nixos-config

No description

Find a file

Jeffrey Phillips Freeman 14b6075110 Added asus-inux		2024-01-11 21:54:31 -05:00
config	Added asus-inux	2024-01-11 21:54:31 -05:00
pkgs	Added asus-inux	2024-01-11 21:54:31 -05:00
secrets	Added agenix	2023-03-07 14:47:18 +02:00
users	Removed old users	2023-07-19 01:50:01 -04:00
.gitattributes	Initial working version of configuration	2023-02-15 15:08:59 +02:00
.gitignore	Removing all vscode working directories	2023-02-19 12:57:33 +02:00
flake.lock	Updgraded to latest versions	2023-12-30 16:57:58 -05:00
flake.nix	Added silversin computer	2024-01-10 20:26:09 -05:00
lib.nix	Updated aliases and added an update alias	2023-02-17 23:06:18 +02:00
README.md	Made shahar the user on his computer	2023-03-26 15:23:20 +03:00

README.md

This repository contains the Nix / NixOS configuration for all of my systems.

Setup

To use this repository as base configuration for your new machine running:

NixOS Linux

Install NixOS
- Hetzner dedicated from Linux Rescue system: https://github.com/serokell/nixos-install-scripts/pull/1#pullrequestreview-746593205
- Digital Ocean: https://github.com/elitak/nixos-infect
- X1 Carbon: https://srid.ca/x1c7-install
- Windows (via WSL): https://github.com/nix-community/NixOS-WSL
Clone this repo at /etc/nixos
Edit flake.nix to use your system hostname in the nixosConfigurations set
Edit users/config.nix to contain your users
Run nix develop -c , activate. That's it. Re-open your terminal.


# Create partitions, replace 32GiB with the desired swap size
sudo parted /dev/nvme0n1 -- mklabel gpt
sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
sudo parted /dev/nvme0n1 -- mkpart primary 512MiB 100%
sudo parted /dev/nvme0n1 -- set 1 esp on

nix-shell https://gitlab.com/scentech/nixos-yubikey-luks-shell/-/archive/master/nixos-yubikey-luks-shell-master.tar.gz
#insert yubikey, replav=ce 2 with desired slot
#replace the access code below (all x) with actual 12 character long hex vale
# IMPORTANT! Before confirming save the values displayed on the screen so it can be recovered
ykpersonalize -2 -ochal-resp -ochal-hmac -ochal-btn-trig -oaccess=xxxxxxxxxxxx


# Type in desired password
read -s USER_PASSPHRASE

SALT_LENGTH=16
SALT="$(dd if=/dev/random bs=1 count=$SALT_LENGTH 2>/dev/null | rbtohex)"
CHALLENGE="$(echo -n $SALT | openssl dgst -binary -sha512 | rbtohex)"
RESPONSE=$(ykchalresp -2 -x $CHALLENGE 2>/dev/null)
KEY_LENGTH=512
ITERATIONS=1000000
LUKS_KEY="$(echo -n $USER_PASSPHRASE | pbkdf2-sha512 $(($KEY_LENGTH / 8)) $ITERATIONS $RESPONSE | rbtohex)"
CIPHER=aes-xts-plain64
HASH=sha512

echo -n "$LUKS_KEY" | hextorb > keyfile
sudo cryptsetup luksFormat --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-slot=1 --key-file=./keyfile /dev/nvme0n1p2
#Enter the master backup password when prompted
sudo cryptsetup luksAddKey --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-slot=2 --key-file=./keyfile /dev/nvme0n1p2
rm keyfile

sudo mkdir /boot
sudo mount /dev/nvme0n1p1 /boot
sudo mkdir -p /boot/crypt-storage
sudo sh -c "echo -ne \"$SALT\n$ITERATIONS\" > /boot/crypt-storage/default"
sudo umount /boot
sudo rm -rf /boot

echo -n "$LUKS_KEY" | hextorb | sudo cryptsetup open /dev/nvme0n1p2 pv_main --key-file=-

sudo pvcreate /dev/mapper/pv_main
sudo vgcreate vg_main /dev/mapper/pv_main
#select swap size
sudo lvcreate -L 32G -n swap vg_main
sudo lvcreate -l 100%FREE -n root vg_main
sudo vgchange -ay

sudo mkswap -L swap /dev/mapper/vg_main-swap
sudo mkfs.btrfs -L root /dev/mapper/vg_main-root

sudo mount /dev/mapper/vg_main-root /mnt
cd /mnt
sudo btrfs subvolume create root
sudo btrfs subvolume create home
cd ~
sudo umount /mnt
sudo mount -o subvol=root /dev/mapper/vg_main-root /mnt
sudo mkdir /mnt/home
sudo mount -o subvol=home /dev/mapper/vg_main-root /mnt/home
sudo mkdir -p /mnt/boot/efi
sudo mount /dev/nvme0n1p1 /mnt/boot/efi
sudo swapon /dev/mapper/vg_main-swap

sudo nixos-generate-config --dir ~ --root /mnt
sudo mkdir /mnt/etc
cd /mnt/etc
sudo git clone https://gitlab.com/scentech/nixos-config/ /mnt/etc/nixos

At this point in /mnt/etc/nixos you want to create a config for the new machine under the config sub directory. Incorporate the hardware-configuration.nix file that was generated into the new setup. Add the new host in flake.nix. Make sure you commit to the repo so it detects new files.

Edit /mnt/etc/nixos/users/all_users.nix add the user, make sure you add a hashed password and any public ssh keys.

Make a myself config in users/myself/<username> and add this as an import in the config for the host.

To create a hashed password from plain text:

mkpasswd

Make the user's computer have a static ip in our dhcp server and then update the hosts file to add the new computer at /mnt/etc/nixos/pkgs/hardware/common/hosts/default.nix.

Change hostname to new hostname then install.

HOSTNAME="foo" sudo nixos-install -v --flake /mnt/etc/nixos#foo

More info on using yubikey to encrypt drives: https://github.com/sgillespie/nixos-yubikey-luks

To create pgp key for the user:

https://keys.openpgp.org/vks/v1/by-fingerprint/3C1EA4C0A376F880280D3C1B15ABBB20ED615997


To create pgp key for the user:
```bash
# Generate key
gpg --expert --full-gen-key

# execute tsign at the prompt and save when done, pick a depth of 1
gpg --expert --ask-cert-level --edit-key <user>@scentech-medical.com -u security@scentech-medical.com

# Sign both direction
gpg --expert --ask-cert-level -u <user>@scentech-medical.com --edit-key security@scentech-medical.com

#send both keys to key server, remember to verify your email
gpg --keyserver keys.openpgp.org --send-keys <New key fingerprint>
gpg --keyserver keys.openpgp.org --send-keys <Company key fingerprint>

Next add the users key as a proof to the DNS server's registry as a TXT record. The format should be <email username>.u.scentech-medical.com with the domain being left off. The value should be openpgp4fpr:<key fingerprint>

Next add it as a notation on the uid. Edit the key in gpg and select the uid with the uid command. Then use the notation command to add a notation. You then add a notation of the format proof@ariadne.id=dns:<email username>.u.scentech-medical.com?type=TXT.

Verify the proof shows on keyoxide: https://keyoxide.org/<fingerprint>

Architecture

Start from flake.nix (see Flakes). flake-parts is used as the module system.

Directory layout

home: home-manager config (shared between Linux and macOS)
nixos: nixos modules for Linux
nix-darwin: nix-darwin modules for macOS
users: user information
secrets: agenix secrets (encrypted using ssh keys)
systems: top-level configuration.nix('ish) for various systems

Important files

home/default.nix: This defines all the packages/modules applied to all users in home-manager.
hardware/common/users/main_user/default.nix: Sets up the main user for all systems. This is where the home-manager controlled packages that apply to all local main users can be defined. For per-user packages see below.
hardware/common/users/admin_user/default.nix: Sets up the admin user for all systems. This is where the home-manager controlled packages that apply to the remote admin user can be defined. For per-user packages see below.
hardware/common/core_packages/default.nix: Installs core packages required on a minimal system. This is typically utilities that dont require configuration.
hardware/systems/*/default.nix: Configuration for specific machines. This is where you define hardware-specific needs that apply to a specific computer.
nixos/default.nix: System-wide imports are defined here. This is where packages installed system wide should be defined that apply to all systems.
nixos/hosts/default.nix: This is the shared hosts file, every machine in the company should have an entry here and dhcp should be configured to give a static ip.
users/all_users.json: This file defines all users across the whole company as well as their ssh-keys and other important information.
users/myself/: Each user that owns a physical machine should have a directory here, this is then included in the flake.nix file for each host. This is how the host knows who the main user for a computer is.
users/myself/*/packages/default.nix: This is where user specific packages, under home-manager, are defined.
flake.nix: The root configuration where everything starts. There is an entry for each physical computer here (keyed by hostname). You can also define machine-specific imports here, particularly if they arent specific to the hardware.

Tips

Run , in nix develop shell (tip: direnv is better) to see available scripts.
- (, is provided by the mission-control module)

To update NixOS (and other inputs) run nix flake update

You may also update a subset of inputs, e.g.

nix flake lock --update-input nixpkgs --update-input darwin --update-input home-manager
# Also, in the dev shell: , update-primary

To free up disk space,

sudo nix-env -p /nix/var/nix/profiles/system --delete-generations +2
sudo nixos-rebuild boot

To autoformat the project tree using nixpkgs-fmt, run nix fmt.