mirror of
https://github.com/gburd/nix-config.git
synced 2024-11-20 10:36:25 +00:00
131 lines
4.9 KiB
Text
131 lines
4.9 KiB
Text
* Yubikeys are great, if you use them correctly
|
|
https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
|
|
* generate age public key from host's existing SSH keypair
|
|
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
|
|
* trigger first encryption of a secrets file
|
|
EDITOR=vi sops --config .sops.yaml --encrypt --in-place hosts/common/secrets.yaml
|
|
* edit secrets in that file later
|
|
* When SOPS complains about your ~/.gnupg/secring.pgp file not being there try:
|
|
export GPG_TTY=$(tty)
|
|
gpgconf --reload gpg-agent
|
|
* SOPS
|
|
https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g
|
|
export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF"
|
|
sops -e /etc/ssh/ssh_host_id > hosts/floki/
|
|
* labels
|
|
* btrfs
|
|
* sudo btrfs filesystem label <mountpoint|device> <newlabel>
|
|
* luks
|
|
* FAT
|
|
* sudo fatlabel <device> <newlabel>
|
|
* swap (see: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7)
|
|
* udevadm trigger
|
|
|
|
INSTALL:
|
|
nix-env -iA nixos.pkgs.gitAndTools.gitFull
|
|
export device=/dev/nvme0n1
|
|
export hostname=floki
|
|
wipefs/shread/scrub ${device}
|
|
sgdisk --zap-all ${device}
|
|
printf "label: gpt\n,550M,U\n,,L\n" | sfdisk ${device}
|
|
mkfs.fat -L ESP -F 32 ${device}
|
|
cryptsetup --verify-passphrase -v luksFormat --label "${hostname}_crypt" "${device}p2"
|
|
cryptsetup open "${device}p2" "${hostname}_crypt"
|
|
mkfs.btrfs -L ${hostname} /dev/mapper/"${hostname}_crypt"
|
|
mount -t btrfs -o subvol=root /dev/disk/by-label/${hostname} /mnt
|
|
btrfs subvolume create /mnt/root
|
|
btrfs subvolume create /mnt/nix
|
|
btrfs subvolume create /mnt/persist
|
|
btrfs subvolume create /mnt/swap
|
|
btrfs subvolume create /mnt/logs
|
|
|
|
mount -t btrfs -o compress=zstd,subvol=root /dev/disk/by-label/"${hostname}" /mnt
|
|
mkdir /mnt/{nix,persist,swap,var/logs}
|
|
mount -t btrfs -o compress=zstd,noatime,subvol=nix /dev/disk/by-label/"${hostname}" /mnt/nix
|
|
mount -t btrfs -o compress=zstd,subvol=persist /dev/disk/by-label/"${hostname}" /mnt/persist
|
|
mount -t btrfs -o compress=zstd,noatime,subvol=logs /dev/disk/by-label/"${hostname}" /mnt/var/logs
|
|
mount -t btrfs -o noatime,subvol=swap /dev/disk/by-label/"${hostname}" /mnt/swap
|
|
|
|
mkdir /mnt/boot
|
|
mount /dev/nvme0n1p1 /mnt/boot
|
|
|
|
mount -t proc /proc /mnt/proc
|
|
mount -t sysfs /sys /mnt/sys
|
|
mount --bind /dev /mnt/dev
|
|
mount --bind /dev/pts /mnt/dev/pts
|
|
|
|
or
|
|
for i in proc sys dev; do mount -o bind $i /mnt/$i; done
|
|
|
|
nixos-generate-config --root /mnt
|
|
nano /mnt/etc/nixos/configuration.nix # manually add mount options or cp from USB
|
|
nixos-install
|
|
|
|
nixos-generate-config --show-hardware-config
|
|
|
|
fileSystems = {
|
|
"/".options = [ "compress=zstd" ];
|
|
"/nix".options = [ "compress=zstd" "noatime" ];
|
|
"/persist".options = [ "compress=zstd" "noatime" ];
|
|
"/logs".options = [ "compress=zstd" "noatime" ];
|
|
"/swap".options = [ "noatime" ];
|
|
};
|
|
|
|
user hashedPassword: mkpasswd -m sha-512
|
|
|
|
SWAP file btrfs: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7
|
|
btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile
|
|
swapon?
|
|
swapDevices = [ { device = "/dev/disk/by-label/swap/swapfile"; } ];
|
|
nixos-rebulid switch
|
|
|
|
export NIX_CONFIG="experimental-features = nix-command flakes"
|
|
nix-env -iA nixos.pinentry nixos.git nixos.direnv
|
|
eval "$(direnv hook bash)"
|
|
echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf
|
|
git clone https://github.com/gburd/nix-config.git
|
|
cd nix-config
|
|
nix develop
|
|
export GPG_TTY=$(tty)
|
|
gpg-connect-agent reloadagent /bye
|
|
echo test | gpg --clearsign
|
|
gpg --list-keys
|
|
EDITOR=vi sops --config .sops.yaml nixos/common/secrets.yaml
|
|
sudo nixos-install --flake .#hostname
|
|
reboot
|
|
home-manager switch --flake .#username@hostname
|
|
gsettings reset org.gnome.desktop.input-sources xkb-options
|
|
gsettings reset org.gnome.desktop.input-sources sources
|
|
|
|
sudo nixos-rebuild switch --flake .#my-hostname
|
|
clear; sudo nixos-rebuild dry-activate --flake .#${hostname}
|
|
sudo nix --extra-experimental-features "flakes nix-command" run github:nix-community/disko -- --mode disko nixos/${hostname}/disks.nix --arg disks '[ "/dev/nvme0n1" ]' --arg config.networking.hostName ${hostname}
|
|
sudo nix run github:nix-community/disko -- --mode disko nixos/${hostname}/disks.nix
|
|
|
|
-------
|
|
services.pcscd.enable = true;
|
|
|
|
https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html
|
|
https://hoverbear.org/blog/declarative-gnome-configuration-in-nixos/
|
|
https://github.com/wimpysworld/nix-config
|
|
https://github.com/Misterio77/nix-config
|
|
https://github.com/Misterio77/nix-starter-configs
|
|
|
|
------------------------------------------
|
|
TODO:
|
|
|
|
* agenix: alternative to sops/age for secrets
|
|
agenix.url = "github:ryantm/agenix";
|
|
agenix.inputs.nixpkgs.follows = "nixpkgs";
|
|
* "yet-another-nix-helper" https://github.com/viperML/nh
|
|
* declarative disk partitioning/formatting
|
|
https://github.com/nix-community/disko
|
|
* https://aria2.github.io/
|
|
* https://github.com/schollz/croc
|
|
|
|
------------------------------------------
|
|
EXAMPLE COMMANDS:
|
|
|
|
* nh os switch --ask
|
|
* nix run github:viperML/nh -- os switch --ask --nom .
|
|
* clear; sudo nixos-rebuild dry-activate --flake .#floki
|