#+TITLE: Installation
#+AUTHOR: Franck Cuny
#+EMAIL: franck@fcuny.net
* Darwin
** =agenix=
Create SSH host keys with =sudo ssh-keygen -A=.
You then need to add the public key (=/etc/ssh/ssh_host_ed25519_key.pub=) to [[file+emacs:../secrets/secrets.nix][secrets.nix]] and re-key the secrets, running =agenix -i ~/.ssh/agenix -r=.
You can then validate that the key is encrypted properly with =sudo agenix -i /etc/ssh/ssh_host_ed25519_key -d ssh-remote-builder.age=.
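Before running =agenix -r=, it is worth checking that the new host's public key is actually listed in =secrets.nix=; otherwise the secrets get re-keyed without it and the host cannot decrypt them. The script below is an added example written for these notes in POSIX sh (the notes themselves use fish); it is not part of the original page or of agenix. The key material and the =secrets.nix= fragment it builds are constructed samples, and the comparison deliberately ignores the comment field of the =.pub= file because that part is usually not what gets pasted into =secrets.nix=.

```shell
#!/bin/sh
# Added example, not part of the original notes or of agenix.
# Checks that a host's ed25519 public key appears in secrets.nix before
# `agenix -r` re-keys the secrets.
set -eu

# Print "type base64" only; drop the trailing comment (e.g. root@host).
pubkey_without_comment() {
  awk '{ print $1 " " $2 }' "$1"
}

# Return 0 if the key in $1 (a .pub file) is present in $2 (secrets.nix).
key_in_secrets() {
  key=$(pubkey_without_comment "$1")
  grep -qF -- "$key" "$2"
}

# Constructed stand-ins for /etc/ssh/ssh_host_ed25519_key.pub and
# ../secrets/secrets.nix; the base64 blob is made up, not a real key.
demo() {
  dir=$(mktemp -d)
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostKeyNotRealXXXXXXXXXXXXXXXXXXX root@newhost\n' \
    > "$dir/ssh_host_ed25519_key.pub"
  cat > "$dir/secrets.nix" <<'EOF'
let
  newhost = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostKeyNotRealXXXXXXXXXXXXXXXXXXX";
in {
  "ssh-remote-builder.age".publicKeys = [ newhost ];
}
EOF
  if key_in_secrets "$dir/ssh_host_ed25519_key.pub" "$dir/secrets.nix"; then
    echo "key present in secrets.nix; safe to run: agenix -i ~/.ssh/agenix -r"
    rc=0
  else
    echo "key NOT in secrets.nix; add it before re-keying" >&2
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}

demo
```

On a real host, call =key_in_secrets /etc/ssh/ssh_host_ed25519_key.pub ../secrets/secrets.nix= instead of =demo= and only re-key when it returns 0.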
* Virtual machine running on the Synology NAS
** Creating the VM
- Choose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
** Install NixOS on the VM
1. Boot to the installer
2. Copy the local configuration to the remote host: ~rsync -avz --exclude='.git' --exclude='result' world/ nixos@192.168.1.151:~/world/~
3. On the VM, from the =world= directory:
   1. Run =sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount nix/machines/vm-synology/disk.nix=
   2. Run =nixos-install --root /mnt/ --flake .#vm-synology=
4. Reboot the VM
* Create the nixos installer
Run
#+begin_src fish
nix build .#nixosConfigurations.iso.config.system.build.isoImage
#+end_src
Then copy to a USB stick with:
#+begin_src fish
sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
#+end_src
* Bare metal machine
We can install a machine remotely with =nixos-anywhere=, including full disk encryption.
First, create a password in 1Password for the machine (using the convention "nix/<hostname>/encryption"). Next, run the following snippet to create the SSH host key used by the initrd (this is needed so we can SSH to the host at boot and unlock the disk).
#+begin_src fish
set temp (mktemp -d)
# ssh-keygen does not create parent directories; the tree is copied to / on the target
mkdir -p "$temp/etc/initrd"
ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
# --disk-encryption-keys takes two arguments: the path on the target (/tmp/pass)
# and the local file to copy there, which psub provides from the 1Password entry
nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
#+end_src
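The =--extra-files= tree is copied onto the target's root filesystem as-is, so the initrd key has to sit at =etc/initrd/ssh_host_ed25519_key= inside it and should not be readable by other users of the build machine. The script below is an added example in POSIX sh (not fish, and not part of the original notes or of nixos-anywhere) that builds the tree and checks the layout and the private key's mode before the tree is shipped. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes or of nixos-anywhere.
# Builds the --extra-files tree for the initrd SSH host key and verifies it.
set -eu

# Create the tree; ssh-keygen does not create missing parent directories.
prepare_initrd_key_tree() {
  tree="$1"
  mkdir -p "$tree/etc/initrd"
  ssh-keygen -q -t ed25519 -N "" -C "initrd-root-ssh" \
    -f "$tree/etc/initrd/ssh_host_ed25519_key"
  chmod 600 "$tree/etc/initrd/ssh_host_ed25519_key"
}

# Portable mode check via ls; return 0 only if the file is mode 0600.
is_private_mode() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Return 0 if $1 holds a correctly placed, private initrd host key pair.
check_initrd_key_tree() {
  key="$1/etc/initrd/ssh_host_ed25519_key"
  [ -f "$key" ] && [ -f "$key.pub" ] && is_private_mode "$key"
}

main() {
  temp=$(mktemp -d)
  prepare_initrd_key_tree "$temp"
  if check_initrd_key_tree "$temp"; then
    echo "extra-files tree ready: pass --extra-files \"$temp\" to nixos-anywhere"
  else
    echo "initrd key tree is wrong or the private key is too permissive" >&2
    exit 1
  fi
}
```

Run =main= to produce the tree and then hand its path to =nixos-anywhere --extra-files=; the check is the part worth keeping, since a key that the build machine leaves world-readable is the same key the initrd will trust for unlocking the disk.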