
nixcfg


My personal NixOS config of my machines.

Not meant to be used by others, but feel free to take inspiration from it.

Screenshots

[Screenshot: Shell]

[Screenshot: Shell]

Setup

Pick your hostname; you might find some inspiration here.

Set your hostname and run the install script:

# Start with a fresh NixOS installation in ~/Code/nixcfg
HOSTNAME=yourhostname bash <(curl -s https://raw.githubusercontent.com/pbek/nixcfg/main/install.sh)

# Initially build and switch to the new configuration for host "yourhostname" after you have adapted flake.nix and your configuration.nix
nix-shell -p git --run "sudo nixos-rebuild switch --flake .#yourhostname -L"

Afterwards, here are some useful commands:

# Build and switch to new configuration
make switch

# edit configuration.nix
kate . &

# check for Nvidia card
nix-shell -p pciutils --run 'lspci | grep VGA'

# look at network load and other stats
nix-shell -p btop --run btop

# login at another computer and start the restic mount and restore

# take over tmux session at local system to watch restore
tmux new-session -A -s main

# after backup restore reboot computer
sudo reboot

# run backup script

Finally, commit your changes to https://github.com/pbek/nixcfg.

Secrets

Rekey after adding a new host

This needs to be done whenever hosts have been added.

  • run ssh-keyscan localhost on the new host
  • add those keys to ./secrets/secret.nix
  • run cd ./secrets && agenix -i ~/.ssh/agenix --rekey to rekey all secrets

Add secret

cd ./secrets && agenix -i ~/.ssh/agenix -e secret-file.age
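As an added illustration of the file the rekey steps and the agenix -e command above operate on (not a file from this repository), a hypothetical ./secrets/secret.nix that maps each .age secret to the public keys allowed to decrypt it. The key strings and the secret file names are placeholders; the host names pluto, netcup02 and ally2 and the user omega are the ones used elsewhere on this page.

```nix
let
  # Your own key, matching the private key you pass with `agenix -i ~/.ssh/agenix`
  # (placeholder value). Every secret should include it, or you cannot edit it.
  omega = "ssh-ed25519 AAAA...placeholder-user-key";
  users = [ omega ];

  # One host public key per machine: the `ssh-ed25519 ...` part of the line printed
  # by `ssh-keyscan localhost` on that host. Drop the leading "localhost " field;
  # only the key type and the base64 key go here (placeholder values).
  pluto = "ssh-ed25519 AAAA...placeholder-host-key-pluto";
  netcup02 = "ssh-ed25519 AAAA...placeholder-host-key-netcup02";
  ally2 = "ssh-ed25519 AAAA...placeholder-host-key-ally2";
in
{
  # Each entry lists exactly the keys that can decrypt that file. Keep the list
  # per secret to the hosts that need it rather than handing every secret to all hosts.

  # Hypothetical desktop-only secret: your key plus the two desktop host keys.
  "secret-file.age".publicKeys = users ++ [ pluto ally2 ];

  # Hypothetical server-only secret: your key plus the server's host key.
  "netcup02-service.age".publicKeys = users ++ [ netcup02 ];
}
```

After adding a new host key to the publicKeys of the secrets that host needs, the existing .age files are still encrypted only to the old key set; the agenix --rekey command above re-encrypts them so the new host can decrypt them at boot.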

Commands

# update just one flake (we need to set the github token so the API limit is not reached)
NIX_CONFIG="access-tokens = github.com=`cat ~/.secrets/github-token`" nix flake lock --update-input catppuccin

Fix bootloader

If the UEFI "BIOS" gets corrupted and was reset, no NixOS EFI boot device will be found. You can fix this with the following steps:

  • boot Ventoy USB stick in UEFI mode
  • start NixOS image
  • load encrypted root partition with gparted

# as root
sudo su -

# mount encrypted root partition and boot partition
mount /dev/mapper/sda2_crypt /mnt
mount /dev/sda1 /mnt/boot

# install current flake including bootloader
cd /mnt/home/omega/Code/nixcfg
nixos-install --flake .#pluto

# reboot machine, "Linux Bootloader" should now be available in the UEFI boot menu
reboot

Server setup with nixos-anywhere

# Test configuration build process in vm
nix run github:nix-community/nixos-anywhere -- --flake .#netcup02 --vm-test

# Build and test configuration in vm with ssh
make build-vm-netcup02
make boot-vm-server-console
make ssh-vm-server

# Deploy configuration to server "server-host"
nix run github:nix-community/nixos-anywhere -- --flake .#netcup02 root@server-host

Desktop setup with nixos-anywhere

# First boot into minimal nixos and set root password
# Then create a /tmp/secret.key with the disk-password
# Set `services.openssh.settings.PermitRootLogin = "yes";`
# Set `services.openssh.settings.PasswordAuthentication = true;`
# Then use nixos-anywhere remotely
nix run github:nix-community/nixos-anywhere -- --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#ally2 [email protected]

Manual setup with disko

# Boot some nixos minimal image (for a ZFS setup you need to have ZFS support enabled)
# If there is disk encryption, then create a /tmp/secret.key with the disk-password (at least 8 characters)
# Make sure you have nixcfg checked out and are in the nixcfg directory
export HOST=ally2
sudo nix --experimental-features nix-command --extra-experimental-features flakes run github:nix-community/disko -- --mode disko ./hosts/${HOST}/disk-config.zfs.nix
sudo nix --experimental-features nix-command --extra-experimental-features flakes run github:nix-community/disko -- --flake .#${HOST} --write-efi-entries
sudo nixos-install --flake .#${HOST}

Todo after server setup

# Set password
passwd

# Clone nixcfg repository via https (read-only)
cd ~ && git clone https://github.com/pbek/nixcfg.git && cd nixcfg
# or via ssh (read-write)
cd ~ && git clone [email protected]:pbek/nixcfg.git && cd nixcfg

# Update channels, so command-not-found will work
sudo nix-channel --update