nix/README.md
2024-05-08 20:02:29 +09:00

197 lines
8.4 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# NixOS Configuration Repository
## NOTE: These configs expect this repo to be cloned to `/etc/nixos/git/`
* Clone this repo
```
sudo git clone https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git
# or, with wallpapers
sudo git clone --recursive https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git
```
* Installation:
```
nixos-install <Hostname> [<Username>]
# or
./docs/install.sh <Hostname> [<Username>]
```
* Post install (home-manager, secrets, etc)
```
nix develop -c /etc/nixos/git/docs/setup.sh
```
# Machines
| Name | Description | Status | deploy-rs |
| ----------------- | ------------------------------------------------------ | -------- | --------- |
| backups-rpi4 | Japan Raspberry Pi 4 for backups from nuc-server | ✔️ | ✔️ |
| framework-server | sysctl.io - main server, framework 13th gen mainboard | ✔️ | ✔️ |
| nixos-desktop | My main desktop | ✔️ | ❌ |
| nixos-framework | My AMD Framework 13 laptop | ✔️ | ❌ |
| osaka-linode-01 | Osaka Linode relay for sysctl.io external connections | ✔️ | ✔️ |
| milan-linode-01 | Milan Linode DERP relay for Tailscale | ✔️ | ✔️ |
| piaware-rpi4 | FlightAware for Raspberry Pi | ✔️ | ✔️ |
| bakersfield-rpi4 | Raspberry Pi at my brothers house. Headscale Exit Node | ✔️ | ✔️ |
| steamdeck | Valve Steam Deck, handheld gaming console | ✔️ | ❌ |
| Name | Description | Status |
| ----------------- | ------------------------------------------------------ | -------- |
| quitman-rpi4 | Raspberry Pi at my parents house. Headscale Exit Node | On Hold |
| nuc-server | Second NUC server at my brothers house | On Hold |
# Images
| Name | Description | Build Commands |
| ----------------- | ----------------------------------------------- | --------------------------------------------------- |
| nixos-iso-console | Console ISO image of this flake for installing | `nix build .#imageConfigurations.nixos-iso-console` |
| nixos-iso-desktop | Gnome ISO image of this flake for installing | `nix build .#imageConfigurations.nixos-iso-desktop` |
| nixos-linode-img | Image of this flake for use on Linode | `nix build .#imageConfigurations.nixos-linode-img` |
| nixos-rpi4-img | Image of this flake for use on Raspberry Pi 4's | `nix build .#imageConfigurations.nixos-rpi4-img` |
---
# 📋 To Do List
* [ ] Fix sysctl backup scripts
* [ ] 24.05 Updates:
* [ ] Re-enable a few things <SPC-S> "TODO"
* [ ] Add sound to XRDP config
* [ ] vimPlugins.outline-nvim
* [ ] Yubikey
* [ ] Add static password to slot 1
## home-manager
* [ ] Find a way to remove all default search engines in Firefox (Google, Amazon, etc)
* [ ] Fix misaligned waybar items
* [ ] Maybe redo waybar altogether
* [ ] Maybe add a wallpaper randomizer button via `sww img`
## Homelab general
* [ ] Fixes:
* [ ] Migrate Forgejo sqlite db to MySQL
* [ ] Alternatively, figure out why sqlite is taking so long to load
* [ ] Upgrades:
* [ ] Nextcloud 29
* [ ] Traefik v3
* [ ] Headscale 0.23
* [ ] Lower Priority:
* [ ] Jitsi
* [ ] Mealie
* [ ] Lemmy
* [ ] Atuin
* [ ] Forgejo Runner
* [ ] Synapse
Completed To Do List [here](./docs/complete.md)
---
# Information
### 🏠 Home Manager
* Home Manager Documentation - [Link](https://nix-community.github.io/home-manager/index.html)
* Home Manager Options Search - [Link](https://mipmip.github.io/home-manager-option-search/)
### ❄️ NixOS
* nix.dev - Official Nix Documentation - [Link](https://nix.dev/)
* NixOS Documentation - Stable - [Link](https://nixos.org/manual/nixos/stable/)
* NixOS Packages / Options Search - [Link](https://search.nixos.org/)
* Nix User Repository (NUR) Search - [Link](https://nur.nix-community.org/)
* ARM NixOS Building - [Link](https://nixos.wiki/wiki/NixOS_on_ARM#NixOS_installation_.26_configuration)
* NixOS Manual - [Link](https://nixos.org/manual/nix/unstable/introduction)
### 🔗 Useful Links
* FlakeHub - [Link](https://flakehub.com)
* Flakestry.dev - [Link](https://flakestry.dev/)
* Track a Nixpkgs PR - [Link](https://nixpk.gs/pr-tracker.html)
* Awesome-Hyprland - [Link](https://github.com/hyprland-community/awesome-hyprland)
### 🌐 Examples
* Tons of good examples here - [Link](https://github.com/Mic92/dotfiles/blob/main/nixos/modules/)
* NixOS Flakes Intro Guide - [Link](https://nixos-and-flakes.thiscute.world/)
### 👀 Theming
* Neofetch Themes - [Link](https://github.com/Chick2D/neofetch-themes/)
* Stylix - [Link](https://github.com/danth/stylix)
* Hyprland Inspirations
* Aylur - [Link](https://github.com/Aylur/dotfiles)
* Base16 Color Schemes - [Link](https://tinted-theming.github.io/base16-gallery/)
---
# 🔒 Lanzaboote / SecureBoot
* Instructions here - [Link](https://git.sysctl.io/Mirrors/lanzaboote/src/branch/master/docs/QUICK_START.md)
## 🔒 Generic Instructions:
1. Create your keys: `sbctl create-keys`
2. Verify your machine is ready for SecureBoot: `sbctl verify` - Everything except `*-bzImage.efi` are signed
3. Enter Secureboot Setup mode in your EFI Settings on the motherboard (F10)
* Security -> SecureBoot -> Set to Enabled and "Reset to Setup Mode" and exit
4. Enroll the keys: `sbctl enroll-keys --microsoft`
* If you wish, you can select `--tpm-eventlog`, but checksums will change later (ie, at a kernel rebuild)
5. Reboot and verify you are activated: `bootctl status`
## 💻 Framework Specific:
1. Change boot import from `boot.nix` to `secureboot.nix` in `./nixos/hosts/<hostname>/default.nix`
4. Run `rebuild-host` to switch from `boot.nix` to `secureboot.nix`
2. Reboot into EUFI and set SecureBoot settings to:
* Enforce Secure Boot - Enabled
* Erase all Secure Boot Settings - Enabled
* Restore Secure Boot to Factory Settings - Disabled
3. Save and reboot
4. Run `sudo sbctl create-keys`
5. Run `sudo sbctl enroll-keys`
6. Reboot and verify with `bootctl status`
# 🗝️ Manual: GPG Keys
1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc`
2. Mark it as trusted: `gpg --edit-key albert@sysctl.io`, then type `trust`, then `5`
3. On each new machine, run `sudo nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc"`
* This will output the identifier you add to `.sops.yaml`
* Move `HOSTNAME.asc` to `keys/hosts/` and upload to git and rename accordingly.
# 🔐 Secrets
1. Run `nix-develop` in `/etc/nixos/git` to import new keys
2. To edit a file: `sops secrets/file.yml"`
3. When you add a new machine, you must update the secrets files encryption.
* Ensure `.sops.yaml` has the updated fingerprint and file mappings.
* Run `sops updatekeys secrets/file.yaml` and commit the change.
# Troubleshooting
1. To troubleshoot disko issues, this command can come in handy:
```
nix eval .#nixosConfigurations.`hostname`.config.disko.devices._config
```
# Directory Structure
```
/etc/nixos/git/
├── docs
├── home-manager
│   ├── common
│   │   ├── desktops
│   │   └── software
│   │   ├── cli
│   │   └── gui
│   ├── hosts
│   └── users
├── keys
│   ├── hosts
│   ├── ssh
│   └── users
├── lib
├── nixos
│   ├── common
│   │   ├── desktops
│   │   ├── modules
│   │   ├── packages
│   │   ├── services
│   │   └── software
│   │   ├── cli
│   │   └── gui
│   ├── hosts
│   ├── containers
│   └── users
├── secrets
│   ├── containers
│   └── hosts
├── stylix
│   ├── common
│   └── themes
└── wallpapers
```