
New Deployment checklist

NixOS System

First steps

Edit Repository

This needs to be done, before installation, on a system that can already decrypt and re-encrypt the repository's secrets (one whose age key is listed in .sops.yaml).

  • Clone NixOS Configuration Repository
    git clone https://git.repo/nixos-config /<wherever>
    
  • Edit flake.nix and add a nixosConfigurations entry for the new hostname
  • Create a folder under hosts named after the hostname
  • Edit hosts/<hostname>/default.nix with any features and any users required
  • Generate the SSH host key pair. Host keys must have no passphrase (sshd reads them at boot). The private key passes through this workstation, so keep it in a scratch location and delete it once it has been copied to the new host
    ssh-keygen -t ed25519 -N "" -C "<hostname>" -f /tmp/ssh_host_ed25519_key
    
  • Create the secrets folder hosts/<hostname>/secrets
    • Put ssh_host_ed25519_key.pub inside hosts/<hostname>/secrets (only the public key is committed)
  • Get the age recipient of the host public key
    ssh-to-age < hosts/<hostname>/secrets/ssh_host_ed25519_key.pub
    
  • Update /.sops.yaml
    • Add the age recipient of the host public key under keys, anchored as &host_<hostname>
    • Add a new creation_rules entry for hosts/<hostname>/secrets/ and put *host_<hostname> and *user_dave in its key_groups
    • Add *host_<hostname> to the rules for both hosts/common/secrets.* and hosts/common/users/secrets.yaml
    • Editing .sops.yaml does not change files that are already encrypted: run sops updatekeys on each of those shared files so the new host's recipient is added to them
  • Create an example secret to ensure the host's secrets can be decoded
    sops hosts/<hostname>/secrets/secrets.yaml
    
    • Call the secret <hostname> with the value "Example Secret for <hostname>". This secret must exist: it is the check that the host can decrypt its own secrets file
  • Commit to Git
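
The repository-side steps above, written out as shell functions. This is an added example, not code from the original checklist: ssh-keygen, ssh-to-age and sops are the real tools, while the repo layout (hosts/<hostname>/secrets, hosts/common/...) and the anchors host_<hostname> and user_dave follow the checklist. The age recipients passed in by the caller (age1...) are placeholders, not real keys, and the rendered .sops.yaml assumes a repo with one admin user and one host.

```bash
#!/usr/bin/env bash
# Added example, not code from the original checklist: the "Edit Repository"
# steps as shell functions. ssh-keygen, ssh-to-age and sops are the real
# tools; the repo layout (hosts/<hostname>/secrets, hosts/common/...) and the
# anchors host_<hostname> / user_dave follow the checklist. The age recipients
# passed in by the caller (age1...) are placeholders, not real keys.

# Generate an unencrypted ed25519 host key pair in a scratch directory.
# -N "" : host keys carry no passphrase (sshd reads them at boot)
# -C    : the key comment, set to the hostname
gen_host_key() {
  local hostname=$1 dir=$2
  ssh-keygen -q -t ed25519 -N "" -C "$hostname" -f "$dir/ssh_host_ed25519_key"
}

# Derive the host's age recipient from its ssh public key file.
host_age_recipient() {
  ssh-to-age < "$1"
}

# Render a complete .sops.yaml for the layout used in the checklist:
# one admin user plus one host. For an existing file, add only the new
# "&host_<hostname>" entry under keys and the "*host_<hostname>" references,
# keeping the other hosts already listed in each rule.
# Arguments: hostname, host age recipient, user age recipient.
render_sops_yaml() {
  local hostname=$1 host_key=$2 user_key=$3
  cat <<EOF
keys:
  - &user_dave ${user_key}
  - &host_${hostname} ${host_key}
creation_rules:
  # Host-private secrets: only this host and the admin user can decrypt.
  - path_regex: hosts/${hostname}/secrets/.*
    key_groups:
      - age:
          - *host_${hostname}
          - *user_dave
  # Shared secrets: every host that must read them is listed here.
  - path_regex: hosts/common/secrets.*
    key_groups:
      - age:
          - *host_${hostname}
          - *user_dave
  - path_regex: hosts/common/users/secrets\.yaml
    key_groups:
      - age:
          - *host_${hostname}
          - *user_dave
EOF
}

# Changing .sops.yaml does not touch files already encrypted: re-wrap the
# data key of every shared file so the new host can decrypt it.
reencrypt_shared_secrets() {
  local f
  for f in hosts/common/secrets.* hosts/common/users/secrets.yaml; do
    if [ -e "$f" ]; then
      sops updatekeys -y "$f"
    fi
  done
}

# The checklist requires a secret named after the host; confirm it decrypts.
# Prints the value, exits non-zero if the key is missing or undecryptable.
check_example_secret() {
  local hostname=$1
  sops -d --extract "[\"${hostname}\"]" "hosts/${hostname}/secrets/secrets.yaml"
}

# Typical use from the repo root, run by hand after editing flake.nix
# (newbox and USER_AGE_KEY are placeholders):
#   gen_host_key newbox /tmp/newbox
#   mkdir -p hosts/newbox/secrets && cp /tmp/newbox/ssh_host_ed25519_key.pub hosts/newbox/secrets/
#   render_sops_yaml newbox "$(host_age_recipient hosts/newbox/secrets/ssh_host_ed25519_key.pub)" "$USER_AGE_KEY" > .sops.yaml
#   reencrypt_shared_secrets
#   sops hosts/newbox/secrets/secrets.yaml   # add: newbox: Example Secret for newbox
#   check_example_secret newbox
```

The functions only define behaviour; nothing runs until you call them, so the file can be sourced on the workstation and the steps invoked one at a time while checking each result.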

Installation

Option 1: Boot from Install Media

  • Download NixOS install media

    wget https://channels.nixos.org/nixos-23.05/latest-nixos-minimal-x86_64-linux.iso
    
  • Copy it to a flash drive (double-check the device name with lsblk first; dd overwrites whatever you point it at without asking) or mount it remotely

    dd if=latest-nixos-minimal-x86_64-linux.iso of=<YOUR_DEVICE> bs=4M conv=fsync status=progress
    
  • Boot NixOS Install media

Partition Disks

  • If the host uses impermanence, make sure the /persist subvolume (the active tree plus its snapshots) is created

Mount Disks and Subvolumes

  • Make sure all are mounted including any swap partitions

Copy additional files from Host

  • Copy the SSH host key pair generated earlier (/tmp/ssh_host_ed25519_key and its .pub) into the target's etc/ssh/ (under /mnt, or under /persist on an impermanence host). The private key must be mode 0600 and the public key 0644, both owned by root:root
  • Get Host AGE Private Key
    ssh-to-age -private-key -i /tmp/ssh_host_ed25519_key 
    
Create SOPS configuration on host
  • Copy the output of the above ssh-to-age command to /root/.config/sops/age/keys.txt on the target root (/mnt/root, or /persist/root on an impermanence host), creating the directory first. A keys.txt written under the installer's own /root is lost at reboot
  • Make sure the file is owned by root:root and readable only by its owner (chmod 400). It is equivalent to the host's private key, so treat it the same way
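
The two steps above as shell functions that set the modes explicitly and verify them. This is an added example, not code from the original checklist: <target> is the root of the new system as mounted in the installer (/mnt, or /mnt/persist on an impermanence host), the scratch directory holding the key pair is whatever you copied it to, and ssh-to-age is assumed to be on PATH. The key files used in the test are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the original checklist: putting the host key
# pair and root's age identity onto the target filesystem with the ownership
# and modes the checklist asks for. <target> is the root of the new system as
# mounted in the installer (/mnt, or /mnt/persist on an impermanence host).
# ssh-to-age is assumed to be on PATH (e.g. nix-shell -p ssh-to-age).

# Copy the key pair from the scratch dir into <target>/etc/ssh.
# Private key 0600, public key 0644; run as root in the installer so both
# end up owned by root:root. install(1) sets the mode explicitly, so the
# caller's umask does not matter.
stage_host_keys() {
  local src=$1 target=$2
  install -d -m 755 "$target/etc/ssh"
  install -m 600 "$src/ssh_host_ed25519_key"     "$target/etc/ssh/ssh_host_ed25519_key"
  install -m 644 "$src/ssh_host_ed25519_key.pub" "$target/etc/ssh/ssh_host_ed25519_key.pub"
}

# Derive root's age identity from the staged host private key and write it
# to <target>/root/.config/sops/age/keys.txt, creating the directory and
# leaving the file readable by its owner only (0400). Writing it under the
# installer's own /root instead would be lost at reboot.
write_root_age_key() {
  local target=$1
  ssh-to-age -private-key -i "$target/etc/ssh/ssh_host_ed25519_key" \
    | install -D -m 400 /dev/stdin "$target/root/.config/sops/age/keys.txt"
}

# Verify the result: the private key exists with mode exactly 0600 and, if
# keys.txt has been written, it has mode exactly 0400. find -perm with a
# plain octal number matches the exact mode and is POSIX-portable.
check_key_modes() {
  local target=$1 priv age
  priv=$target/etc/ssh/ssh_host_ed25519_key
  age=$target/root/.config/sops/age/keys.txt
  [ -f "$priv" ] || return 1
  [ -n "$(find "$priv" -perm 600)" ] || return 1
  if [ -f "$age" ]; then
    [ -n "$(find "$age" -perm 400)" ] || return 1
  fi
  return 0
}

# Typical use from the installer, after the target is mounted
# (/tmp/newbox is a placeholder for wherever the key pair was copied):
#   stage_host_keys /tmp/newbox /mnt          # or /mnt/persist with impermanence
#   write_root_age_key /mnt
#   check_key_modes /mnt && echo "host keys staged"
```

check_key_modes is deliberately strict about the exact mode rather than only rejecting world-readable files: a group-readable host key or keys.txt is still a key exposure, and sshd refuses a host key with loose permissions anyway.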

Clone NixOS Configuration Repository

  • Make sure that you have Git and Flakes enabled, then clone into /persist/nixos-config (the path the following steps use)
    nix-shell -p git nixFlakes
    git clone https://git.repo/nixos-config /persist/nixos-config
    

Generate Hardware Configuration

  • Check the generated file: all of your disks and filesystems and the correct hardware modules must be present. Swap has a tendency not to appear here automatically, so add swapDevices by hand if it is missing
    nixos-generate-config --show-hardware-config --root /mnt > /persist/nixos-config/hosts/<hostname>/hardware-configuration.nix
    

Install

  • If all goes well you will have a working system upon reboot:
    nixos-install --root /mnt --flake /persist/nixos-config/#<hostname>
    

Option 2: Remote Installation (NixOS Anywhere)

Another time...

Home Setup

Non-NixOS or NixOS System

  • If non-NixOS, make sure that Nix is installed either from your package manager or via the upstream installer. Prefer downloading the install script and reading it before running it over piping curl straight into sh
    • Standalone | Single User
      sh <(curl -L https://nixos.org/nix/install) --no-daemon
      
    • Multi User
      sh <(curl -L https://nixos.org/nix/install) --daemon
      

Install Channel

  • Login as user and add Home-Manager channel
    nix-channel --add https://github.com/nix-community/home-manager/archive/master.tar.gz home-manager
    #or a tagged release
    #nix-channel --add https://github.com/nix-community/home-manager/archive/release-23.05.tar.gz home-manager
    nix-channel --update
    
  • Log out and log back in, then install Home Manager
    nix-shell '<home-manager>' -A install
    

Clone Repo

```
mkdir -p ~/src/
git clone https://git.repo/home-manager-config ~/src/home-manager
```

Edit Repository

  • Edit flake.nix and add a new HomeConfiguration making sure you add at minimum:
    • org this profile belongs to. use generic if you don't know
    • role of system
    • windowmanager if this is a graphical system
  • Add any custom configuration under home// if you need it

Update SOPS

  • As above, edit .sops.yaml with your user's age public key and adjust the creation_rules for where secrets should be decoded; run sops updatekeys on any file whose recipient list changed
  • Copy any private/public SSH keys required for decoding into your ~/.ssh folder (private keys mode 0600)
  • Make sure that you have copied your AGE Private Key or regenerated
    ssh-to-age -private-key -i ~/.ssh/id_ed25519 | install -D -m 400 /dev/stdin ~/.config/sops/age/keys.txt
    

Deploy Configuration

  • Make sure you commit back to git!
    home-manager switch --flake ~/src/home-manager#<config-name> --extra-experimental-features "nix-command flakes"