My NixOS configuration and deployment.
Go to file
2024-11-26 10:01:45 +01:00
.vscode add shell.nix and vscode settings 2023-11-01 11:51:47 +01:00
assets chore: reinstalled enchilada 2024-11-21 18:23:06 +01:00
dconf gnome dconf backup restore diff 2024-08-31 13:18:41 +02:00
examples docs 2024-01-13 12:34:17 +01:00
hosts solve todo 2024-11-21 22:06:37 +01:00
modules docs 2024-11-24 14:37:18 +01:00
nix chore 2024-11-26 10:01:45 +01:00
secrets add sendmail (OpenSMTPD) and journalwatch 2023-09-18 15:32:43 +02:00
.gitignore gnome dconf backup restore diff 2024-08-31 13:18:41 +02:00
gstreamer.nix add gstreamer.nix 2024-01-12 22:21:14 +01:00
hive.nix solve todo 2024-09-06 11:45:59 +02:00
iso-aarch64.nix chore: NixOS 23.11 2023-12-15 13:03:18 +01:00
LICENSE add MIT License 2023-10-06 14:58:15 +02:00
NixOS Upgrades.md NixOS 24.05: add notes 2024-08-20 17:15:16 +02:00
NixOS.md docs 2024-11-24 14:37:18 +01:00
README.md update README 2024-11-21 18:22:37 +01:00
shell.nix add shell.nix and vscode settings 2023-11-01 11:51:47 +01:00
TODO.md docs 2024-10-07 20:10:15 +02:00

nix-git

This repository contains my NixOS configuration files with some guidance on how to use them.

See also:

Table of Contents

NixOS installation

Graphical installation

For beginners, NixOS can be installed with a graphical installer.

Getting the ISO:

During installation:

  • If the installation target is a SSD
    • Trim the whole disk to mark all cells as unused and restore its initial performance
    • sudo blkdiscard -f /dev/nvmeXXX
  • Select manual partitioning:
    • One 512MB (or larger) Fat32 partition, mounted at /boot, "boot" flag enabled
    • Another partition (e.g. BTRFS) covering the rest of the drive, mounted at /, encryption enabled

Remote installation: disko and nixos-anywhere

Install NixOS via SSH everywhere.

There is a separate repository for these steps. Its README can be found here: https://codeberg.org/privacy1st/nixos-anywhere-example/src/template/README.md

ARM: SD image for the Raspberry Pi 3B+

ISO creation

If you are on an architecture other than aarch64, enable emulation: boot.binfmt.emulatedSystems = [ "aarch64-linux" ];.

An ISO for the Raspberry Pi 3B+ can then be built with:

# If on aarch64
#nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./iso-aarch64.nix
# If not on aarch64
nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage -I nixos-config=./iso-aarch64.nix --argstr system aarch64-linux

ls result/sd-image/*.img

Note about cross compilation

Alternatively to emulating the aarch64 architecture we could also cross compile from e.g. x86 to it. However, this has one big drawback: The binary cache (https://cache.nixos.org/) won't be used. The reason for this is that packages built with cross compilation are (slightly) different from native built ones. Their checksums don't match.

Default configuration

When the Raspberry Pi is booted, run nixos-generate-config to generate the default configuration.nix and hardware-configuration.nix files.

A slightly modified config can be found in ./hosts/pi3bplus

Apply modified configuration

The Raspberry Pi 3B+ has only 1GB RAM, which is not enough for nixos-rebuild. It is recommended to create and activate a SWAP file first: https://wiki.archlinux.org/title/swap#Swap_file_creation

nix-channel --list
#=> nixos https://nixos.org/channels/nixos-23.05
nix-channel --update nixos
passwd
nixos-rebuild boot
reboot

ARM: Vanilla UEFI bootloader for the Raspberry Pi 3B+

TODO: The EFI menu was working. But I got many squashfs errors when booting an USB stick with the NixOS installer.

Preparing a micro SD card with an UEFI bootloader:

nix-shell -p parted gptfdisk
sudo parted --script /dev/SDX -- \
	mklabel gpt \
	mkpart ESP fat32 2Mib 512MiB \
	set 1 esp on \
	mkpart primary 512MiB 100% \
	print

sudo wipefs --all /dev/SDX1
sudo wipefs --all /dev/SDX2

sudo mkfs.fat -F32 /dev/SDX1

sudo gdisk /dev/SDX
# r
# p
# h
# 1
# N
# 0c
# N
# N
# o
# w
# Y

In addition to the SD card, attach an USB stick with NixOS ARM (https://nixos.org/download.html#nixos-iso, https://hydra.nixos.org/job/nixos/release-23.05/nixos.iso_minimal.aarch64-linux, https://hydra.nixos.org/job/nixos/release-23.05/nixos.iso_minimal_new_kernel_no_zfs.aarch64-linux or https://hydra.nixos.org/job/nixos/trunk-combined/nixos.iso_minimal.aarch64-linux) to the Raspberry Pi.

sudo umount /dev/SDX
sudo dd if=nixos-minimal-XXX-aarch64-linux.iso of=/dev/SDX bs=4M conv=fsync

Then install NixOS the way you prefer, but don't touch/modify the partition table!

See https://nixos.wiki/wiki/NixOS_on_ARM/UEFI#Installing

Update, build and switch

tldr

Local (yodaTux):

sudo nix-channel --update && niv update
niv update && colmena build --on $(hostname) -v --show-trace && colmena apply-local --sudo boot

Remote (yodaTab):

niv update
colmena build --on remoteTab -v --show-trace && colmena apply --on remoteTab boot
colmena exec --on remoteTab "nix-channel --update"

Remote (@server):

niv update
colmena build --on @server -v --show-trace && colmena apply --on @server boot
colmena exec --on @server "nix-channel --update"

Update

Update channel and configuration:

sudo nix-channel --update && niv update

To apply the updates, continue with "Build and switch".

Build and switch: Using Colmena

See section "Colmena: Deployment and secret management" to build and apply updates.

Build and switch: Manually

Option I: Build new config and activate it:

sudo nixos-rebuild -I nixos-config=hosts/$(hostname)/configuration.nix switch

To view changes, see section "Compare two versions of NixOS system profile".

Option II: Build new config and activate it during next boot:

sudo nixos-rebuild -I nixos-config=hosts/$(hostname)/configuration.nix boot

Option III: Build config and view changes:

# This leaves a symlink named `result` in the current directory.
sudo nixos-rebuild -I nixos-config=hosts/$(hostname)/configuration.nix build
nix --extra-experimental-features nix-command store diff-closures /run/current-system ./result
#=> ...
#=> linux: 6.1.47, 6.1.47-modules → 6.1.51, 6.1.51-modules, -11.8 KiB

Depending on if there are large kernel changes, either switch to it directly or wait until next boot:

sudo ./result/bin/switch-to-configuration switch
# or
sudo ./result/bin/switch-to-configuration boot

Note: The Perl script executed by both above commands should create a new bootloader menu entry and mark it as default. However, if I remember correctly, the menu entry was once missing and the configuration change thus not permanent. This might need further testing. See also: https://nixos.wiki/wiki/Nixos-rebuild#Internals

Colmena: Deployment and secret management

Colmena is a simple, stateless NixOS deployment tool modeled after NixOps and morph, written in Rust.

Alternative: Deployment with Morph: https://xeiaso.net/blog/morph-setup-2021-04-25

Configuration is done inside hive.nix.

Build config:

colmena build -v

Apply to all non-local nodes:

colmena apply --on @server switch
#colmena apply --on @server boot

#colmena apply --on remoteTab switch
#colmena apply --on remoteTab boot

Apply to local node:

colmena apply-local --sudo switch
#colmena apply-local --sudo boot

Filtering:

  • You can filter hosts by tags with --on @tag-a,@tag-b.
  • You can use globs in tag matching as well: colmena apply --on '@infra-*'

BTRFS swap file

Summary:

  • Create subvolume @swap directly below top-level subvolume.
  • Mount at /swap
  • Create swapfile: sudo btrfs filesystem mkswapfile --size 8g --uuid clear /swap/swapfile
  • Regenerate hardware-configuration: sudo nixos-generate-config --dir hosts/$(hostname)
  • Add swapDevices = [ { device = "/swap/swapfile"; } ]; to hardware configuration and run nixos-rebuild switch (see above).

BTRFS CoW

The Arch wiki has the following warning about disabling CoW:

Disabling CoW in Btrfs also disables checksums. Btrfs will not be able to detect corrupted nodatacow files. When combined with RAID 1, power outages or other sources of corruption can cause the data to become out of sync.

Thus, we e.g. don't disable CoW for increased DB performance.

When systemd initially creates its journal file, it warns us about enabled CoW:

Creating journal file /var/log/journal/.../system.journal on a btrfs file system, and copy-on-write is enabled. This is likely to slow down journal access substantially, please consider turning off the copy-on-write file attribute on the journal directory, using chattr +C.

As corruption of log files is not dramatic, we disable CoW for /var/log with

sudo chattr +C /var/log

Note from Arch wiki:

If the 'C' flag is set on a directory, it will have no effect on the directory, but new files created in that directory will have the No_COW attribute.

Automount encrypted drive

sudo nixos-generate-config --dir hosts/$(hostname)
  • If it is an SSD, enable boot.initrd.luks.devices.<name>.allowDiscards

List active and failed services

If there are e.g. file conflicts due to preexisting dotfiles, the Home Manager user service might fail. To list all failed services, run:

systemctl --failed

List all active services:

systemctl list-units --type=service --state=running
systemctl --user list-units --type=service --state=running

View system log

# Kernel message log with timestamps
dmesg --ctime
# System journal: Errors since last boot.
journalctl -p err -b
# GNOME session logs since last boot. https://help.gnome.org/admin/system-admin-guide/stable/session-debug.html.en
journalctl _UID="${UID}" -b

Server maintenance with a smartphone

While I was on a bike tour I did some config changes to update my NixOS servers using only my smartphone and Nitrokey (GPG smartcard):

  • ome-manager.users.yoda.programs.git.signing.signByDefault = false;
  • Import ../../modules/git.nix in hosts/yodaNas/configuration.nix
  • Import ./../modules/docker-pushrm.nix in hosts/yodaNas/configuration.nix
  • In hieve.nix, set allowLocalDeployment to true for yodaNas and yodaHedgehog

This allowed me to connect with my servers via ssh, git clone this NixOS configuration, build and switch to it with colmena and git commit and git push any changes.

On my smartphone I was using a terminal emulator with ssh and GPG smartcard support.

Another approach would have been to run colmena directly on the phone.