* Yubikeys are great, if you use them correctly
https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
* generate age public key from host's existing SSH keypair
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
* trigger first encryption of a secrets file
EDITOR=vi sops --config .sops.yaml --encrypt --in-place hosts/common/secrets.yaml
* edit secrets in that file later
* When SOPS complains about your ~/.gnupg/secring.pgp file not being there try:
export GPG_TTY=$(tty)
gpgconf --reload gpg-agent
* SOPS
https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g
export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF"
sops -e /etc/ssh/ssh_host_id > hosts/floki/
* labels
* btrfs
* sudo btrfs filesystem label <mountpoint|device> <newlabel>
* luks
* FAT
* sudo fatlabel <device> <newlabel>
* swap (see: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7)
* udevadm trigger
INSTALL:
export device=/dev/nvme0n1
export hostname=floki
wipefs/shred/scrub ${device}
printf "label: gpt\n,550M,U\n,,L\n" | sfdisk ${device}
mkfs.fat -L ESP -F 32 "${device}p1"  # the ESP is partition 1 from the sfdisk layout above; running mkfs.fat on the whole ${device} would overwrite the partition table just written
cryptsetup --verify-passphrase -v luksFormat --label "${hostname}_crypt" "${device}p2"
cryptsetup open "${device}p2" "${hostname}_crypt"
mkfs.btrfs -L ${hostname} /dev/mapper/"${hostname}_crypt"
mount -t btrfs -o subvol=/ /dev/disk/by-label/${hostname} /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/nix
btrfs subvolume create /mnt/persist
btrfs subvolume create /mnt/swap
btrfs subvolume create /mnt/logs
umount /mnt  # the subvol=/ mount above was only needed to create the subvolumes; unmount it before mounting subvol=root on /mnt
mount -o compress=zstd,subvol=root /dev/mapper/"${hostname}_crypt" /mnt
mkdir -p /mnt/{nix,persist,swap,var/logs}  # -p: /mnt/var does not exist yet, so plain mkdir fails on var/logs
mount -o compress=zstd,noatime,subvol=nix /dev/mapper/"${hostname}_crypt" /mnt/nix
mount -o compress=zstd,subvol=persist /dev/mapper/"${hostname}_crypt" /mnt/persist
mount -o compress=zstd,noatime,subvol=logs /dev/mapper/"${hostname}_crypt" /mnt/var/logs
mount -o noatime,subvol=swap /dev/mapper/"${hostname}_crypt" /mnt/swap
mkdir /mnt/boot
mount "${device}p1" /mnt/boot  # the ESP formatted above; the note previously said /dev/sda1, which does not match ${device}
nixos-generate-config --root /mnt
nano /mnt/etc/nixos/configuration.nix # manually add mount options or cp from USB
nixos-install
nixos-generate-config --show-hardware-config
fileSystems = {
"/".options = [ "compress=zstd" ];
"/nix".options = [ "compress=zstd" "noatime" ];
"/persist".options = [ "compress=zstd" "noatime" ];
"/logs".options = [ "compress=zstd" "noatime" ]; # NOTE: the logs subvolume is mounted at /var/logs in the steps above — confirm whether this key should be "/var/logs"
"/swap".options = [ "noatime" ];
};
user hashedPassword: mkpasswd -m sha-512
SWAP file btrfs: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7
btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile
swapon?
swapDevices = [ { device = "/swap/swapfile"; } ]; # the file created by mkswapfile above; /dev/disk/by-label/ only holds links to block devices, not files
nixos-rebuild switch
export NIX_CONFIG="experimental-features = nix-command flakes"
nix-env -iA nixos.pinentry nixos.git
echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf
git clone https://github.com/gburd/nix-config.git
cd nix-config
nix develop
export GPG_TTY=$(tty)
gpg-connect-agent reloadagent /bye
echo test | gpg --clearsign
gpg --list-keys
EDITOR=vi sops --config .sops.yaml hosts/common/secrets.yaml
sudo nixos-install --flake .#hostname
reboot
home-manager switch --flake .#username@hostname
sudo nixos-rebuild switch --flake .#my-hostname
clear; sudo nixos-rebuild dry-activate --flake .#${hostname}
-------
services.pcscd.enable = true;
https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html
https://hoverbear.org/blog/declarative-gnome-configuration-in-nixos/
------------------------------------------
------------------------------------------
building the system configuration...
warning: Git tree '/home/gburd/ws/nix-config' is dirty
trace: warning: optionsDocBook is deprecated since 23.11 and will be removed in 24.05
trace: warning: optionsDocBook is deprecated since 23.11 and will be removed in 24.05
trace: warning: optionsDocBook is deprecated since 23.11 and will be removed in 24.05
would stop the following units: ModemManager.service, NetworkManager-wait-online.service, NetworkManager.service, accounts-daemon.service, alsa-store.service, audit.service, avahi-daemon.service, avahi-daemon.socket, bluetooth.service, bolt.service, colord.service, cpufreq.service, kmod-static-nodes.service, logrotate-checkconf.service, mount-pstore.service, network-local-commands.service, network-setup.service, nscd.service, power-profiles-daemon.service, resolvconf.service, rtkit-daemon.service, systemd-machined.service, systemd-modules-load.service, systemd-oomd.service, systemd-oomd.socket, systemd-sysctl.service, systemd-timesyncd.service, systemd-udevd-control.socket, systemd-udevd-kernel.socket, systemd-udevd.service, systemd-update-done.service, udisks2.service, upower.service, wpa_supplicant.service
would NOT stop the following changed units: display-manager.service, getty@tty1.service, systemd-backlight@backlight:intel_backlight.service, systemd-backlight@leds:tpacpi::kbd_backlight.service, systemd-fsck@dev-disk-by\x2duuid-3D04\x2d3716.service, systemd-journal-flush.service, systemd-logind.service, systemd-random-seed.service, systemd-remount-fs.service, systemd-update-utmp.service, systemd-user-sessions.service, user-runtime-dir@1000.service, user@1000.service
would activate the configuration...
sops-install-secrets: Imported /persist/etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1z2x0g05q2erpux006vwhul70d8akj9avrj67s9p27fm4ce32ly8qt8nllz
warning: password file ‘/run/secrets-for-users/gburd-password’ does not exist
would restart systemd
would reload the following units: dbus.service, firewall.service, persist.mount, reload-systemd-vconsole-setup.service
would restart the following units: nix-daemon.service, polkit.service, sshd.service, systemd-journald.service
would start the following units: ModemManager.service, NetworkManager-wait-online.service, NetworkManager.service, accounts-daemon.service, audit.service, avahi-daemon.socket, bluetooth.service, bolt.service, colord.service, cpufreq.service, kmod-static-nodes.service, logrotate-checkconf.service, mount-pstore.service, network-local-commands.service, network-setup.service, nscd.service, power-profiles-daemon.service, resolvconf.service, rtkit-daemon.service, systemd-machined.service, systemd-modules-load.service, systemd-oomd.socket, systemd-sysctl.service, systemd-timesyncd.service, systemd-udevd-control.socket, systemd-udevd-kernel.socket, systemd-update-done.service, udisks2.service, upower.service, wpa_supplicant.service
[nix-shell:~/ws/nix-config]$ clear; sudo nixos-rebuild dry-activate --flake .#floki