Skip to content

ghedamat/nixfiles

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

352 Commits
cachix
cachix
 
 
common
common
 
 
hardware
hardware
 
 
nixpkgs
nixpkgs
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
hive-baneling-gpd-pocket.nix
hive-baneling-gpd-pocket.nix
 
 
hive-drone-devserver.nix
hive-drone-devserver.nix
 
 
hive-hydralisk-desktop.nix
hive-hydralisk-desktop.nix
 
 
hive-infested-terran-opstest.nix
hive-infested-terran-opstest.nix
 
 
hive-lurker-devserver.nix
hive-lurker-devserver.nix
 
 
hive-nixos-dev-template.nix
hive-nixos-dev-template.nix
 
 
hive-nydusworm-plex.nix
hive-nydusworm-plex.nix
 
 
hive-overlord-dnsmasq.nix
hive-overlord-dnsmasq.nix
 
 
hive-probe-outer.nix
hive-probe-outer.nix
 
 
hive-spawning-pool-printserver.nix
hive-spawning-pool-printserver.nix
 
 
hive-swarm-host-nas.nix
hive-swarm-host-nas.nix
 
 
hive-ultralisk-postgres.nix
hive-ultralisk-postgres.nix
 
 
hive-viper-devserver.nix
hive-viper-devserver.nix
 
 
hive-zergling-x280.nix
hive-zergling-x280.nix
 
 
nixops.nix
nixops.nix
 
 

Repository files navigation

nixfiles

Some of my .nix files

mostly based on @shazow's work

https://github.com/shazow/nixfiles

Installing

Disk Setup

Rough sketch of the expected disk layout with full-disk encryption.

NOTE: If trying in a VM, make sure to use a SCSI virtual disk (instead of HDA) and UEFI enabled.

# Setup partition layout
# Swap should be >RAM size if you're going to use hibernate
parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB  # boot
parted /dev/sda -- set 1 boot on
parted /dev/sda -- mkpart primary 512MiB -1GiB  # root
parted /dev/sda -- mkpart primary linux-swap -1GiB 100%  # swap

# Generate root private key file
if [[ ! -f cryptroot.key ]]; then
  dd if=/dev/urandom of=cryptroot.key bs=1 count=4096
  chmod 0400 cryptroot.key
fi

# Encrypt the partitions
# Swap partition is also encrypted, so our hibernate state is encrypted.
cryptsetup luksFormat /dev/sda2  # Enter password
cryptsetup luksFormat /dev/sda3  # Enter the same password
cryptsetup luksAddKey /dev/sda2 cryptroot.key
cryptsetup luksAddKey /dev/sda3 cryptroot.key

# Open the encrypted partitions
cryptsetup open -d cryptroot.key /dev/sda2 cryptroot
cryptsetup open -d cryptroot.key /dev/sda3 cryptswap

# Format the underlying partitions
mkfs.fat -F 32 -n efi /dev/sda1
mkswap /dev/mapper/cryptswap
mkfs.btrfs /dev/mapper/cryptroot
mount -o defaults,noatime,compress=lzo,autodefrag /dev/mapper/cryptroot /mnt

# Create volumes on the btrfs root
btrfs subvolume create /mnt/@rootnix
btrfs subvolume create /mnt/@boot
btrfs subvolume create /mnt/@home

# Remount with new volumes
umount /mnt
mount -o compress=lzo,subvol=@rootnix /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot /mnt/home
mount -o compress=lzo,subvol=@boot /dev/mapper/cryptroot /mnt/boot
mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

Resume an existing disk setup:

cryptsetup open /dev/sda2 cryptroot  # Enter password
cryptsetup open /dev/sda3 cryptswap  # Enter password

mount -o compress=lzo,subvol=@rootnix /dev/mapper/cryptroot /mnt
mount -o compress=lzo,subvol=@boot /dev/mapper/cryptroot /mnt/boot
mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home
mount /dev/sda1 /mnt/boot/efi

NixOS Setup from another distro

If you're installing from inside another distro, you can use these instructions: https://nixos.org/nixos/manual/index.html#sec-installing-from-other-distro

In Arch, using the aur/nix package does not work.

If we need to add hardware-specific configuration imports, we'll need nixos-hardware (setup instructions). The nix environment activator only includes the nixpkgs channel in the NIX_PATH by default, so we'll need to add that too.

# Activate the nix environment
. $HOME/.nix-profile/etc/profile.d/nix.sh

# Add the nixos-hardware channel
nix-channel --add https://github.com/NixOS/nixos-hardware/archive/master.tar.gz nixos-hardware
nix-channel --update nixos-hardware

# Add the new channel to our NIX_PATH
export NIX_PATH=${NIX_PATH}:${NIX_PATH//nixpkgs/nixos-hardware}

Some other notes for installing from another distro (doesn't apply for a normal install):

  • ${disk.efi} should be mounted to /mnt/boot/efi (or whatever the root prefix is).
  • ${disk.extraInitrd} should be an absolute path under the root prefix (otherwise when we install outside the root prefix, it messes up the path).

After that, off we go:

sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt

NixOS Setup from scratch (in a VM)

curl -Ls "https://github.com/shazow/nixfiles/archive/master.zip" -o nixfiles.zip
unzip nixfiles.zip

mkdir /mnt/etc
mv nixfiles-master /mnt/etc/nixos

cd /mnt/etc/nixos
echo \"$(mkpasswd -m sha-512)\" > .hashedPassword.nix
chmod 400 .hashedPassword.nix

# TODO: Make initrd.keys.gz (see Makefile)

cat > disk.nix << EOF
{
  extraInitrd = ./initrd.keys.gz;
  keyFile = "cryptroot.key";
  cryptroot = "/dev/sda2";
  cryptswap = "/dev/sda3";
  efi = "/dev/sda1";
}
EOF

cp hosts/example.nix configuration.nix
echo "Edit configuration.nix ... Some of the paths are wrong here, need to fix."

nixos-install --root /mnt

References

Big thanks to @shazow!

below his friends that helped!

Full Disk Encryption (FDE)

notes

this config track the unstable channel

nix-channel --add https://nixos.org/channels/nixos-unstable unstable
nix-channel --update unstable

About

Some of my .nix files

Resources

Readme

License

MIT license
Activity

Stars

19 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Nix 82.7%
  • Python 7.6%
  • Shell 6.0%
  • Vim Script 3.3%
  • Makefile 0.4%