starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-04-18 15:09:48 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

docs: deploy on a new machine

Browse Source
This commit is contained in:
Ryan Yin
2024-02-01 00:29:49 +08:00
parent 3f505194b5
commit 1126e8c6a7
4 changed files with 30 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -47,7 +47,7 @@ As for Flakes, refer to [Introduction to Flakes - NixOS & Nix Flakes Book](https
| **Text Editor** | [Neovim][Neovim] + [DoomEmacs][DoomEmacs] | [Neovim][Neovim] + [DoomEmacs][DoomEmacs] |
| **Fonts** | [Nerd fonts][Nerd fonts] | [Nerd fonts][Nerd fonts] |
| **Image Viewer** | [imv][imv] | [imv][imv] |
| **Screenshot Software** | [grim][grim] | [flameshot](https://github.com/flameshot-org/flameshot) |
| **Screenshot Software** | [flameshot][flameshot] + [grim][grim] | [flameshot][flameshot] |
| **Screen Recording** | [OBS][OBS] | [OBS][OBS] |
| **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] crypted partition for persistent, unlock via passphrase |
| **Secure Boot** | [lanzaboote][lanzaboote] | [lanzaboote][lanzaboote] |
@@ -203,6 +203,7 @@ Other dotfiles that inspired me:
[DoomEmacs]: https://github.com/doomemacs/doomemacs
[flameshot]: https://github.com/flameshot-org/flameshot
[grim]: https://github.com/emersion/grim
[flameshot]: https://github.com/flameshot-org/flameshot
[imv]: https://sr.ht/~exec64/imv/
[OBS]: https://obsproject.com
[Mako]: https://github.com/emersion/mako

18
nixos-installer/README.md
View File

@@ -244,14 +244,23 @@ And then reboot.
## Deploying the main flake's NixOS configuration
After rebooting, we can deploy the main flake's NixOS configuration by running:
After rebooting, we need to generate a new SSH key for the new machine, and add it to GitHub, so that the new machine can pull my private secrets repo:
```bash
# 1. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private git repositories.
ssh-add ~/.ssh/xxx
# 1. Generate a new SSH key with a strong passphrase
ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/idols_ai
# 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo.
ssh-add ~/.ssh/idols_ai
```
Then follow the instructions in [../secrets/README.md](../secrets/README.md) to rekey all my secrets with the new host's system-level SSH key(`/etc/ssh/ssh_host_ed25519_key`),
so that agenix can decrypt them automatically on the new host when I deploy my NixOS configuration.
After all these steps, we can finally deploy the main flake's NixOS configuration by:
```bash
sudo mv /etc/nixos ~/nix-config
chown -R ryan:ryan ~/nix-config
sudo chown -R ryan:ryan ~/nix-config
cd ~/nix-config
@@ -262,7 +271,6 @@ just hypr
Finally, to enable secure boot, follow the instructions in [lanzaboote - Quick Start](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) and [nix-config/ai/secure-boot.nix](https://github.com/ryan4yin/nix-config/blob/main/hosts/idols_ai/secureboot.nix)
## Change LUKS2's passphrase
```bash

19
nixos-installer/README.shoukei.md
View File

@@ -224,18 +224,27 @@ And then reboot.
## Deploying the main flake's NixOS configuration
After rebooting, we can deploy the main flake's NixOS configuration by running:
After rebooting, we need to generate a new SSH key for the new machine, and add it to GitHub, so that the new machine can pull my private secrets repo:
```bash
# 1. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private git repositories.
ssh-add ~/.ssh/xxx
# 1. Generate a new SSH key with a strong passphrase
ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/shoukei
# 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo.
ssh-add ~/.ssh/shoukei
```
Then follow the instructions in [../secrets/README.md](../secrets/README.md) to rekey all my secrets with the new host's system-level SSH key(`/etc/ssh/ssh_host_ed25519_key`),
so that agenix can decrypt them automatically on the new host when I deploy my NixOS configuration.
After all these steps, we can finally deploy the main flake's NixOS configuration by:
```bash
sudo mv /etc/nixos ~/nix-config
chown -R ryan:ryan ~/nix-config
sudo chown -R ryan:ryan ~/nix-config
cd ~/nix-config
# deploy the configuration
# deploy the configuration via Justfile
just s-hypr
```

2
secrets/README.md
View File

@@ -151,7 +151,7 @@ It will then symlink the secrets to the path defined by the `age.secrets.<name>.
## Adding a new host
1. `cat` the public key of the new host, send it to an old host.
1. `cat` the sytem-level public key(`/etc/ssh/ssh_host_ed25519_key`) of the new host, and send it to an old host which has already been configured.
2. On the old host:
1. Add the public key to `secrets.nix`, and rekey all the secrets via `sudo agenix -r -i /etc/ssh/ssh_host_ed25519_key`.
2. Commit and push the changes to `nix-secrets`.