8.7 KiB
8.7 KiB
NixOS Configuration Repository
NOTE: These configs expect this repo to be cloned to /etc/nixos/git/
- Clone this repo
sudo git clone https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git
# or, with wallpapers
sudo git clone --recursive https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git
- Installation:
nixos-install <Hostname> [<Username>]
# or
./docs/install.sh <Hostname> [<Username>]
- Post install (home-manager, secrets, etc)
nix develop -c /etc/nixos/git/docs/setup.sh
Machines
Name | Category | Description | Status | Deployments |
---|---|---|---|---|
osaka-linode-01 | Linode | Osaka Linode relay for sysctl.io external connections | ✔️ | ✔️ |
milan-linode-01 | Linode | Milan Linode DERP relay for Tailscale | ✔️ | ✔️ |
frankfurt-linode-01 | Linode | Frankfurt, Germany alternate relay for external conns | ✔️ | ✔️ |
framework-server | Server | sysctl.io - main server, framework 13th gen mainboard | ✔️ | ✔️ |
warsaw-ovh-01 | Server | Warsaw OVH server, backup for framework-server | ✔️ | ✔️ |
nuc-server | Server | ON HOLD | ❌ | ❌ |
nixos-desktop | Personal | My main desktop | ✔️ | ❌ |
nixos-framework | Personal | My AMD Framework 13 laptop | ✔️ | ❌ |
steamdeck | Personal | Valve Steam Deck gaming console | ✔️ | ✔️ |
piaware-rpi4 | Raspberry Pi | Raspberry Pi for FlightAware flight tracking software | ✔️ | ✔️ |
backups-rpi4 | Raspberry Pi | Raspberry Pi for rsync backups | ✔️ | ✔️ |
bakersfield-rpi4 | Raspberry Pi | Raspiberry Pi in Bakersfield, Headscale Exit Node | ✔️ | ✔️ |
quitman-rpi4 | Raspberry Pi | ON HOLD | ❌ | ❌ |
Images
Name | Description | Build Commands |
---|---|---|
nixos-iso-console | Console ISO image of this flake for installing | nix build .#imageConfigurations.nixos-iso-console |
nixos-iso-desktop | Gnome ISO image of this flake for installing | nix build .#imageConfigurations.nixos-iso-desktop |
nixos-linode-img | Image of this flake for use on Linode | nix build .#imageConfigurations.nixos-linode-img |
nixos-rpi4-img | Image of this flake for use on Raspberry Pi 4's | nix build .#imageConfigurations.nixos-rpi4-img |
📋 To Do List
- Add audio to rdesktop xrdp config
- Framework volume buttons don't work on KDE
- Intermittent
- KDE not saving HDR / high frame rate settings on Wayland
- Figure out a way to pass through GPG AND SSH authentications via SSH (so I can use my YubiKey on my server remotely)
home-manager
- KDE:
- Add config for tiling
- Try Darkman - Link
- Firefox:
- Find a way to remove all default search engines (Google, Amazon, Yahoo!, etc)
- Pre-defined containers with URLs to match? (ie, Google container opens Google stuff automatically)
- Arkenfox interfering with some audio settings (media.mediasource, for example)
Homelab General
- Upgrades:
- Headscale 0.23 - Need to update the web ui
Completed To Do List here
ℹ️ Information
🏠 Home Manager
❄️ NixOS
- nix.dev - Official Nix Documentation - Link
- NixOS Documentation - Stable - Link
- NixOS Packages / Options Search - Link
- Nix User Repository (NUR) Search - Link
- ARM NixOS Building - Link
- NixOS Manual - Link
🔗 Useful Links
🌐 Examples
👀 Theming
🔒 Lanzaboote / SecureBoot
- Instructions here - Link
🔒 Generic Instructions:
- Create your keys:
sbctl create-keys
- Verify your machine is ready for SecureBoot:
sbctl verify
- Everything except*-bzImage.efi
are signed - Enter Secureboot Setup mode in your EFI Settings on the motherboard (F10)
- Security -> SecureBoot -> Set to Enabled and "Reset to Setup Mode" and exit
- Enroll the keys:
sbctl enroll-keys --microsoft
- If you wish, you can select
--tpm-eventlog
, but checksums will change later (ie, at a kernel rebuild)
- If you wish, you can select
- Reboot and verify you are activated:
bootctl status
💻 Framework Specific:
- Change boot import from
boot.nix
tosecureboot.nix
in./nixos/hosts/<hostname>/default.nix
- Run
rebuild-host
to switch fromboot.nix
tosecureboot.nix
- Reboot into EUFI and set SecureBoot settings to:
- Enforce Secure Boot - Enabled
- Erase all Secure Boot Settings - Enabled
- Restore Secure Boot to Factory Settings - Disabled
- Save and reboot
- Run
sudo sbctl create-keys
- Run
sudo sbctl enroll-keys
- Reboot and verify with
bootctl status
🗝️ Manual: GPG Keys
- Import the user private key:
gpg --import gpg/users/albert/privkey.asc
- Mark it as trusted:
gpg --edit-key albert@sysctl.io
, then typetrust
, then5
- On each new machine, run
sudo nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc"
- This will output the identifier you add to
.sops.yaml
- Move
HOSTNAME.asc
tokeys/hosts/
and upload to git and rename accordingly.
- This will output the identifier you add to
🔐 Secrets
- Run
nix-develop
in/etc/nixos/git
to import new keys - To edit a file:
sops secrets/file.yml"
- When you add a new machine, you must update the secrets files encryption.
- Ensure
.sops.yaml
has the updated fingerprint and file mappings. - Run
sops updatekeys secrets/file.yaml
and commit the change.
- Ensure
ℹ️ Troubleshooting
- To troubleshoot disko issues, this command can come in handy:
nix eval .#nixosConfigurations.`hostname`.config.disko.devices._config
Directory Structure
/etc/nixos/git/
├── docs
├── home-manager
│ ├── common
│ │ ├── desktops
│ │ └── software
│ │ ├── cli
│ │ └── gui
│ ├── hosts
│ └── users
├── keys
│ ├── hosts
│ ├── ssh
│ └── users
├── lib
├── nixos
│ ├── common
│ │ ├── desktops
│ │ ├── modules
│ │ ├── packages
│ │ ├── services
│ │ └── software
│ │ ├── cli
│ │ └── gui
│ ├── hosts
│ ├── containers
│ └── users
├── secrets
│ ├── containers
│ └── hosts
├── stylix
│ ├── common
│ └── themes
└── wallpapers