nixos-config/README.md

# NixOS config

## Secrets

Secrets should never be world-readable, even to users who are
logged in to one of the hosts managed by this configuration. These are
generally managed by agenix, allowing them to still be put in the nix
store.

## Setting up a new dev environment

* Add a shell to the devShells output in `flake.nix`.

* Execute `use_flake /path/to/repo#name-of-shell > .envrc` to initialize the `.envrc` file.

* Execute `direnv allow` to load the `.envrc` file which in turn loads your environment.

## Setting up ZFS

1. Create three partitions:
   * Boot
   * Swap
   * ZFS

   For example:
   ```shell
   sgdisk -n 0:0:+512MiB -t 0:EF00 -c 0:boot $DISK
   sgdisk -n 0:0:+32GiB -t 0:8200 -c 0:swap $DISK
   sgdisk -n 0:0:0 -t 0:BF01 -c 0:ZFS $DISK
   ```

2. Configure swap and boot as usual.

3. Create ZPool:
   ```shell
   zpool create -O mountpoint=none -O encryption=aes-256-gcm -O keyformat=passphrase rpool $ZFS_PART
   ```
   Leave out `-O encryption=aes-256-gcm -O keyformat=passphrase` if you don't want to fully encrypt the ZFS partition.

4. Create datasets:
   ```shell
   zfs create -o mountpoint=legacy rpool/local/root
   zfs snapshot rpool/local/root@blank
   zfs create -o mountpoint=legacy rpool/local/nix
   zfs set compression=lz4 rpool/local/nix
   zfs create -o mountpoint=legacy rpool/local/cache
   zfs set compression=lz4 rpool/local/cache
   zfs create -o mountpoint=legacy rpool/safe/data
   zfs set compression=lz4 rpool/local/data
   ```
5. Mount datasets:
   ```shell
   mount -t zfs rpool/local/root /mnt
   mkdir /mnt/nix
   mount -t zfs rpool/local/nix /mnt/nix
   mkdir /mnt/boot
   mount $BOOT_PART /mnt/boot
   mkdir /mnt/cache
   mount -t zfs rpool/local/cache /mnt/cache
   mkdir /mnt/data
   mount -t zfs rpool/safe/data /mnt/data
   ```
6. Configure Host ID

   Set `networking.hostid` in the nixos config to `head -c 8 /etc/machine-id`.