General: finish disk partitioning script; add filesystem LUKS assertion
This commit is contained in:
parent
1d93917d7b
commit
ef8c268341
50
README.md
50
README.md
|
@ -1,6 +1,6 @@
|
||||||
# NixOS Configuration
|
# NixOS Configuration
|
||||||
|
|
||||||
A full set of configuration files managed via NixOS. This project is an extension of the [Auxolotl system template](https://git.auxolotl.org/auxolotl/templates).
|
A full set of configuration files managed via NixOS. This project is an **unofficial** extension of the [Auxolotl system template](https://git.auxolotl.org/auxolotl/templates).
|
||||||
|
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> DO NOT DOWNLOAD AND RUN `nixos-rebuild` ON THIS REPOSITORY! These are my personal configuration files. I invite you to look through them, modify them, and take inspiration from them, but if you run `nixos-rebuild`, it _will completely overwrite your current system_!
|
> DO NOT DOWNLOAD AND RUN `nixos-rebuild` ON THIS REPOSITORY! These are my personal configuration files. I invite you to look through them, modify them, and take inspiration from them, but if you run `nixos-rebuild`, it _will completely overwrite your current system_!
|
||||||
|
@ -19,27 +19,37 @@ git submodule update --init --recursive
|
||||||
|
|
||||||
### First-time installation
|
### First-time installation
|
||||||
|
|
||||||
To apply the config for the first time (e.g. on a fresh install), run these commands, replacing `Shura` with the name of the host:
|
When installing on a brand new system, use `bin/format-drives.sh` to format the main drive with an unencrypted boot partition and a LUKS-encrypted BTRFS partition. This also creates a `hardware-configuration.nix` file.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
./bin/format-drives.sh --boot /dev/nvme0n1p1 --luks /dev/nvme0n1p2
|
||||||
|
```
|
||||||
|
|
||||||
|
Next, set up the host's config under in the `hosts` folder by copying `configuration.nix.template` and `hardware-configuration.nix.template` into a new folder.
|
||||||
|
|
||||||
|
Then, add the host to `flake.nix` under the `nixosConfigurations` section.
|
||||||
|
|
||||||
|
Finally, run `nixos-rebuild`, replacing `host` with the name of the host:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
nix flake update
|
nix flake update
|
||||||
sudo nixos-rebuild switch --flake .#Shura
|
sudo nixos-rebuild boot --flake .#host
|
||||||
```
|
```
|
||||||
|
|
||||||
`nix flake update` updates the `flake.lock` file, which pins repositories to specific versions. Nix will then pull down any derivations it needs to meet the version.
|
`nix flake update` updates the `flake.lock` file, which pins repositories to specific versions. Nix will then pull down any derivations it needs to meet the version.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!TIP]
|
||||||
> This config installs a [Nix wrapper called nh](https://github.com/viperML/nh). Basic install/upgrade commands can be run using `nh`, but more advanced stuff should use `nixos-rebuild`.
|
> This config installs a [Nix wrapper called nh](https://github.com/viperML/nh). Basic install/upgrade commands can be run using `nh`, but more advanced stuff should use `nixos-rebuild`.
|
||||||
|
|
||||||
### Running updates
|
### Running updates
|
||||||
|
|
||||||
All hosts are configured to run automatic daily updates (see `modules/system/system.nix`). You can disable this by adding `aux.system.services.autoUpgrade = false;` to a hosts config.
|
All hosts are configured to run automatic daily updates (see `modules/system/system.nix`). You can disable this by adding `aux.system.services.autoUpgrade = false;` to a host's config.
|
||||||
|
|
||||||
Automatic updates work by `git pull`ing the latest version of the Repo from Forgejo. This repo gets updated nightly by Haven, which updates the `flake.lock` file and pushes it back up to Forgejo. Only one host needs to do this, and you can enable this feature on a host using `aux.system.services.autoUpgrade.pushUpdates = true;`.
|
Automatic updates work by `git pull`ing the latest version of the repo from Forgejo. This repo gets updated nightly by [`Haven`](./hosts/Haven), which updates the `flake.lock` file and pushes it back up to Forgejo. Only one host needs to do this, and you can enable this feature on a host using `aux.system.services.autoUpgrade.pushUpdates = true;`.
|
||||||
|
|
||||||
#### Manually updating
|
#### Manually updating
|
||||||
|
|
||||||
Run `nh` to update the system. Use the `--update` flag to update `flake.lock` as part of the process. Note that for subsequent builds, you can omit the hostname:
|
Run `nh` to update the system. Use the `--update` flag to update `flake.lock` as part of the process. After the first build, you can omit the hostname:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
nh os boot --update
|
nh os boot --update
|
||||||
|
@ -110,27 +120,16 @@ nixos-rebuild build-vm --flake .
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Running the VM also creates a `.qcow2` file for data persistence. Remove this file after a while, otherwise data might persist between builds and muck things up.
|
> Running the VM also creates a `.qcow2` file for data persistence. Remove this file after a while, otherwise data might persist between builds and muck things up.
|
||||||
|
|
||||||
### Adding a host
|
|
||||||
|
|
||||||
To add a new host:
|
|
||||||
|
|
||||||
1. Create a new folder in `hosts/`.
|
|
||||||
2. Copy `hosts/configuration.nix.template` into this folder and name it `default.nix`.
|
|
||||||
3. Run `nixos-hardware-configuration` on the host and copy its `hardware-configuration.nix` file here. You might also want to check the `configuration.nix` generated by this command to see if there's anything you should import into your host's `default.nix`.
|
|
||||||
4. Configure `/hosts/<host>/default.nix` however you'd like.
|
|
||||||
5. Add the new host to `flake.nix`.
|
|
||||||
5. Run `nix flake update` and `nixos-rebuild boot --flake .#<Hostname>`.
|
|
||||||
|
|
||||||
## About this repository
|
## About this repository
|
||||||
|
|
||||||
### Layout
|
### Layout
|
||||||
|
|
||||||
This config uses two main systems: Flakes, and Home-manager.
|
This config uses a custom templating system built off of the [Auxolotl system templates](https://git.auxolotl.org/auxolotl/templates).
|
||||||
|
|
||||||
- Flakes are the entrypoint, via `flake.nix`. This is where Flake inputs and Flake-specific options get defined.
|
- Flakes are the entrypoint, via `flake.nix`. This is where Flake inputs and Flake-specific options get defined.
|
||||||
- Home-manager configs live in the `users/` folders.
|
- Hosts are defined in the `hosts` folder.
|
||||||
- Modules are stored in `modules`. All of these files are automatically imported (except home-manager modules); you simply enable the ones you want to use, and disable the ones you don't. For example, to install Flatpak, set `aux.system.ui.flatpak.enable = true;`.
|
- Modules are defined in `modules`. All of these files are automatically imported (except home-manager modules). You simply enable the ones you want to use, and disable the ones you don't. For example, to install Flatpak support, set `aux.system.ui.flatpak.enable = true;`.
|
||||||
- After adding a new module, make sure to `git add` it before running `nixos-rebuild`.
|
- After adding a new module, make sure to `git add` it before running `nixos-rebuild`.
|
||||||
|
- Home-manager configs live in the `users/` folders.
|
||||||
|
|
||||||
### Features
|
### Features
|
||||||
|
|
||||||
|
@ -140,11 +139,10 @@ This Nix config features:
|
||||||
- Home Manager
|
- Home Manager
|
||||||
- Automatic daily updates
|
- Automatic daily updates
|
||||||
- AMD, Intel, and Raspberry Pi (ARM64) hardware configurations
|
- AMD, Intel, and Raspberry Pi (ARM64) hardware configurations
|
||||||
- Workstation and server base system configurations
|
- Support for various GUIs and desktop environments including Gnome, KDE, XFCE, and Hyprland
|
||||||
- GNOME desktop environment with KDE integrations
|
|
||||||
- Boot splash screens via Plymouth
|
- Boot splash screens via Plymouth
|
||||||
- Secure Boot and TPM
|
- Secure Boot support via Lanzaboote
|
||||||
- Disk encryption via LUKS
|
- Disk encryption via LUKS with TPM auto-unlocking
|
||||||
- Custom packages and systemd services
|
- Custom packages and systemd services
|
||||||
- Flatpaks
|
- Flatpaks
|
||||||
- Default ZSH shell using Oh My ZSH
|
- Default ZSH shell using Oh My ZSH
|
||||||
|
|
81
bin/format-drives.sh
Executable file
81
bin/format-drives.sh
Executable file
|
@ -0,0 +1,81 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# Script to setup a drive for a brand new NixOS installation.
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Configuration parameters
|
||||||
|
ask_root_password=false # Whether to prompt for a root user password
|
||||||
|
boot_partition="" # The drive to install the bootloader to
|
||||||
|
luks_partition="" # The drive partition to create the LUKS container on
|
||||||
|
root_partition="/dev/mapper/nixos-crypt" # The partition to install NixOS to
|
||||||
|
|
||||||
|
function usage() {
|
||||||
|
echo "Usage: format-drives.sh [--boot boot-partition-path] [--luks luks-partition-path] [--ask-root-password]"
|
||||||
|
echo "Options:"
|
||||||
|
echo " -h | --help Show this help screen."
|
||||||
|
echo " -b | --boot <path> The path to the boot drive (e.g. /dev/nvme0n1p1)."
|
||||||
|
echo " -l | --luks <path> The path to the partition to create the LUKS container on (e.g. /dev/nvme0n1p2)."
|
||||||
|
echo " -a | --ask-root-password Sets a password for the root user account."
|
||||||
|
exit 2
|
||||||
|
}
|
||||||
|
|
||||||
|
while [[ $# -gt 0 ]]; do
|
||||||
|
case "$1" in
|
||||||
|
--ask-root-password|-a)
|
||||||
|
ask_root_password=true
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--boot|-b)
|
||||||
|
boot_partition=$1
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--luks|-l)
|
||||||
|
luks_partition=1
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--help|-h)
|
||||||
|
usage
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "$(id -u)" != "0" ]; then
|
||||||
|
echo "This script must be run as root" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
cryptsetup --label=nixos-crypt --type=luks2 luksFormat $luks_partition
|
||||||
|
cryptsetup luksOpen $luks_partition nixos-crypt
|
||||||
|
mkfs.btrfs -L nixos $root_partition
|
||||||
|
mount /dev/mapper/nixos-crypt /mnt
|
||||||
|
btrfs subvolume create /mnt/@
|
||||||
|
btrfs subvolume create /mnt/@home
|
||||||
|
btrfs subvolume create /mnt/@log
|
||||||
|
btrfs subvolume create /mnt/@nix
|
||||||
|
btrfs subvolume create /mnt/@swap
|
||||||
|
umount /mnt
|
||||||
|
|
||||||
|
mount -o subvol=@ $root_partition /mnt
|
||||||
|
mkdir -p /mnt/{boot,home,var/log,nix,swap}
|
||||||
|
mount $boot_partition /mnt/boot
|
||||||
|
mount -o subvol=@home $root_partition /mnt/home
|
||||||
|
mount -o subvol=@log $root_partition /mnt/var/log
|
||||||
|
mount -o subvol=@nix $root_partition /mnt/nix
|
||||||
|
mount -o subvol=@swap $root_partition /mnt/swap
|
||||||
|
echo "Disks partitioned and mounted to /mnt."
|
||||||
|
|
||||||
|
# Generate hardware-configuration.nix
|
||||||
|
nixos-generate-config --no-filesystems --dir /home/nixos
|
||||||
|
echo "Configuration files generated and saved to /home/nixos."
|
||||||
|
|
||||||
|
echo "Setup complete!"
|
||||||
|
echo "To install, set up your system's configuration files under ./hosts/yourHost and add it to flake.nix."
|
||||||
|
echo "Then, run the following command:"
|
||||||
|
echo "nixos-install --verbose --root /mnt --flake [path-to-flake.nix] $( (( ask_root_password == false )) && echo "--no-root-password" )"
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
|
@ -1,50 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
# Script to install a brand new NixOS installation.
|
|
||||||
# Formats the drive provided, then runs nixos-install.
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# Configuration parameters
|
|
||||||
ask_root_password=true # Prompt for a root user password
|
|
||||||
flakeDir="." # Where the flake.nix file is stored
|
|
||||||
boot_drive="/dev/disk/by-uuid/B2D7-96C3" # The drive to install the bootloader to
|
|
||||||
luks_drive="/dev/nvme0n1p2"
|
|
||||||
root_drive="/dev/mapper/nixos-crypt" # The partition to install NixOS to
|
|
||||||
|
|
||||||
if [ "$(id -u)" != "0" ]; then
|
|
||||||
echo "This script must be run as root" 1>&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# FIXME: Need to get the UUID from the newly-created LUKS partition, then use it going forward.
|
|
||||||
cryptsetup --label=nixos-crypt --type=luks2 luksFormat $root_drive
|
|
||||||
cryptsetup luksOpen $root_drive nixos-crypt
|
|
||||||
mkfs.btrfs -L nixos $root_drive
|
|
||||||
mount /dev/mapper/nixos-crypt /mnt
|
|
||||||
btrfs subvolume create /mnt/@
|
|
||||||
btrfs subvolume create /mnt/@home
|
|
||||||
btrfs subvolume create /mnt/@log
|
|
||||||
btrfs subvolume create /mnt/@nix
|
|
||||||
btrfs subvolume create /mnt/@swap
|
|
||||||
umount /mnt
|
|
||||||
|
|
||||||
mount -o subvol=@ $root_drive /mnt
|
|
||||||
mkdir -p /mnt/{boot,home,var/log,nix,swap}
|
|
||||||
mount $boot_drive /mnt/boot
|
|
||||||
mount -o subvol=@home $root_drive /mnt/home
|
|
||||||
mount -o subvol=@log $root_drive /mnt/var/log
|
|
||||||
mount -o subvol=@nix $root_drive /mnt/nix
|
|
||||||
mount -o subvol=@swap $root_drive /mnt/swap
|
|
||||||
echo "Disks partitioned and mounted to /mnt."
|
|
||||||
|
|
||||||
# Generate hardware-configuration.nix
|
|
||||||
nixos-generate-config --no-filesystems --dir /home/nixos
|
|
||||||
echo "Configuration files generated and saved to /home/nixos."
|
|
||||||
|
|
||||||
echo "Setup complete!"
|
|
||||||
echo "To install, set up your system's configuration files under ./hosts/yourHost and add it to flake.nix."
|
|
||||||
echo "Then, run the following command:"
|
|
||||||
echo "nixos-install --verbose --root /mnt --flake $flakeDir#Khanda --max-jobs 1 --cores 10 $( (( ask_root_password == false )) && echo "--no-root-password" )"
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
|
|
67
hosts/hardware-configuration.nix.template
Normal file
67
hosts/hardware-configuration.nix.template
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
# Template for setting a new host's hardware configuration
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
hostName = "myHost";
|
||||||
|
platform = "x86_64-linux";
|
||||||
|
bootUUID = "ABCD-1234"; # The UUID of the boot partition.
|
||||||
|
luksUUID = "1408f9cf-68b8-4063-b919-48edde3329a5"; # The UUID of the encrypted LUKS partition.
|
||||||
|
rootUUID = "3eab3498-9597-454a-a790-43f4c99a87cd"; # The UUID of the unlocked filesystem partition.
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||||
|
|
||||||
|
# Configure the kernel.
|
||||||
|
boot = {
|
||||||
|
# Run `nixos-generate-config --no-filesystems` to generate a baseline hardware configuration.
|
||||||
|
initrd = {
|
||||||
|
availableKernelModules = [
|
||||||
|
"nvme"
|
||||||
|
"xhci_pci"
|
||||||
|
"usbhid"
|
||||||
|
"usb_storage"
|
||||||
|
"sd_mod"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
kernelModules = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Configure the main filesystem.
|
||||||
|
aux.system.filesystem = {
|
||||||
|
btrfs = {
|
||||||
|
enable = true;
|
||||||
|
devices = {
|
||||||
|
boot = "/dev/disk/by-uuid/${bootUUID}";
|
||||||
|
btrfs = "/dev/disk/by-uuid/${rootUUID}";
|
||||||
|
};
|
||||||
|
swapFile = {
|
||||||
|
enable = true;
|
||||||
|
size = 16384; # By default, this creates a 16GB swap file. Change this to whatever you'd like.
|
||||||
|
};
|
||||||
|
};
|
||||||
|
luks = {
|
||||||
|
enable = true;
|
||||||
|
uuid = luksUUID;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
# Set the hostname.
|
||||||
|
hostName = hostName;
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault platform;
|
||||||
|
}
|
|
@ -48,12 +48,16 @@ in
|
||||||
assertions = [
|
assertions = [
|
||||||
{
|
{
|
||||||
assertion = cfg.btrfs.devices.btrfs != "";
|
assertion = cfg.btrfs.devices.btrfs != "";
|
||||||
message = "Please specify a BTRFS partition to use as a filesystem.";
|
message = "Please specify the BTRFS partition UUID to use as the filesystem.";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
assertion = cfg.btrfs.devices.boot != "";
|
assertion = cfg.btrfs.devices.boot != "";
|
||||||
message = "Please specify a boot partition to use as a filesystem.";
|
message = "Please specify the boot partition UUID.";
|
||||||
}
|
}
|
||||||
|
(lib.mkIf cfg.luks.enable {
|
||||||
|
assertion = cfg.luks.uuid != "";
|
||||||
|
message = "Please enter a valid UUID for the encrypted LUKS volume.";
|
||||||
|
})
|
||||||
];
|
];
|
||||||
boot.initrd.luks.devices = lib.mkIf cfg.luks.enable {
|
boot.initrd.luks.devices = lib.mkIf cfg.luks.enable {
|
||||||
"luks-${cfg.luks.uuid}" = {
|
"luks-${cfg.luks.uuid}" = {
|
||||||
|
|
|
@ -88,12 +88,14 @@ in
|
||||||
binfmt = true;
|
binfmt = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Install full GStreamer capabilities.
|
environment.sessionVariables = {
|
||||||
# References:
|
# Tell Electron apps that they can use Wayland
|
||||||
# https://wiki.nixos.org/wiki/GStreamer
|
NIXOS_OZONE_WL = "1";
|
||||||
# https://github.com/NixOS/nixpkgs/issues/195936
|
# Install full GStreamer capabilities.
|
||||||
environment = {
|
# References:
|
||||||
sessionVariables.GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (
|
# https://wiki.nixos.org/wiki/GStreamer
|
||||||
|
# https://github.com/NixOS/nixpkgs/issues/195936
|
||||||
|
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (
|
||||||
with pkgs.gst_all_1;
|
with pkgs.gst_all_1;
|
||||||
[
|
[
|
||||||
gstreamer
|
gstreamer
|
||||||
|
|
Loading…
Reference in a new issue