nixcfg/hosts
2024-12-05 08:08:36 -05:00
..
fallarbor flake: update inputs (#187) 2024-12-01 12:53:28 -05:00
lavaridge lavaridge: disable sway 2024-12-05 08:08:36 -05:00
mauville mauville: remove custom zram memoryPercent 2024-12-03 15:31:16 -05:00
pacifidlog pacifidlog: disable jovian default steamOSConfig 2024-12-03 15:52:38 -05:00
petalburg flake: update inputs (#187) 2024-12-01 12:53:28 -05:00
rustboro rustboro: use lz4 for zram, limit to 50% 2024-12-03 15:31:16 -05:00
slateport slateport: use default zram size in hw/common 2024-12-03 15:31:16 -05:00
README.md hosts: remove flakehub references from README 2024-11-24 20:38:25 -05:00

Hosts

Overview

Host-specific configuration + common modules that aren't better expressed as options & flake outputs. All hosts are configured with agenix, disko, and nixhw.

Automatic Updates

These hosts update themselves automatically, once a day, by rebuilding directly from one of this repository's branches, typically master.

Declarative WiFi Connections

WiFi networks can be configured declaratiely in wifi.nix using config.networking.networkmanager.ensureProfiles.profiles, provided by nixpkgs. I also provide helper functions for common wifi security types.

nm2nix can generate nix code for all WiFi networks currently configured in /etc/NetworkManager/system-connections/ and /run/NetworkManager/system-connections with the following command:

sudo su -c "cd /etc/NetworkManager/system-connections && nix --extra-experimental-features 'nix-command flakes' run github:Janik-Haag/nm2nix | nix --extra-experimental-features 'nix-command flakes' run nixpkgs#nixfmt-rfc-style"

Secrets (passwords, certificates, and identities) are supported, but must be declared and available as variables with agenix. They will be replaced upon activation with envsubst.

In short,

  1. Manually configure the WiFi network on one device.
  2. Export configuration to nix with nm2nix.
  3. Add secrets to secrets/wifi.age as variables (e.g. MYPSK=1234567890)
  4. Edit the code generated by nm2nix to reference $MYPSK instead of directly declaring the WPA password.
  5. Commit and push changes.
  6. Rebuild hosts as required to propogate your new WiFi configuration.

Provisioning New Devices

  1. Create hosts/$HOSTNAME/default.nix and other host-specific nix modules (e.g. disko.nix,hardware.nix, and home.nix).
  2. Add host to nixosConfigurations in flake.nix.
  3. (OPTIONAL) Generate a cert.pem, key.pem, and device ID for Syncthing with syncthing -generate=$HOSTNAME. Find the device ID in the generated config.xml and add it to nixosModules/services/syncthing/default.nix, encrypt the cert and key with agenix, and set them as appropriate in the host configuration.
  4. Install NixOS from this flake. Secrets will not be available on first boot without a valid SSH private key.
  5. On a separate PC, copy the new system's public SSH key (/etc/ssh/ssh_host_ed25519_key.pub) to the host configuration (secrets/publicKeys/root_$HOSTNAME.pub).
  6. Add the new public key to secrets/secrets.nix, rekey all secrets with agenix --rekey, and push your changes to master.
  7. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in /run/agenix/ for NixOS and $XDG_RUNTIME_DIR/agenix/ for users.
  8. (OPTIONAL) Generate a new user SSH key and add it to nixosModules/users/default.nix in order to enable passwordless logins to other hosts.

Secure Boot

  1. Generate secure boot keys:

    sudo nix run nixpkgs#sbctl create-keys
    
  2. Enable lanzaboote in NixOS host configuration:

    boot = {
      initrd.systemd.enable = true; # For automatic decryption with TPM.
      loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
    
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };
    
  3. In UEFI, set secure boot to "setup mode" or erase platform keys.

  4. Enroll your secure boot keys:

    sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
    
  5. Reboot, make sure secure boot is enabled in UEFI.

  6. Check secure boot status with bootctl status:

    System:
          Firmware: UEFI 2.70 (American Megatrends 5.17)
    Firmware Arch: x64
      Secure Boot: enabled (user)
      TPM2 Support: yes
      Measured UKI: yes
      Boot into FW: supported
    
  7. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:

    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
    

    Replace /dev/nvme0n1p2 with your root partition. Check the Linux TPM PCR Registry for more details.

    NOTE: This requires a TPM2 module, devices with prior versions will not work.