Skip to main content

New Deployment checklist

NixOS System

My nix configuration has gotten complex. Passwords and Secrets are embedded in the repository and are necessary to be accessed in order to allow logins from the console. This is a summary of getting a system or a home configuration up and running.

First steps

Edit Repository

This needs to be done on a system that has access to update secrets before installation!

  • Clone NixOS Configuration Repository 
    git clone https://git.repo/nixos-config /<whereever>
  • Edit Flake.nix with NixOS Configuration of new hostname
  • Create folder under hosts with hostname
  • Edit default.nix with any features, and any users required
  • Create secrets folder
    • Put ssh_host_ed25519_key.pub inside secrets
  • Generate SSH Host Key 
    ssh-keygen -t ed25519 "Hostname" -f /tmp/ssh_host_ed25519_key
  • Create secrets folder
    • Put ssh_host_ed25519_key.pub inside hosts/<hostname>/secrets
  • Get AGE Key of Host public key 
    cat hosts/<hostname>/secrets/ssh_host_ed25519_key.pub | ssh-to-age
  • Update /.sops.yaml
    • Add the AGE Key of the Host Public key under keys
    • Add a new creation_rule group for and add *host_<hostname> and *user_dave to the key_groups
    • Add *host_<hostname> to both hosts/common/secrets.*andhosts/common/users/secrets.yaml`
  • Create example secret to ensure secrets can be decoded 
    sops hosts/<hostname>/secrets/secrets.yaml
    • Call the secret <hostname>: Example Secret for <Hostname> - This secret must exist
  • Commit to Git

Installation

Option 1: Boot from Install Media

  • Download NixOS install media

    wget https://channels.nixos.org/nixos-23.05/latest-nixos-minimal-x86_64-linux.iso

  • Copy to Flash drive or mount remotely

    dd if=latest-nixos-minimal-x86_64-linux.iso of=<YOUR_DEVICE> bs=4M

  • Boot NixOS Install media

Partition Disks

  • If impermanence, make sure that /persist (active + snapshots) is created

Mount Disks and Subvolumes

  • Make sure all are mounted including any swap partitions

Copy additional files from Host

  • Copy SSH private and public key from /tmp/ssh_host_ed25519* to {/persist}/etc/ssh/
  • Get Host AGE Private Key 
    ssh-to-age -private-key -i /tmp/ssh_host_ed25519_key
Create SOPS configuration on host
  • Copy output of above ssh-to-age command to /root/.config/sops/age/keys.txt
  • Make sure file is owned by root:root and can only be read (chmod 400)

Clone NixOS Configuration Repository

  • Make sure that you have Git and Flakes enabled 
    nix-shell -p git nixFlakes
git clone https://git.repo/nixos-config /persist

Generate Hardware Configuration

  • Make sure that all of your disks and the correct hardware modules have been detected. Swap has a tendency to not appear here automatically! 
    nixos-generate-config --show-hardware-config --root /mnt > /persist/nixos-config/hosts/<hostname>/hardware-configuration.nix

Install

  • If all goes well you will have a working system upon reboot: 
    nixos-install --root /mnt --flake /persist/nixos-config/#<hostname>

Option 2: Remote Installation (NixOS Anywhere)

echo -n "password" > /tmp/secret.key
nix run github:numtide/nixos-anywhere -- --flake .#<hostname> --disk-encryption-keys /tmp/secret.key /tmp/secret.key root@192.168.122.111

Another time...

Home Setup

Non or NixOS System

  • If non, make sure that Nix is installed either from your package manager or via
    • Standlone | Single User 
      sh <(curl -L https://nixos.org/nix/install) --nodaemon
    • MultiUser 
      sh <(curl -L https://nixos.org/nix/install) --daemon

Install Channel

  • Login as user and add Home-Manager channel 
    nix-channel --add https://github.com/nix-community/home-manager/archive/master.tar.gz home-manager
#or a tagged release
#nix-channel --add https://github.com/nix-community/home-manager/archive/release-23.05.tar.gz home-manager
nix-channel --update
  • Logout and log back in 
    nix-shell '<home-manager>' -A install

Clone Repo

```
  mkdir -p ~/src/
  git clone https://git.repo/home-manager-config ~/src/home-manager
```

Edit Repository

  • Edit flake.nix and add a new HomeConfiguration making sure you add at minimum:
    • org this profile belongs to. use generic if you don't know
    • role of system
    • windowmanager if this is a graphical system
  • Add any custom configuration under `home//, or don't.

Update SOPS

  • As above, edit sops.yaml with your users AGE public key and make any adjustments to where secrets should be decoded.
  • Copy any private/public SSH keys required for decoding into your ~/.ssh folder
  • Make sure that you have copied your AGE Private Key or regenerated 
    ssh-to-age -private-key -i ~/.ssh/id_ed25519 | install -D -m 400 /dev/stdin ~/.config/sops/age/keys.txt

Deploy Configuration

  • Make sure you commit back to git! 
    home-manager switch --flake ~/src/home-manager#<config-name> --extra-experimental-features "nix-command flakes"
Back to top