Charlotte Van Petegem a64ef94ac5
Update dependencies
2021-09-06 10:23:29 +02:00
.git-crypt Initial commit 2020-02-10 17:27:13 +01:00
machines Disable direnv on servers 2021-07-29 15:43:25 +02:00
modules Update accentor 2021-09-04 11:52:36 +02:00
packages Package kotlin-language-server and jdtls again 2021-07-03 11:55:53 +02:00
patches Update dependencies 2021-09-06 09:50:04 +02:00
secrets Update dependencies 2021-07-20 12:54:18 +02:00
shells Update dependencies 2021-06-26 11:50:08 +02:00
.gitattributes Basic configuration for new servers and start modularizing config 2020-12-01 19:23:28 +01:00
flake.lock Update dependencies 2021-09-06 09:50:04 +02:00
flake.nix Update dependencies 2021-09-06 10:23:29 +02:00
license.md Update license.md 2020-09-27 14:41:25 +02:00
README.md Reorganize repository 2021-07-10 09:03:38 +02:00
remote.sh Update dependencies 2021-04-23 11:10:23 +02:00
secrets.nix Migrate matrix-synapse away from docker 2021-07-10 14:19:05 +02:00
update.sh Update dependencies 2021-04-16 10:45:04 +02:00

NixOS config

Secrets

There are two types of secrets in this repository: secret secrets, and secret configuration.

Secret secrets must never be world-readable, not even to users who are logged in to one of the hosts managed by this configuration. These are generally managed by agenix: only the age-encrypted ciphertext is committed and ends up in the (world-readable) nix store, and each host decrypts it with its own SSH host key at activation time into a runtime directory with restricted permissions.

Secret configuration is mostly security through obscurity (e.g. the ports some services I run listen on, which I would rather not publish to the whole world). These are managed with git-crypt and live in files whose names end in secret.nix. Note that git-crypt only protects the committed repository: once the configuration is evaluated, these values end up in the generated system configuration in the nix store, readable by anyone with a shell on the host.

Setting up a new dev environment

  • Create a new *.nix file in the shells directory that describes the environment (this is the hard part).

  • Create a .envrc file containing use_nix (e.g. echo use_nix > .envrc) to initialize it.

  • Execute ln -s /path/to/correct/file.nix shell.nix so direnv finds the environment description.

  • Execute direnv allow to approve the .envrc file, which in turn loads your environment. This is the trust step: direnv executes the contents of .envrc as shell code every time you enter the directory, and asks you to allow it again whenever the file changes.
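As an added example of what such a shells/*.nix file can look like (not a file from this repository; the package names are ordinary nixpkgs attributes, and the fallback import of the nixpkgs channel is an assumption, since the symlinked shell.nix is evaluated outside the flake):

```nix
# Example shells/example.nix (added illustration, not part of this repository).
# Assumption: <nixpkgs> resolves to a nixpkgs channel when no pkgs argument is given.
{ pkgs ? import <nixpkgs> { } }:

pkgs.mkShell {
  # Tools put on PATH once direnv loads the environment.
  nativeBuildInputs = with pkgs; [
    nodejs
    yarn
    nodePackages.typescript-language-server
  ];

  # Environment variables exported into the shell.
  NODE_ENV = "development";

  # Runs every time the shell is entered; direnv re-runs it on each cd into the directory,
  # which is why `direnv allow` has to be granted explicitly first.
  shellHook = ''
    export PATH="$PWD/node_modules/.bin:$PATH"
  '';
}
```

The matching .envrc would contain `use_nix` as described above; adding a `watch_file shell.nix` line makes direnv reload the environment when the symlinked file changes.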

Setting up ZFS

  1. Create three partitions:

    • Boot
    • Swap
    • ZFS

    For example:

    sgdisk -n 0:0:+512MiB -t 0:EF00 -c 0:boot $DISK
    sgdisk -n 0:0:+32GiB -t 0:8200 -c 0:swap $DISK
    sgdisk -n 0:0:0 -t 0:BF01 -c 0:ZFS $DISK
    
  2. Configure swap and boot as usual.

  3. Create ZPool:

    zpool create -O mountpoint=none -O encryption=aes-256-gcm -O keyformat=passphrase rpool $ZFS_PART
    

    Leave out -O encryption=aes-256-gcm -O keyformat=passphrase if you don't want to encrypt the whole pool. With encryption set on the pool's root dataset every child dataset (including rpool/local/nix) inherits it, so the passphrase has to be entered in the initrd at every boot. The swap partition created above sits outside the pool and stays unencrypted unless you encrypt it separately.

  4. Create datasets:

    # Parent datasets first: zfs create fails with "parent does not exist" otherwise.
    # They are never mounted themselves and only group the children.
    zfs create -o mountpoint=none rpool/local
    zfs create -o mountpoint=none rpool/safe
    zfs create -o mountpoint=legacy rpool/local/root
    zfs snapshot rpool/local/root@blank
    zfs create -o mountpoint=legacy rpool/local/nix
    zfs set compression=lz4 rpool/local/nix
    zfs create -o mountpoint=legacy rpool/local/cache
    zfs set compression=lz4 rpool/local/cache
    zfs create -o mountpoint=legacy rpool/safe/data
    zfs set compression=lz4 rpool/safe/data
    
  5. Mount datasets:

    mount -t zfs rpool/local/root /mnt
    mkdir /mnt/nix
    mount -t zfs rpool/local/nix /mnt/nix
    mkdir /mnt/boot
    mount $BOOT_PART /mnt/boot
    mkdir /mnt/cache
    mount -t zfs rpool/local/cache /mnt/cache
    mkdir /mnt/data
    mount -t zfs rpool/safe/data /mnt/data
    
  6. Configure Host ID

    Set networking.hostId in the NixOS config to the output of head -c 8 /etc/machine-id. ZFS records the host id in the pool and refuses to import a pool that was last used under a different id without -f, so the value must stay stable across reboots and rebuilds.
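The NixOS side of the layout built above, as an added example (this is not a module from this repository). It assumes a UEFI machine with systemd-boot and a vfat ESP (the page only says to configure boot "as usual"), the partition labels boot and swap from the sgdisk commands, a placeholder hostId, and that the @blank snapshot is meant for rolling the root dataset back on every boot so that only /nix, /cache and /data persist:

```nix
# Added example, not part of this repository. Hypothetical values are marked as such.
{ config, lib, pkgs, ... }:

{
  boot.supportedFilesystems = [ "zfs" ];
  boot.loader.systemd-boot.enable = true;          # assumption: UEFI + systemd-boot
  boot.loader.efi.canTouchEfiVariables = true;

  # Must match the id the pool was created/imported under: `head -c 8 /etc/machine-id`.
  networking.hostId = "8425e349";                  # placeholder, use your own value

  # Prompt for the pool passphrase in the initrd so the encrypted root can be imported.
  boot.zfs.requestEncryptionCredentials = true;

  # Assumption: reset the root dataset to the empty @blank snapshot on every boot.
  # mkAfter keeps this after the pool import that the zfs module adds to the same hook.
  boot.initrd.postDeviceCommands = lib.mkAfter ''
    zfs rollback -r rpool/local/root@blank
  '';

  fileSystems."/"     = { device = "rpool/local/root";  fsType = "zfs"; };
  fileSystems."/nix"  = { device = "rpool/local/nix";   fsType = "zfs"; };
  fileSystems."/cache" = { device = "rpool/local/cache"; fsType = "zfs"; neededForBoot = true; };
  fileSystems."/data" = { device = "rpool/safe/data";   fsType = "zfs"; neededForBoot = true; };
  fileSystems."/boot" = { device = "/dev/disk/by-partlabel/boot"; fsType = "vfat"; };

  # Swap lives outside the encrypted pool. A fresh random key at each boot keeps paged-out
  # pool contents from reaching the disk in the clear; this rules out hibernation.
  swapDevices = [
    { device = "/dev/disk/by-partlabel/swap"; randomEncryption.enable = true; }
  ];
}
```

neededForBoot on /cache and /data is set so that anything persisted there (host keys, service state) is mounted before stage 2 starts; drop it if nothing in those datasets is needed that early.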