2024-02-06 18:40:07 +01:00

nixos-anywhere and disko

This is an example repository for nixos-anywhere and disko.

Inspiration:

Manuals:

Build installer ISO with password-less SSH

In ./iso.nix, replace ./nitrokey.pub with your SSH public key.

sudo nix-channel --update

nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix
# aarch64 ISO (requires emulation)
#nix-build '<nixpkgs/nixos>' -A config.system.build.isoImage -I nixos-config=iso.nix --argstr system aarch64-linux

ls result/iso/*.iso

Hardware Configuration

Boot the target machine into the NixOS live ISO. Then execute the following, ideally while connected as root via SSH:

nixos-generate-config --no-filesystems --root /mnt
cat /mnt/etc/nixos/hardware-configuration.nix

Save the output to a new file in ./hardware-configs. In ./flake.nix replace ./hardware-configs/yodaHP.nix with it.

Note: The hardware configuration should not contain any fileSystems.<name> options as these are generated based on your disko configuration.


Furthermore, in ./flake.nix replace disko.devices.disk.disk1.device with the id of your target block device.


Additionally, adjust networking.hostName.


Lastly, in ./flake.nix replace pbkdf-memory with your amount of RAM minus 500 MB.


Optionally, if ssh-fde-unlock.nix is imported in ./flake.nix, replace boot.initrd.availableKernelModules with the kernel network driver in use.

Installation

To run the interactive VM test:

nix --extra-experimental-features nix-command --extra-experimental-features flakes \
  run github:numtide/nixos-anywhere -- -f '.#mysystem' --vm-test

To install on a remote target machine (if FDE is not configured):

nix --extra-experimental-features nix-command --extra-experimental-features flakes \
  run github:numtide/nixos-anywhere -- --flake '.#mysystem' -p 22 root@192.168.178.106

To install on a remote target machine (with or without FDE) and print the SSH fingerprint of the new system, run the install helper. If FDE is not set up, the disk password can be left empty when asked for it:

./install-helper.sh 22 root@192.168.178.106

Connect to installed system

FDE unlock:

ssh root@192.168.178.106

Once unlocked, connect with SSH. If the connection fails, double-check on your router whether the system was assigned another IP address.

ssh root@192.168.178.106

Updating dependencies

Recreate the lock file (i.e. update all inputs) and commit the new lock file:

nix --extra-experimental-features nix-command --extra-experimental-features flakes \
  flake update --commit-lock-file

TODOs

Appendix - LUKS Parameters

Warning: NixOS has a hardcoded timeout of 10 seconds when opening encrypted drives during boot. Please choose --iter-time <= 7500.
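
The script below is an added example, not part of this repository: it checks three values from the steps above before an install, namely that the hardware configuration has no fileSystems options, what RAM minus 500 MB comes to, and that --iter-time stays within 7500. The function names are hypothetical; it assumes pbkdf-memory is given in kB (the unit of cryptsetup's --pbkdf-memory) and treats 500 MB as 500 * 1024 kB.

```shell
#!/bin/sh
# Added example, not part of this repository. Function names are hypothetical.
# Assumptions: pbkdf-memory is given in kB (as cryptsetup's --pbkdf-memory),
# and "500 MB" is taken as 500 * 1024 kB.

# Print MemTotal minus 500 MB, in kB, from a /proc/meminfo-style file.
pbkdf_memory_kb() {
    awk '$1 == "MemTotal:" { total = $2 }
         END {
             if (total == "") exit 2         # no MemTotal line found
             if (total <= 512000) exit 3     # nothing left after reserving 500 MB
             print total - 512000
         }' "${1:-/proc/meminfo}"
}

# Succeed if the hardware config still sets fileSystems options, which the
# README says must be absent because disko generates them. Comments are ignored.
hwconfig_has_filesystems() {
    grep -Eq '^[[:space:]]*fileSystems([.[:space:]=]|$)' "$1"
}

# Succeed if an --iter-time value (milliseconds) is a number no larger than 7500.
iter_time_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 7500 ]
}

# Constructed sample inputs (not taken from a real machine).
tmp=$(mktemp -d)
printf 'MemTotal:       16384000 kB\nMemFree:         1234567 kB\n' > "$tmp/meminfo"
cat > "$tmp/clean.nix" <<'EOF'
{ config, lib, modulesPath, ... }:
{
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" ];
  # fileSystems."/" was removed; disko defines the mounts
}
EOF
cat > "$tmp/bad.nix" <<'EOF'
{
  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}
EOF

echo "pbkdf-memory: $(pbkdf_memory_kb "$tmp/meminfo")"
hwconfig_has_filesystems "$tmp/bad.nix" && echo "bad.nix: remove fileSystems options"
hwconfig_has_filesystems "$tmp/clean.nix" || echo "clean.nix: ok"
iter_time_ok 7500 && echo "iter-time 7500: ok"
```

On the live ISO, call pbkdf_memory_kb without an argument to read the target's own /proc/meminfo.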