nix/README.md
2024-08-15 20:02:38 +09:00

# NixOS Configuration Repository
## NOTE: These configs expect this repo to be cloned to `/etc/nixos/git/`
* Clone this repo
```
sudo git clone https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git
# or, with wallpapers
sudo git clone --recursive https://git.sysctl.io/albert/nix /etc/nixos/git
sudo chown -R albert:root /etc/nixos/git
```
* Installation:
```
nixos-install <Hostname> [<Username>]
# or
./docs/install.sh <Hostname> [<Username>]
```
* Post install (home-manager, secrets, etc)
```
nix develop -c /etc/nixos/git/docs/setup.sh
```
# Machines
| Name | Category | Description | Status | Deployments |
| --------------------- | ------------ | ------------------------------------------------------ | -------- | ----------- |
| osaka-linode-01 | Linode | Osaka Linode relay for sysctl.io external connections | ✔️ | ✔️ |
| milan-linode-01 | Linode | Milan Linode DERP relay for Tailscale | ✔️ | ✔️ |
| frankfurt-linode-01 | Linode | Frankfurt, Germany alternate relay for external conns | ✔️ | ✔️ |
| framework-server | Server | sysctl.io - main server, framework 13th gen mainboard | ✔️ | ✔️ |
| warsaw-ovh-01 | Server | Warsaw OVH server, backup for framework-server | ✔️ | ✔️ |
| nuc-server | Server | ON HOLD | ❌ | ❌ |
| nixos-desktop | Personal | My main desktop | ✔️ | ❌ |
| nixos-framework | Personal | My AMD Framework 13 laptop | ✔️ | ❌ |
| steamdeck | Personal | Valve Steam Deck gaming console | ✔️ | ✔️ |
| piaware-rpi4 | Raspberry Pi | Raspberry Pi for FlightAware flight tracking software | ✔️ | ✔️ |
| backups-rpi4 | Raspberry Pi | Raspberry Pi for rsync backups | ✔️ | ✔️ |
| bakersfield-rpi4      | Raspberry Pi | Raspberry Pi in Bakersfield, Headscale Exit Node       | ✔️       | ✔️          |
| quitman-rpi4 | Raspberry Pi | ON HOLD | ❌ | ❌ |
# Images
| Name | Description | Build Commands |
| ----------------- | ----------------------------------------------- | --------------------------------------------------- |
| nixos-iso-console | Console ISO image of this flake for installing | `nix build .#imageConfigurations.nixos-iso-console` |
| nixos-iso-desktop | Gnome ISO image of this flake for installing | `nix build .#imageConfigurations.nixos-iso-desktop` |
| nixos-linode-img | Image of this flake for use on Linode | `nix build .#imageConfigurations.nixos-linode-img` |
| nixos-rpi4-img | Image of this flake for use on Raspberry Pi 4's | `nix build .#imageConfigurations.nixos-rpi4-img` |
---
# 📋 To Do List
* [ ] Add audio to rdesktop xrdp config
* [ ] Figure out a way to pass through GPG AND SSH authentications via SSH (so I can use my YubiKey on my server remotely)
## home-manager
* [ ] Firefox:
  * [ ] Arkenfox interfering with some audio settings (`media.mediasource`, for example)
## Homelab General
* [ ] Upgrades:
  * [ ] Headscale 0.23 - Need to update the web UI
Completed To Do List [here](./docs/complete.md)
---
# Information
### 🏠 Home Manager
* Home Manager Documentation - [Link](https://nix-community.github.io/home-manager/index.html)
* Home Manager Options Search - [Link](https://mipmip.github.io/home-manager-option-search/)
### ❄️ NixOS
* nix.dev - Official Nix Documentation - [Link](https://nix.dev/)
* NixOS Documentation - Stable - [Link](https://nixos.org/manual/nixos/stable/)
* NixOS Packages / Options Search - [Link](https://search.nixos.org/)
* Nix User Repository (NUR) Search - [Link](https://nur.nix-community.org/)
* ARM NixOS Building - [Link](https://nixos.wiki/wiki/NixOS_on_ARM#NixOS_installation_.26_configuration)
* Nix Manual - Unstable - [Link](https://nixos.org/manual/nix/unstable/introduction)
### 🔗 Useful Links
* FlakeHub - [Link](https://flakehub.com)
* Flakestry.dev - [Link](https://flakestry.dev/)
* Track a Nixpkgs PR - [Link](https://nixpk.gs/pr-tracker.html)
* Awesome-Hyprland - [Link](https://github.com/hyprland-community/awesome-hyprland)
### 🌐 Examples
* Tons of good examples here - [Link](https://github.com/Mic92/dotfiles/blob/main/nixos/modules/)
* NixOS Flakes Intro Guide - [Link](https://nixos-and-flakes.thiscute.world/)
### 👀 Theming
* Neofetch Themes - [Link](https://github.com/Chick2D/neofetch-themes/)
* Stylix - [Link](https://github.com/danth/stylix)
* Hyprland Inspirations
  * Aylur - [Link](https://github.com/Aylur/dotfiles)
* Base16 Color Schemes - [Link](https://tinted-theming.github.io/base16-gallery/)
---
# 🔒 Lanzaboote / SecureBoot
* Instructions here - [Link](https://git.sysctl.io/Mirrors/lanzaboote/src/branch/master/docs/QUICK_START.md)
## 🔒 Generic Instructions:
1. Create your keys: `sbctl create-keys`
2. Verify the machine is ready for Secure Boot: `sbctl verify`. Everything except the `*-bzImage.efi` files should be reported as signed; the kernel images being unsigned is expected with Lanzaboote, because the signed Lanzaboote stubs are what the firmware verifies.
3. Enter Secure Boot setup mode in the firmware settings of the motherboard (F10 on this board):
   * Security -> SecureBoot -> set to Enabled, choose "Reset to Setup Mode", save and exit
4. Enroll the keys: `sbctl enroll-keys --microsoft` (`--microsoft` also enrolls Microsoft's certificates, which some firmware components and option ROMs are signed with)
   * `--tpm-eventlog` is optional; the checksums it records will change later (e.g. on a kernel rebuild)
5. Reboot and verify that Secure Boot is active: `bootctl status`
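The check in step 2 is easy to do by eye once and easy to forget later, so here is a small script that applies the rule mechanically. It is an added example for this README, not a script from the repo: it reads `sbctl verify` output and fails if anything other than a `*-bzImage.efi` file is unsigned. It assumes the `✓ <path> is signed` / `✗ <path> is not signed` line format that current sbctl prints; the sample output at the bottom is constructed, not captured from a real machine.

```bash
#!/usr/bin/env bash
# Added example (not part of this repo): mechanical version of the
# "everything except *-bzImage.efi is signed" check for `sbctl verify`.
set -eu

# Reads `sbctl verify` output on stdin. Prints every unexpectedly unsigned
# file and returns 1 if there was one, 0 otherwise.
# Assumed line format: "✓ <path> is signed" / "✗ <path> is not signed".
check_sbctl_verify() {
  local bad=0 line path
  while IFS= read -r line; do
    case "$line" in
      *" is not signed")
        path=${line% is not signed}
        path=${path#* }              # drop the leading status glyph
        case "$path" in
          *-bzImage.efi) ;;          # kernel image: expected unsigned under Lanzaboote
          *) printf 'UNSIGNED: %s\n' "$path"; bad=1 ;;
        esac
        ;;
    esac
  done
  return $bad
}

# Constructed sample output (not from a real machine) for a dry run.
# A healthy Lanzaboote install: stub and boot loader signed, kernel image not.
sample_ok='Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-42-abcdef.efi is signed
✗ /boot/EFI/nixos/abcdef-linux-6.6.44-bzImage.efi is not signed'

# The same machine with an unsigned systemd-boot binary: must be rejected.
sample_bad="$sample_ok"'
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed'

# Real use, before enrolling keys:
#   sudo sbctl verify | check_sbctl_verify && echo "ready for Secure Boot"
```

Run it before `sbctl enroll-keys`, not after: once keys are enrolled and Secure Boot is enforced, an unsigned boot loader or stub is exactly what the firmware will refuse to start.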
## 💻 Framework Specific:
1. Change the boot import from `boot.nix` to `secureboot.nix` in `./nixos/hosts/<hostname>/default.nix`
2. Run `rebuild-host` to switch from `boot.nix` to `secureboot.nix`
3. Reboot into the UEFI settings and set Secure Boot to:
   * Enforce Secure Boot - Enabled
   * Erase all Secure Boot Settings - Enabled
   * Restore Secure Boot to Factory Settings - Disabled
4. Save and reboot
5. Run `sudo sbctl create-keys`
6. Run `sudo sbctl enroll-keys` (no `--microsoft` here; add it if Microsoft-signed firmware components or a Windows install also need to boot)
7. Reboot and verify with `bootctl status`
# 🗝️ Manual: GPG Keys
1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc`
2. Mark it as trusted: `gpg --edit-key albert@sysctl.io`, then type `trust`, then `5` (ultimate)
3. On each new machine, derive a PGP key from the host's SSH key: `sudo nix-shell -p ssh-to-pgp --run "ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key -o /etc/nixos/git/keys/hosts/$(hostname).asc"`
   * This prints the key fingerprint, which is the identifier you add to `.sops.yaml`
   * The public key is written to `keys/hosts/<hostname>.asc`; rename it if needed and commit it to git
# 🔐 Secrets
1. Run `nix develop` in `/etc/nixos/git` to import new keys
2. To edit a file: `sops secrets/file.yaml`
3. When you add a new machine, the secrets files must be re-encrypted to the new key:
   * Ensure `.sops.yaml` lists the new fingerprint and maps it to the right files.
   * Run `sops updatekeys secrets/file.yaml` for each affected file and commit the change.
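The GPG Keys and Secrets sections above describe one procedure for adding a machine, and the step that gets skipped in practice is checking that the fingerprint really is in `.sops.yaml` before `sops updatekeys` runs. The helpers below are an added example for this README, not code from the repo: they extract the fingerprint from a `keys/hosts/<host>.asc` file, check `.sops.yaml` for it, and re-encrypt every file under `secrets/`. They assume the directory layout shown at the end of this page and that every `*.yaml` under `secrets/` is sops-managed; only `fpr_of_keyfile` and `updatekeys_all` need `gpg` and `sops` installed. The colon-format sample is constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of this repo): glue for the "new machine" steps in
# the GPG Keys and Secrets sections. Assumes keys/hosts/<host>.asc, .sops.yaml
# and secrets/ as laid out in this README.
set -eu

# Primary-key fingerprint from `gpg --with-colons` output on stdin: the first
# "fpr" record, whose 10th field is the fingerprint. This is the identifier
# that goes into .sops.yaml.
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of an armored public key file such as keys/hosts/<host>.asc
# (needs gpg; not exercised by the dry run below).
fpr_of_keyfile() {
  gpg --show-keys --with-colons "$1" | fpr_from_colons
}

# 0 if .sops.yaml ($1) already lists fingerprint $2, 1 otherwise.
sops_has_fpr() {
  grep -qi -- "$2" "$1"
}

# Every sops-managed file under the secrets dir ($1); assumes all *.yaml there
# are sops files.
secrets_files() {
  find "$1" -type f -name '*.yaml' | sort
}

# Re-encrypt every secrets file to the recipients currently in .sops.yaml
# (needs sops). `updatekeys -y` is a no-op for files whose recipients did not
# change, so running it over everything is safe.
updatekeys_all() {
  secrets_files "$1" | while IFS= read -r f; do
    sops updatekeys -y "$f"
  done
}

# Constructed sample of `gpg --with-colons` output for the dry run.
sample_colons='pub:-:4096:1:0123456789ABCDEF:1700000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::DEADBEEF::framework-server:::::::::0:'

# Real use on a freshly added host, from /etc/nixos/git:
#   fpr=$(fpr_of_keyfile "keys/hosts/$(hostname).asc")
#   sops_has_fpr .sops.yaml "$fpr" || { echo "add $fpr to .sops.yaml first"; exit 1; }
#   updatekeys_all secrets
```

The order matters: `sops updatekeys` rewrites the encrypted data keys from whatever `.sops.yaml` says, so if the fingerprint is missing the new host is silently left out and the next rebuild on it fails to decrypt.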
# Troubleshooting
1. To troubleshoot disko issues, this command can come in handy:
```
nix eval .#nixosConfigurations.`hostname`.config.disko.devices._config
```
# Directory Structure
```
/etc/nixos/git/
├── docs
├── home-manager
│   ├── common
│   │   ├── desktops
│   │   └── software
│   │       ├── cli
│   │       └── gui
│   ├── hosts
│   └── users
├── keys
│   ├── hosts
│   ├── ssh
│   └── users
├── lib
├── nixos
│   ├── common
│   │   ├── desktops
│   │   ├── modules
│   │   ├── packages
│   │   ├── services
│   │   └── software
│   │       ├── cli
│   │       └── gui
│   ├── containers
│   ├── hosts
│   └── users
├── secrets
│   ├── containers
│   └── hosts
├── stylix
│   ├── common
│   └── themes
└── wallpapers
```