nixos-system-config/README.md

# caenix
## Installation
### Setting up your secrets repository

This step is required because the system is built around sops-nix, with the
encrypted files kept in a private repository so that not even the ciphertext
is exposed publicly. You do not need to be on a NixOS livecd or an installed
NixOS system to complete it, as long as you can install the requirements from
step 1.
#### 1. Ensure all required dependencies are present

```sh
# mkpasswd (from the whois tools) is used in step 6 to hash the user password
nix-shell -p sops age git wl-clipboard mkpasswd
```

#### 2. Initialize your secrets repo
```sh
mkdir secrets
cd secrets
git init
```
#### 3. Create your gitignore

This keeps the private key out of the repository so you cannot push it by
accident. Note that `.gitignore` only protects against `git add .`; a
`git add -f keys.txt` would still stage it.

```sh
echo "keys.txt" > .gitignore
```
#### 4. Generate your private key

```sh
age-keygen -o ./keys.txt
```
#### 5. Create your sops configuration file

The heredoc is deliberately unquoted so that `$(age-keygen -y ./keys.txt)`
expands to your public key; that is also why the trailing `$` of the regex is
escaped. Indentation matters in this file: `key_groups` must be nested under
the creation rule, otherwise sops reads it as a separate top-level key and
the rule has no recipients.

```sh
cat <<EOF > .sops.yaml
keys:
  - &master $(age-keygen -y ./keys.txt)
creation_rules:
  - path_regex: '.*\.(yaml|json|env|ini)\$'
    key_groups:
      - age:
          - *master
EOF
```
#### 6. Create your secrets file

`mkpasswd` prompts for the password without echoing it and prints the hash,
which `wl-copy` places on the Wayland clipboard. `sops` then opens the new
file in your editor and encrypts it when you save.

```sh
mkpasswd | wl-copy
sops upasswd.yaml
```

Then edit the file to look like this, pasting the hash in place of the
placeholder:

```yaml
upasswd: "<the hash copied from mkpasswd>"
```

Quoting the value is not strictly required, but it avoids surprises with the
`$` characters in a crypt hash. Be aware that sops encrypts the values only;
the key name `upasswd` stays readable in the committed file.
#### 7. Create the flake to expose the secrets

```sh
cat <<EOF > flake.nix
{
  outputs = { self, ... }: {
    paths = {
      upasswd = self + "/upasswd.yaml";
    };
  };
}
EOF
```
#### 8. Commit and push your changes

If your git forge creates the repository on first push you can simply run the
commands below. If it does not (GitHub, for example), create a **private**
repository named "secrets" first, then run them.

```sh
git remote add origin git@git.example.net:username/secrets
git add .
git commit -m "batman"
git push --set-upstream origin master
```
#### 9. Back up your keys.txt

**THIS STEP IS VERY IMPORTANT**

Back up `keys.txt` somewhere safe from which you can later transfer it onto
the livecd. Keep it safe afterwards as well: it is the only key that can
decrypt your secrets, and anyone who obtains it can decrypt all of them, so
never share it and never commit it.

You also need a copy of your ssh private key, or preferably a deploy key
scoped to the secrets repository, at hand so you can clone the secrets
repository later.
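
The script below is an added example, not part of caenix, that runs steps 2
through 7 non-interactively and checks the result before anything is pushed:
it verifies that `keys.txt` is ignored and not staged, that the generated
recipient is a well-formed age public key, that `upasswd.yaml` really is
encrypted, and that `keys.txt` can decrypt it again. It assumes `age-keygen`,
`sops`, `git` and `mkpasswd` are on `PATH` (for example inside the
`nix-shell` from step 1); the helper names, the `init` subcommand and the
repository directory are my own choices.

```sh
#!/bin/sh
# Added example (not caenix code): bootstrap and sanity-check the secrets repo.
# Usage: sh bootstrap-secrets.sh init [directory]
set -eu

fail() { echo "error: $*" >&2; exit 1; }

# age X25519 recipients are "age1" followed by 58 bech32 characters.
age_pubkey_ok() {
    printf '%s' "$1" | grep -Eq '^age1[02-9ac-hj-np-z]{58}$'
}

# $2 is ignored when it appears as an exact pattern line in the .gitignore $1.
ignored_by() {
    grep -qxF -- "$2" "$1"
}

# .sops.yaml that encrypts every yaml/json/env/ini file to the recipient $1.
# The indentation is significant: key_groups must nest under the rule.
render_sops_config() {
    cat <<EOF
keys:
  - &master $1
creation_rules:
  - path_regex: '.*\.(yaml|json|env|ini)\$'
    key_groups:
      - age:
          - *master
EOF
}

# flake.nix exposing the encrypted file's path to the system flake.
render_flake() {
    cat <<'EOF'
{
  outputs = { self, ... }: {
    paths = {
      upasswd = self + "/upasswd.yaml";
    };
  };
}
EOF
}

# An encrypted sops file has a top-level `sops:` block, ENC[...] values and
# no crypt hash ($6$ sha-512 or $y$ yescrypt) left in the clear.
looks_encrypted() {
    grep -q '^sops:' "$1" && grep -q 'ENC\[' "$1" && ! grep -Eq '\$(6|y)\$' "$1"
}

init_secrets_repo() {
    repo=${1:-secrets}
    mkdir -p "$repo" && cd "$repo"
    [ -d .git ] || git init -q
    printf 'keys.txt\n' > .gitignore
    ignored_by .gitignore keys.txt || fail "keys.txt is not ignored"

    # The key file is created 0600 and never overwritten.
    [ -f keys.txt ] || (umask 077 && age-keygen -o keys.txt 2>/dev/null)
    pub=$(age-keygen -y keys.txt)
    age_pubkey_ok "$pub" || fail "unexpected recipient: $pub"
    render_sops_config "$pub" > .sops.yaml

    # mkpasswd prompts on the tty without echo, so the password touches neither
    # the clipboard nor shell history; the plaintext file exists only until
    # sops encrypts it in place.
    (umask 077 && printf 'upasswd: "%s"\n' "$(mkpasswd)" > upasswd.yaml)
    sops --encrypt --in-place upasswd.yaml
    looks_encrypted upasswd.yaml || fail "upasswd.yaml is not encrypted"
    SOPS_AGE_KEY_FILE=$PWD/keys.txt sops --decrypt upasswd.yaml > /dev/null \
        || fail "keys.txt does not decrypt upasswd.yaml"

    render_flake > flake.nix
    git add -A
    git diff --cached --name-only | grep -qx keys.txt && fail "keys.txt is staged"
    echo "ready: review 'git status', then commit, add your remote and push"
}

case "${1:-}" in
    init) init_secrets_repo "${2:-secrets}" ;;
esac
```

Running `sh bootstrap-secrets.sh init` leaves you at step 8 with the files
staged; the commit, remote and push are left to you so that you can review
`git status` first. The `looks_encrypted` check is deliberately crude (it
greps for the sops metadata and for a leftover crypt-hash prefix), but it is
enough to catch the common mistake of committing a file that sops never
touched because its name did not match `path_regex`.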
### Installing the system

#### 0. Boot into a livecd image

Any of the official NixOS livecds will work as long as you are able to
transfer files onto it securely. Non-NixOS livecds might work if you install
the required tools manually, but that is out of scope for this document.

#### 1. Clone this repository

```sh
git clone https://github.com/c4em/caenix.git
cd caenix
```
#### 2. Fetch your keys.txt and ssh key

Fetch your `keys.txt` from wherever you stored it and **place it at the root
of the configuration directory**. If you place it anywhere else the
installation will fail, and do not move it later either. Make sure it is
`chmod 600`, and before committing anything from this checkout confirm that
`git status` does not list it. For your ssh key, place it in `~/.ssh` and
create a symlink for the root user:

```sh
# assumes /root/.ssh does not exist yet; if it is already a directory,
# ln would create the link inside it instead of replacing it
sudo ln -sf /home/nixos/.ssh /root/.ssh
```

#### 3. Update the flake input for your secret
In `flake.nix`, replace
```nix
inputs = {
secrets.url = "git+ssh://git@git.caem.dev/caem/secrets";
```
with your url.
```nix
inputs = {
secrets.url = "git+ssh://git@git.example.com/username/secrets";
```
#### 4. Update flake.lock (optional)

This refreshes every input in `flake.lock` (nixpkgs included), not only
`secrets`; skip it if you want to keep the currently pinned versions.

```sh
nix --extra-experimental-features 'nix-command flakes' flake update
```
#### 5. Run the installation script

```sh
./install.sh --host [your host] --device [the device to install NixOS on]
```
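
The following preflight script is an added example, not part of caenix. It
covers steps 2 and 3 from the livecd: it rewrites the `secrets.url` input in
`flake.nix`, refuses to continue if that input still points at the upstream
author's repository or if `keys.txt` is missing or readable by others,
confirms the forge is reachable over ssh with the key you placed in `~/.ssh`,
and, when `sops` is available, proves that `keys.txt` decrypts
`upasswd.yaml` before you commit to a full install. The helper names and the
`check` / `set-url` subcommands are my own; it is meant to be run from the
root of the caenix checkout.

```sh
#!/bin/sh
# Added example (not caenix code): preflight checks before ./install.sh.
# Usage: sh preflight.sh set-url git+ssh://git@git.example.com/username/secrets
#        sh preflight.sh check
set -eu

fail() { echo "preflight: $*" >&2; exit 1; }

# Print the secrets.url input of the flake.nix $1, or nothing if absent.
flake_secrets_url() {
    sed -n 's/^[[:space:]]*secrets\.url = "\([^"]*\)";.*/\1/p' "$1"
}

# Point the secrets.url input of $1 at $2 (a git+ssh:// flake URL).
# Written via a temp file so it works without GNU sed -i.
set_secrets_url() {
    sed "s|^\([[:space:]]*secrets\.url = \)\"[^\"]*\";|\1\"$2\";|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Nix's git+ssh://host/path is plain ssh://host/path for git itself.
git_remote_from_flake_url() {
    printf '%s\n' "${1#git+}"
}

# A private key must not be group- or world-accessible (0600 or 0400).
private_key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

preflight() {
    [ -f keys.txt ] || fail "keys.txt must sit at the root of this checkout"
    private_key_perms_ok keys.txt || fail "keys.txt is readable by others: chmod 600 keys.txt"

    url=$(flake_secrets_url flake.nix)
    [ -n "$url" ] || fail "flake.nix has no secrets.url input"
    case $url in
        *git.caem.dev/caem/secrets*) fail "secrets.url still points at the upstream author's repo" ;;
    esac

    # Exercises the ssh key from ~/.ssh (via the /root/.ssh symlink under sudo).
    remote=$(git_remote_from_flake_url "$url")
    git ls-remote -q "$remote" HEAD > /dev/null || fail "cannot reach $remote over ssh"

    # Only possible if sops is on the livecd; otherwise install.sh finds out.
    if command -v sops > /dev/null; then
        tmp=$(mktemp -d)
        git clone -q "$remote" "$tmp/secrets"
        SOPS_AGE_KEY_FILE=$PWD/keys.txt sops --decrypt "$tmp/secrets/upasswd.yaml" > /dev/null \
            || fail "keys.txt does not decrypt upasswd.yaml from $remote"
        rm -rf "$tmp"
    fi
    echo "preflight ok: run ./install.sh --host <host> --device <device>"
}

case "${1:-}" in
    check)   preflight ;;
    set-url) set_secrets_url flake.nix "${2:?usage: set-url <flake url>}" ;;
esac
```

The `git ls-remote` check is the cheapest way to find out that the deploy key
is wrong or that `/root/.ssh` was not linked before `install.sh` fails deep
inside a Nix fetch; the decryption test catches a `keys.txt` that belongs to
a different age key pair than the one `.sops.yaml` was written for.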