rake5k/nixcfg

❄️ Nix Configuration

Features

Supported configurations

See flake.nix for more information, such as the system.

Structure

📂 .
├──🔒 flake.lock    -- flake lockfile
├── ❄ flake.nix     -- flake definition
├──📂 home          -- Home Manager configuration
│  ├──📂 base       -- basic configs
│  ├──📂 programs   -- custom program modules
│  ├──📂 roles      -- custom roles for bundling configsets
│  └──📂 users      -- user-specific config
├──📂 hosts         -- NixOS host configs
│  ├──📂 nixos-vm
│  ├──📂 nix-on-droid
│  └──📂 non-nixos-vm
├──📂 lib           -- internal flake library
├──📂 nix-on-droid  -- custom NixOnDroid modules
├──📂 nixos         -- custom NixOS modules
│  ├──📂 base       -- basic configs
│  │   └──📂 users  -- user configs
│  ├──📂 containers -- custom container modules
│  ├──📂 programs   -- custom program modules
│  └──📂 roles      -- custom roles for bundling configsets
└──📂 secrets       -- agenix-encrypted secrets

Usage

This flake can either be extended/modified directly or used as a library.

Directly

If you are not planning to use this flake for multiple Nix configurations, feel free to fork this repo, add your host and user configurations to the folder structure, and reference them in flake.nix:

{
  description = "Custom config flake";

  inputs = {
    # ...
  };

  outputs = { self, nixpkgs, ... } @ inputs:
    let
      # ...
    in
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];

      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];

      # ...
    };
}

As a Library

Create a new flake and prepare the folder structure as above, according to your needs. Then, add this flake to the inputs and define your hosts and users in the flake.nix:

{
  description = "Custom config flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
    nixcfg.url = "github:rake5k/nixcfg";
  };

  outputs = { nixpkgs, nixcfg, ... } @ inputs:
    let
      nixcfgLib = nixcfg.lib { inherit inputs; };

      # ...
    in
    with nixcfgLib;
    {
      homeConfigurations = listToAttrs [
        (mkHome x86_64-linux "demo@non-nixos-host")
      ];

      nixosConfigurations = listToAttrs [
        (mkNixos x86_64-linux "nixos-host")
      ];
    };
}

Initial Setup

NixOS

NixOS installation

To install NixOS from the nixos.org ISO on a fresh machine, run:

# If nix version < 2.4, run:
nix-shell -p nixFlakes

sudo su # become root
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf

export FLAKE=github:rake5k/nixcfg
nix run "$FLAKE#disko-install" -- <hostname> "$FLAKE" [--disk <disk-name> /dev/disk/by-id/<disk-id>]...

Where:

  • <hostname> is your target machine's desired host name. Define it beforehand inside nixosConfigurations of flake.nix.
  • <disk-name>/<disk-id> identify each drive to be managed by disko (at least the name needs to be defined in disko.devices.disk.<disk-name> beforehand).

This will completely nuke all data on the disk devices you provide. Make sure you have a working backup of the data on all drives connected to your target machine.

Warning: Even though the script should ask you before committing any changes to your machine, it can unexpectedly cause great harm!

After rebooting, proceed with the next section.

NixOS config setup

sudo nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git

Non-NixOS

Nix installation

# install Nix
mkdir -p ~/.config/nix
echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
sh <(curl -L https://nixos.org/nix/install) --no-channel-add --no-modify-profile
. ~/.nix-profile/etc/profile.d/nix.sh

Nix config setup

# Set up this Nix configuration
nix run github:rake5k/nixcfg#setup -- https://github.com/rake5k/nixcfg.git

# set login shell
chsh -s /bin/zsh

Secrets management

Make secrets available on new host

Add the host public key into the .agenix.toml file and assign it to the appropriate groups. Push the updated .agenix.toml back to the git repository, pull it to an existing host and re-key all the secrets with the command:

# On NixOS:
sudo agenix -i /etc/ssh/ssh_host_ed25519_key -i ~/.age/key.txt -r -vv

# On non-NixOS:
agenix -i ~/.age/key.txt -r -vv

After pushing/pulling the re-keyed secrets, just rebuild the new host's config to decrypt them.

Updating secrets

# First decrypt current secret
age --decrypt -i ~/.age/key.txt -o tmpfile < ./secrets/<secretfile>.age

# Update `tmpfile` contents...
vim tmpfile

# Re-encrypt the updated secret
age --encrypt --armor -i ~/.age/key.txt -o ./secrets/<secretfile>.age < tmpfile
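
A hardened variant of the update procedure above, as an added example (not code from the nixcfg repository): the steps above leave the decrypted tmpfile in the working directory, whereas this hypothetical edit_secret helper keeps the plaintext in a private scratch directory that is removed on exit and replaces the .age file only after encryption succeeds. It assumes age is on PATH and uses the ~/.age/key.txt identity from this page as its default.

```shell
# Added example, not from the nixcfg repository. edit_secret is a hypothetical
# helper; it assumes age is on PATH and the identity path used on this page.
edit_secret() (
    secret=$1                                   # e.g. ./secrets/<secretfile>.age
    identity=${2:-"$HOME/.age/key.txt"}
    [ -f "$secret" ] || { echo "no such secret: $secret" >&2; exit 2; }

    # Scratch directory outside the git work tree. mktemp -d creates it with
    # mode 0700; XDG_RUNTIME_DIR is usually a per-user tmpfs on systemd hosts.
    work=$(mktemp -d "${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}/secret-edit.XXXXXX") || exit 1
    trap 'rm -rf "$work"' EXIT                  # plaintext is removed on every exit path
    trap 'exit 130' INT TERM HUP                # signals go through the EXIT trap too

    age --decrypt -i "$identity" -o "$work/plain" < "$secret" || exit 1
    before=$(cksum < "$work/plain")

    # Swap files an editor writes next to the plaintext land in $work as well.
    "${EDITOR:-vi}" "$work/plain" || exit 1

    if [ "$before" = "$(cksum < "$work/plain")" ]; then
        echo "secret unchanged, keeping existing ciphertext" >&2
        exit 0
    fi

    # Encrypt to a sibling file and rename it into place, so a failed
    # encryption never truncates the secret that is already committed.
    new="$secret.new.$$"
    if age --encrypt --armor -i "$identity" -o "$new" < "$work/plain"; then
        mv -f "$new" "$secret"
    else
        rm -f "$new"
        exit 1
    fi
)
```

Call it as edit_secret ./secrets/<secretfile>.age; the second argument overrides the identity file.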

Updating inputs

This corresponds to the classical software/system update process known from other distros.

nix flake update

To apply (install) the updated inputs on the system, just run a rebuild of the config.

Rebuilding

# On NixOS
sudo nixos-rebuild switch

# On non-NixOS
hm-switch