nix-config/NOTES
2023-09-22 13:25:33 -04:00

* Yubikeys are great, if you use them correctly
https://www.procustodibus.com/blog/2023/04/how-to-set-up-a-yubikey/
* generate age public key from host's existing SSH keypair
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
* trigger first encryption of a secrets file
EDITOR=vi sops --config .sops.yaml --encrypt --in-place hosts/common/secrets.yaml
* edit secrets in that file later
* When SOPS complains about your ~/.gnupg/secring.pgp file not being there try:
export GPG_TTY=$(tty)
gpgconf --reload gpg-agent
* SOPS
https://dev.to/stack-labs/manage-your-secrets-in-git-with-sops-common-operations-118g
export SOPS_PGP_FP="D4BB42BE729AEFBD2EFEBF8822931AF7895E82DF"
sops -e /etc/ssh/ssh_host_id > hosts/floki/
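Added example, not a script from the nix-config repository: the .sops.yaml creation rules that go with the "age key from the host's SSH key" step above, for a hosts/<host>/secrets.yaml layout. Each host's file is encrypted to the admin PGP key (the one SOPS_PGP_FP points at) plus that host's own age recipient (what ssh-to-age prints for its host key), and both values are sanity-checked before they are written out, because a mistyped recipient only shows up later as a file the host cannot decrypt. The fingerprint and age key used in the usage line are constructed placeholders; the last function parses the sops-install-secrets activation message shown further down so the imported key can be compared with the configured one.

```shell
#!/usr/bin/env sh
# Added example; not from the nix-config repository. Builds the .sops.yaml
# creation rules for a hosts/<host>/secrets.yaml layout: each host's file is
# encrypted to the admin PGP key plus that host's own age recipient (the one
# ssh-to-age prints for its SSH host key). Key values below are placeholders.
set -eu

BECH32='qpzry9x8gf2tvdw0s3jn54khce6mua7l'

# An age recipient is "age1" followed by 58 bech32 characters; reject anything
# else before it gets written into config and silently fails to decrypt later.
is_age_recipient() {
  rest=${1#age1}
  [ "$rest" != "$1" ] && [ "${#rest}" -eq 58 ] &&
    [ -z "$(printf '%s' "$rest" | tr -d "$BECH32")" ]
}

# A full PGP fingerprint is 40 hex digits (a short key id is ambiguous).
is_pgp_fingerprint() {
  fp=$1
  [ "${#fp}" -eq 40 ] && case "$fp" in *[!0-9A-Fa-f]*) false ;; *) true ;; esac
}

# One creation rule. Everyone listed in key_groups can decrypt the file, so
# the list stays at the admin key plus the single host that needs the secrets.
sops_rule() {
  host=$1 pgp_fp=$2 age_key=$3
  is_pgp_fingerprint "$pgp_fp" || { echo "bad PGP fingerprint: $pgp_fp" >&2; return 1; }
  is_age_recipient "$age_key" || { echo "bad age recipient for $host: $age_key" >&2; return 1; }
  printf '  - path_regex: hosts/%s/secrets\\.yaml$\n' "$host"
  printf '    key_groups:\n'
  printf '      - pgp:\n          - %s\n' "$pgp_fp"
  printf '        age:\n          - %s\n' "$age_key"
}

# Whole file: admin fingerprint first, then one "host=age1..." pair per host.
sops_config() {
  admin_fp=$1; shift
  printf 'creation_rules:\n'
  for pair in "$@"; do
    sops_rule "${pair%%=*}" "$admin_fp" "${pair#*=}"
  done
}

# Recover the recipient a host actually imported from the sops-install-secrets
# activation message ("... as age key with fingerprint age1..."), so it can be
# compared with what .sops.yaml lists for that host.
recipient_from_activation_log() {
  sed -n 's/.*as age key with fingerprint \(age1[a-z0-9]*\).*/\1/p'
}

# Constructed placeholder values, not real keys.
ADMIN_FP='0123456789ABCDEF0123456789ABCDEF01234567'
FLOKI_AGE='age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce'

# Usage: redirect this to .sops.yaml, then `sops updatekeys hosts/floki/secrets.yaml`
# re-encrypts an existing file to the new recipient list.
sops_config "$ADMIN_FP" "floki=$FLOKI_AGE"
```

Adding a second host is one more `host=age1...` argument; after any change to the recipient list, `sops updatekeys` on each affected file is what actually rewraps the data key, editing .sops.yaml alone changes nothing already encrypted.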
* labels
  * btrfs
    * sudo btrfs filesystem label <mountpoint|device> <newlabel>
  * luks
  * FAT
    * sudo fatlabel <device> <newlabel>
  * swap (see: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7)
* udevadm trigger
INSTALL:
export device=/dev/nvme0n1
export hostname=floki
wipefs -a ${device}   # or shred/scrub the device first for a full overwrite
printf "label: gpt\n,550M,U\n,,L\n" | sfdisk ${device}
mkfs.fat -F 32 -n ESP "${device}p1"   # format the ESP partition, not the whole disk
cryptsetup --verify-passphrase -v luksFormat --label "${hostname}_crypt" "${device}p2"
cryptsetup open "${device}p2" "${hostname}_crypt"
mkfs.btrfs -L ${hostname} /dev/mapper/"${hostname}_crypt"
mount -t btrfs -o subvol=/ /dev/disk/by-label/${hostname} /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/nix
btrfs subvolume create /mnt/persist
btrfs subvolume create /mnt/swap
btrfs subvolume create /mnt/logs
umount /mnt
mount -o compress=zstd,subvol=root /dev/mapper/"${hostname}_crypt" /mnt
mkdir -p /mnt/{nix,persist,swap,var/logs}
mount -o compress=zstd,noatime,subvol=nix /dev/mapper/"${hostname}_crypt" /mnt/nix
mount -o compress=zstd,subvol=persist /dev/mapper/"${hostname}_crypt" /mnt/persist
mount -o compress=zstd,noatime,subvol=logs /dev/mapper/"${hostname}_crypt" /mnt/var/logs
mount -o noatime,subvol=swap /dev/mapper/"${hostname}_crypt" /mnt/swap
mkdir /mnt/boot
mount "${device}p1" /mnt/boot
nixos-generate-config --root /mnt
nano /mnt/etc/nixos/configuration.nix # manually add mount options or cp from USB
nixos-install
nixos-generate-config --show-hardware-config
fileSystems = {
  "/".options = [ "compress=zstd" ];
  "/nix".options = [ "compress=zstd" "noatime" ];
  "/persist".options = [ "compress=zstd" "noatime" ];
  "/logs".options = [ "compress=zstd" "noatime" ];
  "/swap".options = [ "noatime" ];
};
user hashedPassword: mkpasswd -m sha-512
SWAP file btrfs: https://discourse.nixos.org/t/how-do-i-set-up-a-swap-file/8323/7
btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile
swapon /swap/swapfile
swapDevices = [ { device = "/swap/swapfile"; } ];
nixos-rebuild switch
export NIX_CONFIG="experimental-features = nix-command flakes"
nix-env -iA nixos.pinentry nixos.git
echo pinentry-program $(which pinentry) >> ~/.gnupg/gpg-agent.conf
git clone https://github.com/gburd/nix-config.git
cd nix-config
nix develop
export GPG_TTY=$(tty)
gpg-connect-agent reloadagent /bye
echo test | gpg --clearsign
gpg --list-keys
EDITOR=vi sops --config .sops.yaml hosts/common/secrets.yaml
sudo nixos-install --flake .#hostname
reboot
home-manager switch --flake .#username@hostname
sudo nixos-rebuild switch --flake .#my-hostname
clear; sudo nixos-rebuild dry-activate --flake .#${hostname}
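Added example, not a script from the nix-config repository: the disk steps of the INSTALL section above, parameterised on device and hostname. The one thing it adds over the notes is partition naming that is right for both nvme/mmcblk devices (nvme0n1p1) and sd/vd devices (sda1), so the ESP and the LUKS partition are always derived from the same ${device} instead of being typed in twice. Subvolume names, labels and mount options are the ones from the notes; the subvolume/option tables are plain functions so they can be checked without touching a disk. Nothing destructive runs unless it is invoked as `sh install-disk.sh --wipe /dev/nvme0n1 floki` (the script name is an assumption).

```shell
#!/usr/bin/env sh
# Added example, not a script from the nix-config repository: the disk steps
# of the INSTALL section, parameterised. Assumes a NixOS installer shell with
# sfdisk, cryptsetup, mkfs.fat, mkfs.btrfs and udevadm available.
set -eu

# Partition N of a block device. Devices whose name ends in a digit
# (nvme0n1, mmcblk0, loop0) take a "p" separator; sda, vda do not.
part_path() {
  case "$1" in
    *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
    *)      printf '%s%s\n'  "$1" "$2" ;;
  esac
}

# sfdisk layout from the notes: 550M EFI System Partition, rest Linux.
sfdisk_layout() {
  printf 'label: gpt\n,550M,U\n,,L\n'
}

# Subvolumes created on the btrfs root; root must come first so it is
# mounted at /mnt before the others are mounted beneath it.
subvolumes() {
  printf '%s\n' root nix persist swap logs
}

# Mount point of a subvolume relative to /mnt, as in the notes.
subvol_mountpoint() {
  case "$1" in
    root)             printf '\n' ;;
    logs)             printf '/var/logs\n' ;;
    nix|persist|swap) printf '/%s\n' "$1" ;;
    *) return 1 ;;
  esac
}

# Mount options per subvolume, matching the fileSystems block in the notes:
# zstd compression everywhere except swap, noatime on the write-heavy ones.
subvol_opts() {
  case "$1" in
    root)             printf 'compress=zstd,subvol=root\n' ;;
    nix|persist|logs) printf 'compress=zstd,noatime,subvol=%s\n' "$1" ;;
    swap)             printf 'noatime,subvol=swap\n' ;;
    *) return 1 ;;
  esac
}

# Destructive part: partition, encrypt, format, create and mount subvolumes.
install_disk() {
  device=$1 hostname=$2
  esp=$(part_path "$device" 1)
  luks=$(part_path "$device" 2)
  mapper=/dev/mapper/${hostname}_crypt

  wipefs -a "$device"
  sfdisk_layout | sfdisk "$device"
  udevadm settle                          # wait for the new partition nodes
  mkfs.fat -F 32 -n ESP "$esp"            # the ESP partition, not the whole disk
  cryptsetup --verify-passphrase -v luksFormat --label "${hostname}_crypt" "$luks"
  cryptsetup open "$luks" "${hostname}_crypt"
  mkfs.btrfs -L "$hostname" "$mapper"

  mount -t btrfs -o subvol=/ "$mapper" /mnt
  for sv in $(subvolumes); do btrfs subvolume create "/mnt/$sv"; done
  umount /mnt

  for sv in $(subvolumes); do
    mp=/mnt$(subvol_mountpoint "$sv")
    mkdir -p "$mp"
    mount -o "$(subvol_opts "$sv")" "$mapper" "$mp"
  done
  mkdir -p /mnt/boot
  mount "$esp" /mnt/boot
}

if [ "${1:-}" = "--wipe" ]; then
  [ $# -eq 3 ] || { echo "usage: $0 --wipe DEVICE HOSTNAME" >&2; exit 1; }
  install_disk "$2" "$3"
else
  echo "dry run: partition layout that would be written with --wipe:"
  sfdisk_layout
fi
```

After `install_disk` the tree under /mnt matches what `nixos-generate-config --root /mnt` expects, and the option strings from `subvol_opts` are the ones to carry over into the fileSystems block.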
-------
services.pcscd.enable = true;
https://mt-caret.github.io/blog/posts/2020-06-29-optin-state.html
------------------------------------------
building the system configuration...
warning: Git tree '/home/gburd/ws/nix-config' is dirty
trace: warning: optionsDocBook is deprecated since 23.11 and will be removed in 24.05
trace: warning: optionsDocBook is deprecated since 23.11 and will be removed in 24.05
trace: warning: optionsDocBook is deprecated since 23.11 and will be removed in 24.05
would stop the following units: ModemManager.service, NetworkManager-wait-online.service, NetworkManager.service, accounts-daemon.service, alsa-store.service, audit.service, avahi-daemon.service, avahi-daemon.socket, bluetooth.service, bolt.service, colord.service, cpufreq.service, kmod-static-nodes.service, logrotate-checkconf.service, mount-pstore.service, network-local-commands.service, network-setup.service, nscd.service, power-profiles-daemon.service, resolvconf.service, rtkit-daemon.service, systemd-machined.service, systemd-modules-load.service, systemd-oomd.service, systemd-oomd.socket, systemd-sysctl.service, systemd-timesyncd.service, systemd-udevd-control.socket, systemd-udevd-kernel.socket, systemd-udevd.service, systemd-update-done.service, udisks2.service, upower.service, wpa_supplicant.service
would NOT stop the following changed units: display-manager.service, getty@tty1.service, systemd-backlight@backlight:intel_backlight.service, systemd-backlight@leds:tpacpi::kbd_backlight.service, systemd-fsck@dev-disk-by\x2duuid-3D04\x2d3716.service, systemd-journal-flush.service, systemd-logind.service, systemd-random-seed.service, systemd-remount-fs.service, systemd-update-utmp.service, systemd-user-sessions.service, user-runtime-dir@1000.service, user@1000.service
would activate the configuration...
sops-install-secrets: Imported /persist/etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1z2x0g05q2erpux006vwhul70d8akj9avrj67s9p27fm4ce32ly8qt8nllz
warning: password file /run/secrets-for-users/gburd-password does not exist
would restart systemd
would reload the following units: dbus.service, firewall.service, persist.mount, reload-systemd-vconsole-setup.service
would restart the following units: nix-daemon.service, polkit.service, sshd.service, systemd-journald.service
would start the following units: ModemManager.service, NetworkManager-wait-online.service, NetworkManager.service, accounts-daemon.service, audit.service, avahi-daemon.socket, bluetooth.service, bolt.service, colord.service, cpufreq.service, kmod-static-nodes.service, logrotate-checkconf.service, mount-pstore.service, network-local-commands.service, network-setup.service, nscd.service, power-profiles-daemon.service, resolvconf.service, rtkit-daemon.service, systemd-machined.service, systemd-modules-load.service, systemd-oomd.socket, systemd-sysctl.service, systemd-timesyncd.service, systemd-udevd-control.socket, systemd-udevd-kernel.socket, systemd-update-done.service, udisks2.service, upower.service, wpa_supplicant.service
[nix-shell:~/ws/nix-config]$ clear; sudo nixos-rebuild dry-activate --flake .#floki