README: nixos-anywhere and Raspberry Pi

Daniel Langbein 2023-10-24 10:00:17 +02:00
parent aa60fe1eaa
commit 363a6118f1
Signed by: langfingaz
GPG Key ID: 6C47C753F0823002
2 changed files with 95 additions and 7 deletions


@ -2,6 +2,12 @@
- [NixOS](#nixos) - [NixOS](#nixos)
- [NixOS installation](#nixos-installation) - [NixOS installation](#nixos-installation)
- [Graphical installation](#graphical-installation)
- [Remote installation: disko and nixos-anywhere](#remote-installation-disko-and-nixos-anywhere)
- [ARM device: Raspberry Pi 3B+](#arm-device-raspberry-pi-3b)
- [ISO](#iso)
- [Default configuration](#default-configuration)
- [Apply modified configuration](#apply-modified-configuration)
- [Update, build and switch](#update-build-and-switch) - [Update, build and switch](#update-build-and-switch)
- [Update](#update) - [Update](#update)
- [Build and switch: Using Colmena](#build-and-switch-using-colmena) - [Build and switch: Using Colmena](#build-and-switch-using-colmena)
@ -12,7 +18,6 @@
- [niv: Dependency management](#niv-dependency-management) - [niv: Dependency management](#niv-dependency-management)
- [Add Home Manager with niv](#add-home-manager-with-niv) - [Add Home Manager with niv](#add-home-manager-with-niv)
- [Add NUR with niv](#add-nur-with-niv) - [Add NUR with niv](#add-nur-with-niv)
- [disko and nixos-anywhere: Remote installation](#disko-and-nixos-anywhere-remote-installation)
- [Colmena: Deployment and secret management](#colmena-deployment-and-secret-management) - [Colmena: Deployment and secret management](#colmena-deployment-and-secret-management)
- [BTRFS swap file](#btrfs-swap-file) - [BTRFS swap file](#btrfs-swap-file)
- [LUKS Parameters](#luks-parameters) - [LUKS Parameters](#luks-parameters)
@ -38,6 +43,8 @@
## NixOS installation ## NixOS installation
### Graphical installation
For beginners, NixOS can be installed with a graphical installer. For beginners, NixOS can be installed with a graphical installer.
Getting the ISO: Getting the ISO:
@ -55,6 +62,52 @@ During installation:
* One 512MB (or larger) Fat32 partition, mounted at `/boot`, "boot" flag enabled * One 512MB (or larger) Fat32 partition, mounted at `/boot`, "boot" flag enabled
* Another partition (e.g. BTRFS) covering the rest of the drive, mounted at `/`, encryption enabled * Another partition (e.g. BTRFS) covering the rest of the drive, mounted at `/`, encryption enabled
## Remote installation: disko and nixos-anywhere
Install NixOS via SSH everywhere.
There is a separate repository for these steps. Its README can be found here: https://codeberg.org/privacy1st/nixos-anywhere-example/src/template/README.md
## ARM device: Raspberry Pi 3B+
### ISO
If you are on an architecture other than aarch64, enable emulation: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];`.
An ISO for the Raspberry Pi 3B+ can then be built with:
```shell
# If on aarch64
#nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./iso-aarch64.nix
# If not on aarch64
nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./iso-aarch64.nix --argstr system aarch64-linux
ls result/sd-image/*.img
```
**Note** about cross compilation
Alternatively to emulating the aarch64 architecture we could also cross compile from e.g. x86 to it. However, this has one big drawback: The binary cache (https://cache.nixos.org/) won't be used. The reason for this is that packages built with cross compilation are (slightly) different from native built ones. Their checksums don't match.
### Default configuration
When the Raspberry Pi is booted, run `nixos-generate-config` to generate the default `configuration.nix` and `hardware-configuration.nix` files.
### Apply modified configuration
The Rapberry Pi 3B+ has only 1GB RAM, which is not enough for `nixos-rebuild`. It is recommended to create and activate a SWAP file first: https://wiki.archlinux.org/title/swap#Swap_file_creation
```shell
nix-channel --list
#=> nixos https://nixos.org/channels/nixos-23.05
nix-channel --update nixos
```
```shell
nixos-rebuild boot
reboot
```
## Update, build and switch ## Update, build and switch
Local (yodaTux): Local (yodaTux):
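Review bot: The new "### ISO" heading and the sentence "An ISO for the Raspberry Pi 3B+ can then be built with:" call the artifact an ISO, but the command builds `config.system.build.sdImage` and the listing is `result/sd-image/*.img`, so what comes out is an SD card image. Suggest renaming the heading, the sentence and the matching table-of-contents entry to "SD image" so readers do not go looking for an .iso file. Also in this hunk, "Rapberry Pi 3B+" under "Apply modified configuration" should read "Raspberry Pi 3B+", and that section never says that the generated `configuration.nix` is to be edited before `nixos-rebuild boot`, which the heading implies.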
@ -199,12 +252,6 @@ niv add nix-community/home-manager -n home-manager -b release-23.05
niv add nix-community/NUR -n NUR niv add nix-community/NUR -n NUR
``` ```
## disko and nixos-anywhere: Remote installation
Install NixOS via SSH everywhere.
There is a separate repository for these steps. Its README can be found here: https://codeberg.org/privacy1st/nixos-anywhere-example/src/template/README.md
## Colmena: Deployment and secret management ## Colmena: Deployment and secret management
* https://github.com/zhaofengli/colmena#colmena * https://github.com/zhaofengli/colmena#colmena

iso-aarch64.nix Normal file

@ -0,0 +1,41 @@
# Great overview: https://rbf.dev/blog/2020/05/custom-nixos-build-for-raspberry-pis/
# https://nixos.wiki/wiki/NixOS_on_ARM#Cross-compiling
# https://nixos.wiki/wiki/NixOS_on_ARM#Compiling_through_binfmt_QEMU
# https://nix.dev/tutorials/nixos/installing-nixos-on-a-raspberry-pi
# Using the 64-bit AArch64 image is highly recommended.
# https://nixos.wiki/wiki/NixOS_on_ARM/Raspberry_Pi#Raspberry_Pi_3_.2F_3B.2B
{ config, pkgs, lib, ... }: {
imports = [
<nixpkgs/nixos/modules/installer/sd-card/sd-image-aarch64.nix>
];
boot = {
# New tags are published not so often ...
# https://github.com/raspberrypi/linux/tags
#kernelPackages = pkgs.linuxKernel.packages.linux_rpi3;
# The mainline kernel is also supported.
kernelPackages = pkgs.linuxPackages_latest;
# TODO:
# Not every kernel (pkgs.linuxPackages_latest) is ZFS compatible.
# In that case, we can use mkForce to remove "zfs" from the list.
#
# Open issue to build two kernels, one with and one without zfs: https://github.com/NixOS/nixpkgs/issues/189184
# List values were taken from here: https://github.com/NixOS/nixpkgs/blob/3f339f3cf44d090e2cc624f89df81fdb29810a0a/nixos/modules/profiles/base.nix#L54
supportedFilesystems = lib.mkForce [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ];
};
# Compression takes loads of time with emulation, skip it.
sdImage.compressImage = false;
services.openssh = {
enable = true;
passwordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keys = [
(builtins.readFile ./assets/ssh/nitrokey.pub)
];
hardware.enableRedistributableFirmware = true;
system.stateVersion = "23.05";
}
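Review bot: Missing documentation for the SSH key in `users.users.root.openssh.authorizedKeys.keys`: it is read from `./assets/ssh/nitrokey.pub`, which is not among the two files changed here and is not mentioned in the README build steps. With `passwordAuthentication = false`, that key is the only way to log in to the booted image, so anyone building it with a different key in place, or without replacing it, ends up with an image they cannot reach or one that grants root to the wrong key holder. Suggest a comment above the `readFile` line and a sentence in the README section saying the file must contain the builder's own public key. Separately, the "TODO:" comment above `supportedFilesystems` reads as if the override were still outstanding, although `lib.mkForce [ ... ]` is already applied; reword it to say what was done and that the list is a copy of the pinned `base.nix` values and has to be kept in sync by hand.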