nixcfg/hosts/README.md

97 lines
4.3 KiB
Markdown
Raw Permalink Normal View History

2024-07-20 20:35:01 -04:00
# Hosts
2024-08-05 16:49:34 -04:00
## Overview
Host-specific configuration + common modules that aren't better expressed as options & flake outputs. All hosts are configured with [agenix](https://github.com/ryantm/agenix), [disko](https://github.com/nix-community/disko), and [nixhw](https://github.com/alyraffauf/nixhw).
## Automatic Updates
These hosts update themselves automatically, once a day, by rebuilding directly from one of this repository's branches, typically master.
2024-08-05 16:49:34 -04:00
## Declarative WiFi Connections
WiFi networks can be configured declaratiely in `wifi.nix` using `config.networking.networkmanager.ensureProfiles.profiles`, provided by nixpkgs. I also provide helper functions for common wifi security types.
[nm2nix](https://github.com/janik-haag/nm2nix) can generate nix code for all WiFi networks currently configured in `/etc/NetworkManager/system-connections/` and `/run/NetworkManager/system-connections` with the following command:
```bash
sudo su -c "cd /etc/NetworkManager/system-connections && nix --extra-experimental-features 'nix-command flakes' run github:Janik-Haag/nm2nix | nix --extra-experimental-features 'nix-command flakes' run nixpkgs#nixfmt-rfc-style"
```
Secrets (passwords, certificates, and identities) are supported, but must be declared and available as variables with agenix. They will be replaced upon activation with `envsubst`.
In short,
1. Manually configure the WiFi network on one device.
1. Export configuration to nix with `nm2nix`.
1. Add secrets to `secrets/wifi.age` as variables (e.g. `MYPSK=1234567890`)
1. Edit the code generated by `nm2nix` to reference `$MYPSK` instead of directly declaring the WPA password.
1. Commit and push changes.
1. Rebuild hosts as required to propogate your new WiFi configuration.
2024-07-20 20:35:01 -04:00
## Provisioning New Devices
1. Create `hosts/$HOSTNAME/default.nix` and other host-specific nix modules (e.g. `disko.nix`,`hardware.nix`, and `home.nix`).
1. Add host to `nixosConfigurations` in `flake.nix`.
1. (OPTIONAL) Generate a `cert.pem`, `key.pem`, and device ID for Syncthing with `syncthing -generate=$HOSTNAME`. Find the device ID in the generated `config.xml` and add it to `nixosModules/services/syncthing/default.nix`, encrypt the cert and key with agenix, and set them as appropriate in the host configuration.
1. Install NixOS from this flake. Secrets will _not_ be available on first boot without a valid SSH private key.
2024-08-05 16:51:19 -04:00
1. On a separate PC, copy the new system's public SSH key (`/etc/ssh/ssh_host_ed25519_key.pub`) to the host configuration (`secrets/publicKeys/root_$HOSTNAME.pub`).
1. Add the new public key to `secrets/secrets.nix`, rekey all secrets with `agenix --rekey`, and push your changes to master.
2024-07-20 20:35:01 -04:00
1. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in `/run/agenix/` for NixOS and `$XDG_RUNTIME_DIR/agenix/` for users.
1. (OPTIONAL) Generate a new user SSH key and add it to `nixosModules/users/default.nix` in order to enable passwordless logins to other hosts.
## Secure Boot
1. Generate secure boot keys:
```bash
sudo nix run nixpkgs#sbctl create-keys
```
1. Enable lanzaboote in NixOS host configuration:
```nix
boot = {
initrd.systemd.enable = true; # For automatic decryption with TPM.
loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
```
1. In UEFI, set secure boot to "setup mode" or erase platform keys.
1. Enroll your secure boot keys:
```bash
sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
```
1. Reboot, make sure secure boot is enabled in UEFI.
1. Check secure boot status with `bootctl status`:
```bash
System:
Firmware: UEFI 2.70 (American Megatrends 5.17)
Firmware Arch: x64
Secure Boot: enabled (user)
TPM2 Support: yes
Measured UKI: yes
Boot into FW: supported
```
1. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:
```bash
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
```
Replace `/dev/nvme0n1p2` with your root partition.
Check the [Linux TPM PCR Registry](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) for more details.
2024-08-24 15:54:14 -04:00
**NOTE:** This requires a TPM2 module, devices with prior versions will not work.