nixcfg/hosts
2024-10-13 16:30:57 -04:00
..
fallarbor home: move gammastep settings to hosts 2024-09-28 19:58:05 -04:00
lavaridge lavaridge: added monitor description 2024-10-11 14:15:48 -04:00
mauville Merge branch 'master' into 24.11 2024-10-08 11:29:30 -04:00
pacifidlog pacifidlog: add hdd-decky 2024-10-13 16:30:57 -04:00
petalburg accidentally changed petalburg :\ 2024-10-13 16:02:02 -04:00
rustboro rustboro: hyprland by default 2024-10-06 18:44:14 -04:00
slateport Merge remote-tracking branch 'origin/master' into 24.11 2024-10-07 19:10:33 -04:00
README.md hosts: update README.md 2024-08-24 15:54:14 -04:00

Hosts

Overview

Host-specific configuration + common modules that aren't better expressed as options & flake outputs. All hosts are configured with agenix, disko, and nixhw.

Automatic Updates

These hosts update themselves automatically, once a day, by rebuilding from one of two sources: directly from this repository's master branch or from FlakeHub. This can be adjusted by overriding the value of config.environment.variables.FLAKE.

FlakeHub allows semantic versioning, which means that these hosts build from the lattest tag published to FlakeHub with format v0.0.0. I try to follow the semantic versioning 2.0 standard, though this may not always be the case.

You can access the latest tagged commit from this repository with this url: https://flakehub.com/f/alyraffauf/nixcfg/*.tar.gz.

Declarative WiFi Connections

WiFi networks can be configured declaratiely in wifi.nix using config.networking.networkmanager.ensureProfiles.profiles, provided by nixpkgs. I also provide helper functions for common wifi security types.

nm2nix can generate nix code for all WiFi networks currently configured in /etc/NetworkManager/system-connections/ and /run/NetworkManager/system-connections with the following command:

sudo su -c "cd /etc/NetworkManager/system-connections && nix --extra-experimental-features 'nix-command flakes' run github:Janik-Haag/nm2nix | nix --extra-experimental-features 'nix-command flakes' run nixpkgs#nixfmt-rfc-style"

Secrets (passwords, certificates, and identities) are supported, but must be declared and available as variables with agenix. They will be replaced upon activation with envsubst.

In short,

  1. Manually configure the WiFi network on one device.
  2. Export configuration to nix with nm2nix.
  3. Add secrets to secrets/wifi.age as variables (e.g. MYPSK=1234567890)
  4. Edit the code generated by nm2nix to reference $MYPSK instead of directly declaring the WPA password.
  5. Commit and push changes.
  6. Rebuild hosts as required to propogate your new WiFi configuration.

Provisioning New Devices

  1. Create hosts/$HOSTNAME/default.nix and other host-specific nix modules (e.g. disko.nix,hardware.nix, and home.nix).
  2. Add host to nixosConfigurations in flake.nix.
  3. (OPTIONAL) Generate a cert.pem, key.pem, and device ID for Syncthing with syncthing -generate=$HOSTNAME. Find the device ID in the generated config.xml and add it to nixosModules/services/syncthing/default.nix, encrypt the cert and key with agenix, and set them as appropriate in the host configuration.
  4. Install NixOS from this flake. Secrets will not be available on first boot without a valid SSH private key.
  5. On a separate PC, copy the new system's public SSH key (/etc/ssh/ssh_host_ed25519_key.pub) to the host configuration (secrets/publicKeys/root_$HOSTNAME.pub).
  6. Add the new public key to secrets/secrets.nix, rekey all secrets with agenix --rekey, and push your changes to master.
  7. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in /run/agenix/ for NixOS and $XDG_RUNTIME_DIR/agenix/ for users.
  8. (OPTIONAL) Generate a new user SSH key and add it to nixosModules/users/default.nix in order to enable passwordless logins to other hosts.

Secure Boot

  1. Generate secure boot keys:

    sudo nix run nixpkgs#sbctl create-keys
    
  2. Enable lanzaboote in NixOS host configuration:

    boot = {
      initrd.systemd.enable = true; # For automatic decryption with TPM.
      loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
    
      lanzaboote = {
        enable = true;
        pkiBundle = "/etc/secureboot";
      };
    };
    
  3. In UEFI, set secure boot to "setup mode" or erase platform keys.

  4. Enroll your secure boot keys:

    sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
    
  5. Reboot, make sure secure boot is enabled in UEFI.

  6. Check secure boot status with bootctl status:

    System:
          Firmware: UEFI 2.70 (American Megatrends 5.17)
    Firmware Arch: x64
      Secure Boot: enabled (user)
      TPM2 Support: yes
      Measured UKI: yes
      Boot into FW: supported
    
  7. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:

    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
    

    Replace /dev/nvme0n1p2 with your root partition. Check the Linux TPM PCR Registry for more details.

    NOTE: This requires a TPM2 module, devices with prior versions will not work.