
New Deployment checklist

NixOS System

My Nix configuration has gotten complex. Passwords and secrets are embedded in the repository and must be accessible in order to allow logins from the console. This is a summary of getting a system or a home configuration up and running.

First steps

Edit Repository

This needs to be done, before installation, on a system that already has access to update the secrets!

  • Clone NixOS Configuration Repository
    git clone https://git.repo/nixos-config /<wherever>
    
  • Edit flake.nix and add a NixOS configuration for the new hostname
  • Create a folder under hosts named after the hostname
  • Edit its default.nix with any features and any users required
  • Generate the SSH host key (with an empty passphrase: sshd cannot load a passphrase-protected host key, and ssh-to-age must read it unattended; the hostname goes in the key comment)
    ssh-keygen -t ed25519 -N "" -C "<hostname>" -f /tmp/ssh_host_ed25519_key -q
    
  • Create the secrets folder
    • Put ssh_host_ed25519_key.pub inside hosts/<hostname>/secrets
  • Get AGE Key of Host public key
    cat hosts/<hostname>/secrets/ssh_host_ed25519_key.pub | ssh-to-age
    
  • Update .sops.yaml at the repository root
    • Add the AGE key of the host public key under keys (as the anchor that *host_<hostname> refers to)
    • Add a new creation_rules entry for the host's own secrets (hosts/<hostname>/secrets/) and put *host_<hostname> and *user_dave in its key_groups
    • Add *host_<hostname> to the key_groups of both `hosts/common/secrets.*` and `hosts/common/users/secrets.yaml`
  • Create an example secret to ensure secrets can be decoded on the new host
    sops hosts/<hostname>/secrets/secrets.yaml
    
    • Name the secret <hostname> with the value "Example Secret for <Hostname>"; this secret must exist
  • Commit to Git
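The shape the .sops.yaml ends up in after the steps above, written as an added example rather than a copy of the repository's own file. The hostname newhost, both age public keys, and the exact path_regex values are assumptions; the existing user_dave anchor is kept as it already exists in the file.

```yaml
# Added example .sops.yaml (not the repository's own file).
# Assumptions: hostname "newhost"; the age keys below are placeholders.
keys:
  - &user_dave age1PLACEHOLDER_USER_DAVE_PUBLIC_KEY
  # Output of: cat hosts/newhost/secrets/ssh_host_ed25519_key.pub | ssh-to-age
  - &host_newhost age1PLACEHOLDER_HOST_NEWHOST_PUBLIC_KEY

creation_rules:
  # New rule for the host's own secrets: readable by dave (for editing)
  # and by the host (for decryption at boot / login).
  - path_regex: hosts/newhost/secrets/.*
    key_groups:
      - age:
          - *user_dave
          - *host_newhost

  # Existing shared rules: the new host is added so it can decrypt them.
  - path_regex: hosts/common/secrets\..*
    key_groups:
      - age:
          - *user_dave
          - *host_newhost

  - path_regex: hosts/common/users/secrets\.yaml
    key_groups:
      - age:
          - *user_dave
          - *host_newhost
```

Editing .sops.yaml does not re-encrypt files that already exist; run `sops updatekeys <file>` on each shared secrets file so the new host key is actually added as a recipient, and check the `sops` metadata block afterwards.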

Installation

Option 1: Boot from Install Media

  • Download NixOS install media

    wget https://channels.nixos.org/nixos-23.05/latest-nixos-minimal-x86_64-linux.iso
    
  • Copy to Flash drive or mount remotely

    dd if=latest-nixos-minimal-x86_64-linux.iso of=<YOUR_DEVICE> bs=4M
    
  • Boot NixOS Install media

Partition Disks

  • If using impermanence, make sure that /persist (active + snapshots subvolumes) is created

Mount Disks and Subvolumes

  • Make sure all are mounted including any swap partitions

Copy additional files from Host

  • Copy the SSH private and public host key from /tmp/ssh_host_ed25519* to {/persist}/etc/ssh/
  • Get the host's AGE private key
    ssh-to-age -private-key -i /tmp/ssh_host_ed25519_key
    
Create SOPS configuration on host

  • Copy the output of the ssh-to-age command above to /root/.config/sops/age/keys.txt
  • Make sure the file is owned by root:root and is readable only by its owner (chmod 400)

Clone NixOS Configuration Repository

  • Make sure that you have Git and flakes available (the repository is cloned to /persist/nixos-config, the path used by the following steps)
    nix-shell -p git nixFlakes
    git clone https://git.repo/nixos-config /persist/nixos-config
    

Generate Hardware Configuration

  • Make sure that all of your disks and the correct hardware modules have been detected. Swap has a tendency not to appear here automatically!
    nixos-generate-config --show-hardware-config --root /mnt > /persist/nixos-config/hosts/<hostname>/hardware-configuration.nix
    

Install

  • If all goes well you will have a working system upon reboot:
    nixos-install --root /mnt --flake /persist/nixos-config#<hostname>
    

Option 2: Remote Installation (NixOS Anywhere)

echo -n "password" > /tmp/secret.key
nix run github:numtide/nixos-anywhere -- --flake .#<hostname> --disk-encryption-keys /tmp/secret.key /tmp/secret.key root@192.168.122.111

Another time...

Home Setup

Non-NixOS or NixOS System

  • If non-NixOS, make sure that Nix is installed either from your package manager or via the official installer
    • Standalone | Single User
      sh <(curl -L https://nixos.org/nix/install) --nodaemon
      
    • Multi-User
      sh <(curl -L https://nixos.org/nix/install) --daemon
      

Install Channel

  • Log in as the user and add the Home Manager channel
    nix-channel --add https://github.com/nix-community/home-manager/archive/master.tar.gz home-manager
    #or a tagged release
    #nix-channel --add https://github.com/nix-community/home-manager/archive/release-23.05.tar.gz home-manager
    nix-channel --update
    
  • Log out, log back in, and install Home Manager
    nix-shell '<home-manager>' -A install
    

Clone Repo

```
mkdir -p ~/src/
git clone https://git.repo/home-manager-config ~/src/home-manager
```

Edit Repository

  • Edit flake.nix and add a new homeConfigurations entry, making sure you set at minimum:
    • the org this profile belongs to (use generic if you don't know)
    • the role of the system
    • the window manager, if this is a graphical system
  • Add any custom configuration under `home//`, or don't.

Update SOPS

  • As above, edit .sops.yaml with your user's AGE public key and make any adjustments to where secrets should be decoded.
  • Copy any private/public SSH keys required for decoding into your ~/.ssh folder
  • Make sure that you have copied your AGE private key, or regenerate it from your SSH key
    ssh-to-age -private-key -i ~/.ssh/id_ed25519 | install -D -m 400 /dev/stdin ~/.config/sops/age/keys.txt
    

Deploy Configuration

  • Make sure you commit back to git!
    home-manager switch --flake ~/src/home-manager#<config-name> --extra-experimental-features "nix-command flakes"