| About | Screenshot |
| --- | --- |
| This repository contains my personal NixOS configuration. Feel free to do whatever with it. | (screenshot) |
```
.
├── .gitattributes
├── .gitignore
├── README.md
├── assets ; Binary assets such as screenshots and wallpapers
│   └── ...
├── flake.lock
├── flake.nix
├── hosts ; Host configurations
│   ├── puter
│   │   ├── default.nix ; Host specific configuration options
│   │   ├── disko.nix ; Host specific partitioning layout
│   │   └── packages.nix ; Host specific package set
│   └── ...
├── install.sh
├── lib ; Custom helper functions
│   └── ...
├── modules ; Configuration modules
│   ├── home ; Home-manager modules
│   │   └── caem ; User home-manager modules
│   │       ├── default.nix ; User specific configuration options
│   │       ├── packages.nix ; User specific package set
│   │       └── ...
│   └── nixos ; NixOS modules
│       ├── user ; User definition
│       │   └── caem.nix
│       └── ...
└── overlays ; Overlays
    └── ...
```
This step is required to install the system, as the configuration is built around sops-nix with the encrypted files kept in a private repository, so that not even the encrypted secrets are exposed to the public. You do not need to be on a NixOS livecd or system to complete this step, as long as you can install the requirements listed below.

```sh
nix-shell -p sops age git wl-clipboard
mkdir secrets
cd secrets
git init
```
Ignore keys.txt in git before generating it, so that you do not accidentally push your private key, then create the age key pair:

```sh
echo "keys.txt" > .gitignore
age-keygen -o ./keys.txt
```
Create the sops configuration, using the public half of the key you just generated (printed by `age-keygen -y`) as the only recipient:

```sh
cat <<EOF > .sops.yaml
keys:
  - &master $(age-keygen -y ./keys.txt)
creation_rules:
  - path_regex: .*\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *master
EOF
```
Hash your user password with mkpasswd, copy the hash to the clipboard, and open the new (encrypted) secrets file with sops:

```sh
mkpasswd | wl-copy
sops upasswd.yaml
```

Then edit the file to look like this, pasting the hash from mkpasswd as the value:

```yaml
upasswd: [The pasted password from mkpasswd]
```
Finally, give the secrets repository a flake.nix that exposes the path of the encrypted file, so the main configuration can refer to it as an input:

```sh
cat <<EOF > flake.nix
{
  outputs = { self, ... }: {
    paths = {
      upasswd = self + "/upasswd.yaml";
    };
  };
}
EOF
```
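Before pushing, it is worth confirming that what is about to leave the machine is really ciphertext. The script below is an added example, not part of caenix or sops-nix: it checks that a sops file is encrypted (every value is an `ENC[...]` blob and the metadata names an age recipient) and that no age private key or bare mkpasswd hash sits anywhere in the tree. It assumes the sops YAML layout (`ENC[AES256_GCM,...]` values followed by a top-level `sops:` block) and that age identities start with `AGE-SECRET-KEY-1`; the sample files it uses are constructed placeholders, not real sops output.

```sh
#!/bin/sh
# Added example (not part of caenix or sops-nix): pre-push sanity check for the
# secrets repository. Assumptions: sops stores values as ENC[AES256_GCM,...] and
# appends a top-level "sops:" metadata block; age identities begin with
# AGE-SECRET-KEY-1; mkpasswd hashes look like $6$..., $5$..., $y$... or $2b$...

# Return 0 if every value outside the sops: block is an ENC[...] blob and the
# metadata lists at least one age recipient.
sops_file_is_encrypted() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^sops:' "$f" || return 1
    grep -q '^[[:space:]]*- *recipient: *age1' "$f" || return 1
    awk '
        BEGIN { bad = 0 }
        /^sops:/ { exit }                      # sops owns the metadata block
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        {
            line = $0
            sub(/^[ \t]*-[ \t]+/, "", line)    # drop a list-item marker
            sub(/^[ \t]+/, "", line)
            if (line !~ /^ENC\[/) sub(/^[^:#]*:[ \t]*/, "", line)   # drop "key:" prefix
            if (line != "" && line !~ /^ENC\[AES256_GCM,/) bad = 1
        }
        END { exit bad }
    ' "$f"
}

# Return 0 if no regular file under "$1" (the .git directory excluded) contains an
# age private key or a crypt(3) hash sitting directly after a "key:".
tree_has_no_plaintext_secrets() {
    dir="$1"
    hits=$(find "$dir" -name .git -prune -o -type f -exec grep -lE \
        'AGE-SECRET-KEY-1|^[^#]*:[[:space:]]*\$(6|5|y|2[aby])\$' {} + 2>/dev/null)
    [ -z "$hits" ] || { printf 'plaintext secret material in:\n%s\n' "$hits" >&2; return 1; }
    return 0
}

# Constructed sample of what sops writes after "sops upasswd.yaml"; the
# ciphertext, recipient and mac are placeholders, not real output.
GOOD_SAMPLE='upasswd: ENC[AES256_GCM,data:Zm9vYmFy,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1placeholderrecipient000000000000000000000000000000000000
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1'

# Constructed sample of the mistake the check exists for: the mkpasswd hash
# written to a file that was never run through sops.
BAD_SAMPLE='upasswd: $6$saltsalt$placeholderhashplaceholderhashplaceholderhash'

# Stand-alone demonstration against the constructed samples in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$GOOD_SAMPLE" > "$d/upasswd.yaml"
    printf '%s\n' "$BAD_SAMPLE"  > "$d/leak.yaml"
    sops_file_is_encrypted "$d/upasswd.yaml" && echo "upasswd.yaml: encrypted"
    sops_file_is_encrypted "$d/leak.yaml"    || echo "leak.yaml: NOT encrypted"
    tree_has_no_plaintext_secrets "$d"       || echo "tree: plaintext secrets found (expected in this demo)"
    rm -rf "$d"
}
demo
```

In the real secrets checkout, run `sops_file_is_encrypted upasswd.yaml && tree_has_no_plaintext_secrets .` before `git push`, and pair it with `git check-ignore -q keys.txt` to confirm the ignore rule from earlier actually applies to the key file.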
If your git forge supports creating the repository on push, you can simply run the commands below. If it does not (GitHub, for example), create a private repository named "secrets" first.

```sh
git remote add origin git@git.example.net:username/secrets
git add .
git commit -m "batman"
git push --set-upstream origin master
```
THIS STEP IS VERY IMPORTANT
Back up your keys.txt in a safe location from which you can later transfer it to the livecd. Keep it safe afterwards, as it is required to decrypt your secrets. Do not share it with anyone else, as it would allow them to decrypt all your secrets.
You also need a copy of your ssh private key or (preferably) a deploy key for the repository ready, so that you can later clone your secrets repository.
Any of the official NixOS livecds will work as long as you are able to securely transfer files onto it. Non-NixOS livecds might work if you install the required tools manually, but that is out of scope of this document.

```sh
git clone https://github.com/c4em/caenix.git
cd caenix
```
Fetch your keys.txt from wherever you've stored them and place them at the root of the configuration directory. If you place them anywhere else the installation will fail. Do not move them later either.
For your ssh key, place it in ~/.ssh and create a symlink for the root user.

```sh
sudo ln -sf /home/nixos/.ssh /root/.ssh
```

And start an instance of ssh-agent.

```sh
eval $(ssh-agent -s)
ssh-add ~/.ssh/[your key]
```
In flake.nix, replace

```nix
inputs = {
  secrets.url = "git+ssh://git@git.caem.dev/caem/secrets";
```

with your URL.

```nix
inputs = {
  secrets.url = "git+ssh://git@git.example.com/username/secrets";
```
Updating the flake inputs before installing is very useful: it also tells you whether cloning your secrets repository works, rather than only telling you after the drive has already been partitioned.

```sh
nix --extra-experimental-features 'nix-command flakes' flake update
./install.sh --host [your host] --device [the device to install NixOS on]
```
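The livecd steps above fail late if something is off, and the README notes that a misplaced keys.txt makes the installation fail. The preflight script below is an added example, not part of caenix: run it in the configuration checkout after the steps above and before `./install.sh`, so that a missing or world-readable keys.txt, an unchanged `secrets.url`, or an empty ssh-agent is caught before any drive is partitioned. It assumes the checkout path is given as its first argument (default: the current directory), that keys.txt is an age identity file, and that the upstream placeholder URL is the `git.caem.dev` one shown in the README.

```sh
#!/bin/sh
# Added example (not part of caenix): installer preflight for the livecd.
# Assumptions: "$1" is the configuration checkout (default "."), keys.txt is an
# age identity (AGE-SECRET-KEY-1...), and the upstream secrets URL to detect is
# git+ssh://git@git.caem.dev/caem/secrets as shown in the README.

# keys.txt must sit at the root of the configuration directory, hold an age
# identity, and be readable by its owner only.
check_age_identity() {
    f="$1/keys.txt"
    [ -f "$f" ] || { echo "missing $f: keys.txt must be at the root of the configuration directory" >&2; return 1; }
    grep -q '^AGE-SECRET-KEY-1' "$f" || { echo "$f does not contain an age identity" >&2; return 1; }
    set -- $(ls -ld "$f")                 # first field is the mode string, e.g. -rw-------
    case "$1" in
        ????------*) ;;                   # group and other permission bits all clear
        *) echo "$f is readable by others (mode $1); run: chmod 600 $f" >&2; return 1 ;;
    esac
}

# flake.nix must name your own secrets repository, not the upstream author's.
check_secrets_url() {
    flake="$1/flake.nix"
    [ -f "$flake" ] || { echo "missing $flake" >&2; return 1; }
    if grep -q 'git+ssh://git@git.caem.dev/caem/secrets' "$flake"; then
        echo "flake.nix still points secrets.url at the upstream repository; replace it with your own" >&2
        return 1
    fi
    grep -q 'secrets\.url[[:space:]]*=[[:space:]]*"git+ssh://' "$flake" \
        || { echo "no git+ssh secrets.url found in flake.nix" >&2; return 1; }
}

# ssh-add -l exits non-zero when the agent is unreachable or holds no identities,
# which is exactly the state in which the secrets clone would fail.
check_ssh_agent() {
    ssh-add -l >/dev/null 2>&1 \
        || { echo 'ssh-agent has no identities; run: eval $(ssh-agent -s); ssh-add ~/.ssh/[your key]' >&2; return 1; }
}

# Run every check and report; exit status is non-zero if any of them failed.
preflight() {
    dir="${1:-.}"
    rc=0
    check_age_identity "$dir" || rc=1
    check_secrets_url "$dir" || rc=1
    check_ssh_agent || rc=1
    [ "$rc" -eq 0 ] && echo "preflight OK: safe to run ./install.sh"
    return "$rc"
}

# Usage: sh preflight.sh /home/nixos/caenix
if [ $# -gt 0 ]; then preflight "$1"; fi
```

The permission check matters because keys.txt is the only thing standing between the public-looking ciphertext and your user password hash; `chmod 600` it as soon as it lands on the livecd.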