extrange/nixos-config

My NixOS Configuration


Secrets are encrypted with each host's own SSH key via sops-nix.

Useful Commands

Configuration

Host configuration is specified by *.nix files in hosts/${hostname}, e.g.:

  • system.nix
  • hardware-configuration.nix (generated by nixos-generate-config)
  • Optionally, other files as resources e.g. monitors.xml

They also inherit configurations from common/.

See available options in common-opt.

When adding a new host, generate its SSH keypair in the server's /home/user/keys directory: ssh-keygen -t ed25519 -f <hostname>

Install

An encrypted root (LVM over LUKS) with zram will be set up. The root account is disabled.

Important

Before installing anything, back up your existing configuration:

  • Firefox profiles
  • /etc/fstab (if applicable)
  • nm-cli connections (if applicable)
  • VM images (if applicable)

Boot into the NixOS installer.

Then, run:

$ sudo -i
# source <(curl -s https://raw.githubusercontent.com/extrange/nixos-config/main/setup.sh)

Enter SSH login details when prompted.

Once installation is completed successfully, reboot.

Post Install

  • git push changes to hardware-configuration.nix for the respective host
    • If necessary, add the new key to Github
  • If remote access is required, add the host's public key to common/system.nix's known_hosts so that other devices can connect without prompting
    • NixOS generates new host keys every time a host is provisioned, and I do not declaratively configure that
  • Pull Firefox profile
  • Set up logins (these can't be declaratively set)
    • Tailscale (Auth Key max expiry is 90 days)
    • Telegram
    • Whatsapp
  • Syncthing: configure folders, add device to server
  • GSConnect pairing
  • VSCode settings sync (note: due to automatic login, the keyring is not unlocked. However, it is possible to use an insecure storage and disable the password.)

Raspberry Pi 4

Currently not working - GPU driver issues (Qt Fatal: Could not open display).

For the initial build, build locally on another build host:

NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1 nix build path:.#nixosConfigurations.rpi4.config.system.build.sdImage --impure --max-jobs 1

Note: the build host requires boot.binfmt.emulatedSystems = [ "aarch64-linux" ] set.

dd the image to the SD card:

sudo dd if=<path-to-img> of=/dev/sdX bs=4096 conv=fsync status=progress

Subsequent builds can be pushed to the pi remotely:

nixos-rebuild --target-host [email protected] --flake path:.#rpi4 --use-remote-sudo switch

Notes

  • To edit sops secrets, use SOPS_AGE_KEY=$(ssh-to-age -private-key -i ~/.ssh/id_ed25519) sops secrets.yaml.
  • To add a new key for a host:
    • First, get the age key from the SSH public key: ssh-keygen -y -f path/to/public/key | ssh-to-age
    • Add the key to .sops.yaml
    • Update: SOPS_AGE_KEY=$(ssh-to-age -private-key -i path/to/private/key) sops updatekeys secrets.yaml (the private key must have previously been used to encrypt the file)
  • nixos-rebuild switch --flake .#hostname will not allow access to untracked files. To work around this, do nixos-rebuild switch --flake path:.#hostname.
  • Using read in curl ... | bash doesn't work as read does not have access to the terminal, so source is used instead.
  • To fix the TypeError: BootSpec.__init__() missing 1 required positional argument, delete symlinks to older generations in /nix/var/nix/profiles, then rerun nixos-rebuild switch.
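The ssh-keygen -y ... | ssh-to-age step above turns a host's ed25519 SSH public key into the age recipient that goes into .sops.yaml. The following added example (not part of this repo or of ssh-to-age) shows the conversion that tool performs, assumed here to be: parse the OpenSSH key blob, map the Edwards y-coordinate to the X25519 u-coordinate, and bech32-encode the result with the "age" prefix. SAMPLE_KEY is a constructed line built from the ed25519 base point, not a real host key.

```python
import base64
import struct

P = 2**255 - 19  # field prime shared by ed25519 and X25519
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP-173)
# Constructed sample: an ssh-ed25519 line whose key bytes are the ed25519 base
# point (y = 4/5), NOT a real host key; its X25519 u-coordinate is 9.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhm" + "ZmZm" * 10 + " test@host"

def parse_ssh_ed25519(line: str) -> bytes:
    """Return the raw 32-byte key from an OpenSSH 'ssh-ed25519 AAAA...' line."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):  # SSH wire format: sequence of length-prefixed strings
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) != 2 or fields[0] != b"ssh-ed25519" or len(fields[1]) != 32:
        raise ValueError("not an ssh-ed25519 public key")
    return fields[1]

def edwards_y_to_montgomery_u(y: int) -> int:
    return (1 + y) * pow((1 - y) % P, -1, P) % P  # birational map u = (1+y)/(1-y)

def ed25519_to_x25519(pk: bytes) -> bytes:
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)  # drop the sign bit of x
    return edwards_y_to_montgomery_u(y).to_bytes(32, "little")

def bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def bech32_encode(hrp: str, data: bytes) -> str:
    """Plain bech32 (not bech32m): regroup bytes into 5-bit values, add checksum."""
    five, acc, bits = [], 0, 0
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            five.append((acc >> bits) & 31)
    if bits:  # pad the final partial group with zero bits
        five.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    polymod = bech32_polymod(hrp_exp + five + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in five + checksum)

def ssh_to_age(line: str) -> str:  # SSH ed25519 public key -> age recipient
    return bech32_encode("age", ed25519_to_x25519(parse_ssh_ed25519(line)))
```

Compare ssh_to_age(open("/etc/ssh/ssh_host_ed25519_key.pub").read()) against the real ssh-to-age output on a host before trusting any such helper in a key-rotation script.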

Resources
