| -rw-r--r-- | docs/install.org | 20 | ||||
| -rw-r--r-- | flake.lock | 17 | ||||
| -rw-r--r-- | flake.nix | 5 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/installer/default.nix | 21 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell/default.nix | 62 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell/disks.nix | 67 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix | 38 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell/home.nix | 6 |
8 files changed, 236 insertions, 0 deletions
diff --git a/docs/install.org b/docs/install.org
index d552513..b846cd3 100644
--- a/docs/install.org
+++ b/docs/install.org
@@ -19,3 +19,23 @@ You can then validate that they key is encrypted properly with =sudo agenix -i /
 1. Run =sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount nix/machines/vm-synology/disk.nix=
 2. Run =nixos-install --root /mnt/ --flake .#vm-synology=
 4. Reboot the VM
+* Create the nixos installer
+Run
+#+begin_src fish
+nix build .#nixosConfigurations.iso.config.system.build.isoImage
+#+end_src
+
+Then copy to a USB stick with:
+#+begin_src fish
+sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
+#+end_src
+* Bare metal machine
+We can install remotely a machine with =nixos-anywhere=, including full disk encryption.
+
+First, create a password in 1password for the machine (using the convention "nix/<hostname>/encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it).
+
+#+begin_src fish
+set temp (mktemp -d)
+ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
+nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
+#+end_src
@@ -478,6 +478,22 @@
 "type": "github"
 }
 },
+ "nixos-hardware": {
+ "locked": {
+ "lastModified": 1760106635,
+ "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "master",
+ "repo": "nixos-hardware",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1755274400,
@@ -683,6 +699,7 @@
 "home-manager": "home-manager_2",
 "my-go-tools": "my-go-tools",
 "my-site": "my-site",
+ "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_5",
 "nixpkgsUnstable": "nixpkgsUnstable",
 "nur": "nur",
@@ -21,6 +21,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ nixos-hardware = {
+ url = "github:NixOS/nixos-hardware/master";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 agenix = {
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/machines/nixos/x86_64-linux/installer/default.nix b/machines/nixos/x86_64-linux/installer/default.nix
new file mode 100644
index 0000000..e914571
--- /dev/null
+++ b/machines/nixos/x86_64-linux/installer/default.nix
@@ -0,0 +1,21 @@
+{ adminUser, modulesPath, ... }:
+{
+ # run `nix build .#nixosConfigurations.iso.config.system.build.isoImage` to build the image
+ imports = [
+ "${modulesPath}/installer/cd-dvd/channel.nix"
+ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+ {
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ { home.stateVersion = "25.05"; }
+ ];
+ };
+ }
+ ];
+
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
new file mode 100644
index 0000000..8c71cbf
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
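Review bot: `home-manager.users.${adminUser.name}` gives the admin user a home on the ISO, but nothing in this file declares that user or an SSH key for it, so the image is only reachable remotely if that comes from a module outside this hunk. If I read the imported installation-cd-minimal profile correctly it enables sshd with root login permitted but an empty root password, which sshd rejects by default, so a stock installer needs `passwd` on the console before the `nixos-anywhere` flow documented in this commit can connect; consider adding `users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 …FZFi" ];` and `services.openssh.settings.PasswordAuthentication = false;` here so the live system accepts only your key. The header comment refers to `.#nixosConfigurations.iso` while the directory is `installer`; a short note on where the `iso` name is mapped would save the next reader a search.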
@@ -0,0 +1,62 @@
+{
+ lib,
+ adminUser,
+ config,
+ ...
+}:
+{
+ imports = [
+ ./disks.nix
+ ./hardware-configuration.nix
+ {
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ ./home.nix
+ { home.stateVersion = "25.05"; }
+ ];
+ };
+ }
+ ];
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "rivendell";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ boot.kernelParams = [
+ "ip=dhcp"
+ ];
+
+ boot.initrd.network = {
+ enable = true;
+ postCommands = "echo 'cryptsetup-askpass' >> /root/.profile";
+ flushBeforeStage2 = true;
+ ssh = {
+ enable = true;
+ port = 911;
+ hostKeys = [
+ "/etc/initrd/ssh_host_ed25519_key"
+ ];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ ];
+ };
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/rivendell/disks.nix b/machines/nixos/x86_64-linux/rivendell/disks.nix
new file mode 100644
index 0000000..8cb1f32
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/disks.nix
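Review bot: `nix.settings.trusted-users = [ "builder" ]` hands root-equivalent control of this host to both keys under `users.users.builder.openssh.authorizedKeys.keys`, since the Nix manual warns that a trusted user can effectively become root through the daemon, and the second key is labelled as a remote builder's key, i.e. a machine rather than a person. Trust is only needed so a client can push unsigned paths; if the builder is reached over legacy `ssh://`, pinning that key to its job (`command="nix-store --serve --write" ssh-ed25519 …rgvw`) keeps a compromised client from getting an interactive shell, and the reason for trusting it deserves a comment either way. Also, `system.stateVersion = "23.11"` on a freshly installed machine disagrees with the `home.stateVersion = "25.05"` a few lines up and with the 25.05 installer added in this commit; a new host should record the release it was installed with. `group = "nogroup"` reads like a placeholder as well — a dedicated `builder` group (or `users`) would be more conventional.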
@@ -0,0 +1,67 @@
+let
+ btrfsopt = [
+ "compress=zstd"
+ "noatime"
+ ];
+in
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "2G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "nixos";
+ passwordFile = "/tmp/pass";
+ settings = {
+ allowDiscards = true;
+ };
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "@root" = {
+ mountpoint = "/";
+ mountOptions = btrfsopt;
+ };
+ "@home" = {
+ mountpoint = "/home";
+ mountOptions = btrfsopt;
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = btrfsopt;
+ };
+ "@data" = {
+ mountpoint = "/data";
+ mountOptions = btrfsopt;
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix b/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix
new file mode 100644
index 0000000..02de536
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/hardware-configuration.nix
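Review bot: `mountOptions = [ "fmask=0022" "dmask=0022" ]` on the ESP makes `/boot` world-readable, and with systemd-boot (enabled in rivendell/default.nix) that partition holds the initrd into which, as far as I know via `boot.initrd.secrets`, `boot.initrd.network.ssh.hostKeys` copies `/etc/initrd/ssh_host_ed25519_key`, so any local account could read the initrd SSH host key and impersonate the host during the remote unlock. The disko examples and current `nixos-generate-config` output use `0077` here, and bootctl itself warns about a world-accessible ESP; suggest `"fmask=0077"` and `"dmask=0077"`. `allowDiscards = true` is a deliberate trade-off (TRIM through dm-crypt reveals which blocks are unused, per the cryptsetup FAQ) and deserves a one-line comment, e.g. `# TRIM leaks the free-space layout through LUKS; accepted for SSD longevity`.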
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ inputs,
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
+ ];
+
+ services.fwupd.enable = true;
+ hardware.enableRedistributableFirmware = true;
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "r8169" # ethernet driver
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/machines/nixos/x86_64-linux/rivendell/home.nix b/machines/nixos/x86_64-linux/rivendell/home.nix
new file mode 100644
index 0000000..8f0935e
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell/home.nix
@@ -0,0 +1,6 @@
+{ self, ... }:
+{
+ imports = [
+ "${self}/home/programs/bat.nix"
+ ];
+} |
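Review bot: The header still says this file was generated by `nixos-generate-config` and may be overwritten, but this version carries hand edits — the `inputs` argument, the `inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series` import and `services.fwupd.enable = true;` — that a re-run of the generator would silently drop. Either move those three into `rivendell/default.nix` (the generator never emits an `inputs` argument) or replace the header with a note that the file is maintained by hand. The `"r8169" # ethernet driver` entry is what lets the `ip=dhcp` unlock-over-SSH flow in default.nix reach the NIC before the root volume is open; a comment such as `# must stay in initrd: boot.initrd.network needs the NIC before LUKS is unlocked` would keep that dependency from being pruned as an unused module.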
