This is my nixos config. It's intended for the use of 2 main devices and one raspberry pi 5. Support for kubernetes and multiple raspis is planned in near future.
-
hosts
contain a basic setup for each host (e.g. notebook, pc, etc.)
the goal is to keep those configurations at a bare minimum and import everything thats needed from other modules -
modules
contain a basic setup for application and their configurations- home
contains setup for home-manager specific stuff
- home
As this configuration utilizes flakes it is fairly simple to install and setup.
- Clone this repo
git clone https://github.com/yolofanhd/nixos-config
cd nixos-configNote
Optional: If you just want everything to work right away I would suggest to also
git checkout stable. This branch is updated less frequently and is checked a lot
better. The main branch is used as the dev branch and can sometimes be unstable due
to dependency updates or breaking changes for multiple hosts, which often wouldn't
be noticed right away.
- Copy the
.env.sampleand adjust the host according toflake.nix.
cp .env.sample .env
vi .env- Check if
/etc/nixos/hardware-configuration.nixis present. If not run:
nixos-generate-config- Rebuild the system
just rebuildThe following two commands are used to update 1. the nix flake and 2. the system.
sudo nix flake update
sudo nixos-rebuild switch --flake './#<host-name>'Normally there should be no need to update this flake manually as the update process is pretty much automated.
For more information look at: NixOS docs
Agenix is used as the secret manager. You can add any ssh key to /secrets/secrets.nix add the file you want to add to the list and run
cd ./secrets
agenix -e <filename>Then the secrets can be decrypted when rebuilding using the modules/agenix.nix file where you specify location and access rules for your file.
There already is a great documentation here.
None the less a quick guide:
Requirements are only needed for this guide, the process can be probably highly optimised but I found this one the easiest approach
- Rpi5 (with peripherals (e.g. display and keyboard))
- SD card
- USB stick
- another machine
- Create a gpt partition table
- Create an efi (fat32) partition
- Create a linux partition for nixos (could be done within the nixos installation step)
- Format the partitions
- fat32 for boot partition
- ext4 for linux partition
- Mount the boot partition
- Look at this repo and get the latest release
- Copy the 3 files from the release into the boot partition
- (Optional) Adjust the config.txt if needed
- Insert the sd card into the raspi and check if the uefi menu shows up correctly (might need to hit esc)
- Get the lates release or look at this guide
- Plug in the usb
- Flash the iso onto the usb stick
- Plug the installation stick into your raspi
- Boot the raspi
- (Optional) Adjust any uefi settings if needed (e.g. boot order)
- Launch nixos installation
Once this stage is reached you might also continue with the normal installation instructions. Allthough there are a few options that have to be set:
boot.loader.efi.canTouchEfiVariables = false;
boot.kernelPackages = (import (builtins.fetchTarball https://gitlab.com/vriska/nix-rpi5/-/archive/main.tar.gz)).legacyPackages.aarch64-linux.linuxPackages_rpi5;the second setting can also be implemented by using the flake directly like this config does.
When everything is in place hit nixos-install! Note: This might take a while
This is really important in order to be able to boot nixos.
- Open up the uefi by hitting esc.
- Go into Device Manager -> Raspberry Pi Configuration -> ACPI / Device Tree -> System Table Mode
- Change it from ACPI to Device Tree Once thats done, feel free to boot nixos!
After everything works and is correctly set up you might also revisit some guides and configs to ensure
that everything is set up as it should be. For example you might want to set force_turbo=1 to 0
in the /boot/config.txt file.
Secure is still experimental, but I found it to work quite well. Here is a step by step introction:
sudo sbctl create-keys- Add lanzaboote to the nix config. (example in boot.nix)
sudo sbctl verifyand verify that the boot entries which are relevant are signed.- Reboot into your UEFI/BIOS and enable SecureBoot and enable Boot Setup mode
- Boot the system and enroll the keys
sudo sbctl enroll-keys --microsoft - Reboot the system (Boot Setup mode should be automagically disabled)
- Check if everything is correctly setup with
bootctl status
Check out these 2 guides: NixOS Wiki, NixOS with encrypted root\
A quick summary:
- Get your nixos usb stick and boot up the installation media
- Create the encrypted partition using
cryptsetup luksFormat /dev/sda2and open it withcryptsetup luksOpen /dev/sda2 enc-pv - Create logical volumes on the created partition
pvcreate /dev/mapper/enc-pvvgcreate vg /dev/mapper/enc-pv- Create swap
lvcreate -L 8G -n swap vg - Create root
lvcreate -l '100%FREE' -n root vg
- Format the partitions
mkfs.fat /dev/sda1- Format encrypted root volume
mkfs.ext4 -L root /dev/vg/root - Format encrypted swap volume
mkswap -L swap /dev/vg/swap
- Mount the volumes
mount /dev/vg/root /mntmkdir /mnt/bootmount /dev/sda1 /mnt/bootswapon /dev/vg/swap
- Proceed with the usual installation
Note
Keep in mind when troubleshooting that the luks device needs to be open.
Once created it can be opened with the second command mentioned in step 2.
When working with the volumes keep in mind that the name doesn't match with the
physical partition name, so just be sure to always use the provided name from
the mapper!
There also is another setting for encrypted devices in the boot.nix
file. It just ensures that the device is used and can safely be ignored due to automatic
generation. (e.g. the same setting is set anyway in hardware-configuration.nix)
This repository uses convetional commits.
Just feel free to leave a PR and I might merge it! :D