# Hosts

## Overview

Host-specific configuration + common modules that aren't better expressed as options & flake outputs. All hosts are configured with [agenix](https://github.com/ryantm/agenix), [disko](https://github.com/nix-community/disko), and [nixhw](https://github.com/alyraffauf/nixhw).

## Automatic Updates

These hosts update themselves automatically, once a day, by rebuilding from one of two sources: directly from this repository's master branch or from [FlakeHub](https://flakehub.com/). This can be adjusted by overriding the value of `config.environment.variables.FLAKE`.

FlakeHub allows [semantic versioning](https://flakehub.com/docs/features/semver), which means that these hosts build from the lattest tag published to FlakeHub with format `v0.0.0`. I try to follow the [semantic versioning 2.0](https://github.com/semver/semver/blob/master/semver.md) standard, though this may not always be the case.

You can access the latest tagged commit from this repository with this url: [https://flakehub.com/f/alyraffauf/nixcfg/\*.tar.gz](https://flakehub.com/f/alyraffauf/nixcfg/*.tar.gz).

## Declarative WiFi Connections

WiFi networks can be configured declaratiely in `wifi.nix` using `config.networking.networkmanager.ensureProfiles.profiles`, provided by nixpkgs. I also provide helper functions for common wifi security types.

[nm2nix](https://github.com/janik-haag/nm2nix) can generate nix code for all WiFi networks currently configured in `/etc/NetworkManager/system-connections/` and `/run/NetworkManager/system-connections` with the following command:

```bash
sudo su -c "cd /etc/NetworkManager/system-connections && nix --extra-experimental-features 'nix-command flakes' run github:Janik-Haag/nm2nix | nix --extra-experimental-features 'nix-command flakes' run nixpkgs#nixfmt-rfc-style"
```

Secrets (passwords, certificates, and identities) are supported, but must be declared and available as variables with agenix. They will be replaced upon activation with `envsubst`.

In short,

1. Manually configure the WiFi network on one device.
1. Export configuration to nix with `nm2nix`.
1. Add secrets to `secrets/wifi.age` as variables (e.g. `MYPSK=1234567890`)
1. Edit the code generated by `nm2nix` to reference `$MYPSK` instead of directly declaring the WPA password.
1. Commit and push changes.
1. Rebuild hosts as required to propogate your new WiFi configuration.

## Provisioning New Devices

1. Create `hosts/$HOSTNAME/default.nix` and other host-specific nix modules (e.g. `disko.nix`,`hardware.nix`, and `home.nix`).
1. Add host to `nixosConfigurations` in `flake.nix`.
1. (OPTIONAL) Generate a `cert.pem`, `key.pem`, and device ID for Syncthing with `syncthing -generate=$HOSTNAME`. Find the device ID in the generated `config.xml` and add it to `nixosModules/services/syncthing/default.nix`, encrypt the cert and key with agenix, and set them as appropriate in the host configuration.
1. Install NixOS from this flake. Secrets will _not_ be available on first boot without a valid SSH private key.
1. On a separate PC, copy the new system's public SSH key (`/etc/ssh/ssh_host_ed25519_key.pub`) to the host configuration (`secrets/publicKeys/root_$HOSTNAME.pub`).
1. Add the new public key to `secrets/secrets.nix`, rekey all secrets with `agenix --rekey`, and push your changes to master.
1. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in `/run/agenix/` for NixOS and `$XDG_RUNTIME_DIR/agenix/` for users.
1. (OPTIONAL) Generate a new user SSH key and add it to `nixosModules/users/default.nix` in order to enable passwordless logins to other hosts.

## Secure Boot

1. Generate secure boot keys:

   ```bash
   sudo nix run nixpkgs#sbctl create-keys
   ```

1. Enable lanzaboote in NixOS host configuration:

   ```nix
   boot = {
     initrd.systemd.enable = true; # For automatic decryption with TPM.
     loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.

     lanzaboote = {
       enable = true;
       pkiBundle = "/etc/secureboot";
     };
   };
   ```

1. In UEFI, set secure boot to "setup mode" or erase platform keys.

1. Enroll your secure boot keys:

   ```bash
   sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
   ```

1. Reboot,  make sure secure boot is enabled in UEFI.

1. Check secure boot status with `bootctl status`:

   ```bash
   System:
         Firmware: UEFI 2.70 (American Megatrends 5.17)
   Firmware Arch: x64
     Secure Boot: enabled (user)
     TPM2 Support: yes
     Measured UKI: yes
     Boot into FW: supported
   ```

1. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:

   ```bash
   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
   ```

   Replace `/dev/nvme0n1p2` with your root partition.
   Check the [Linux TPM PCR Registry](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) for more details.