starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-04-25 10:18:37 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

feat: remove x86_64-darwin, add new nixos host on macbook pro m2

Browse Source
This commit is contained in:
Ryan Yin
2025-07-12 16:51:48 +08:00
parent 77a792710a
commit db82d2d8c5
38 changed files with 308 additions and 387 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixos-installer/.gitignore vendored
View File

@@ -1,2 +1,2 @@
# generate lock file every time
# ignore flake.lock here, generate a new one every time install a new host
flake.lock

196
nixos-installer/README.shoukei.md
View File

@@ -4,67 +4,118 @@
> machine :exclamation: Please write your own configuration from scratch, and use my configuration
> and documentation for reference only.**
> https://wiki.t2linux.org/distributions/nixos/installation/
> https://github.com/NixOS/nixos-hardware/tree/master/apple/t2
This flake prepares a Nix environment for setting my desktop
[/hosts/12kingdoms_shoukei](/hosts/12kingdoms_shoukei)(in main flake) up on a new machine.
[/hosts/12kingdoms-shoukei](/hosts/12kingdoms-shoukei)(in main flake) up on a new machine.
## Steps to Deploying
First, create a USB install medium from Apple T2's NixOS installer image:
https://github.com/t2linux/nixos-t2-iso.git
### 1. Prepare & boot into the nixos installer
### 2. Connecting to the Internet
Just follow this Guide:
1. configure wifi: <https://wiki.t2linux.org/guides/wifi-bluetooth/#on-macos>
2. copy wifi firmware to the NixOS installer:
- https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md
### 2. Connect to WiFi & SSH
If you have another machine, configure the new host through a SSH connection will be much
comfortable than using the raw terminal of the nixos installer. So after booting into the nixos
installer, let's configure WiFi in the installer using `iwctl` first:
> This is copied from
> <https://github.com/nix-community/nixos-apple-silicon/blob/main/docs/uefi-standalone.md#nixos-installation>
```bash
sudo mkdir -p /lib
sudo tar -axvf ../hosts/12kingdoms_shoukei/brcm-firmware/firmware.tar.gz -C /lib/
sudo modprobe -r brcmfmac && sudo modprobe brcmfmac
# check whether the wifi firmware is loaded
dmesg | tail
# now start wpa_supplicant
sudo systemctl start wpa_supplicant
nixos# iwctl
NetworkConfigurationEnabled: enabled
StateDirectory: /var/lib/iwd
Version: 2.4
[iwd]# station wlan0 scan
[iwd]# station wlan0 connect <SSID>
Type the network passphrase for <SSID> psk.
Passphrase: <your passphrase>
[iwd]# station wlan0 show
[...]
[iwd] exit
```
connect to wifi via `wpa_cli`:
And then set a password for the `root` user:
```bash
wpa_cli -i wlan0
> scan
> scan_results
# add a new network, this command returns a network ID, which is 0 in this case.
> add_network
# associate the network with the network ID we just got
# NOTE: the quotes are required!
> set_network 0 ssid "<wifi_name>"
# for a WPA2 network, set the passphrase
# NOTE: the quotes are required!
> set_network 0 psk "xxx"
# enable the network
> enable_network 0
# save the configuration file
> save_config
# show the status
> status
# Switch to root
[nixos@nixos:~]$ sudo su
# Change the password
[root@nixos:~]# passwd
New password:
Retype new password:
passwd: password updated successfully
# Get the IP address
[root@nixos:~]# ip addr show wlan0
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 9c:3e:53:6e:ef:8d brd ff:ff:ff:ff:ff:ff
inet 192.168.5.13/24 brd 192.168.5.255 scope global dynamic noprefixroute wlan0
# Change default router(if need)
ip route del default via 192.168.5.1
ip route add default via 192.168.5.178
```
### 2. Encrypting with LUKS(everything except ESP)
The nixos installer has sshd service enabled by default, so we can now connect to it via ssh
directly.
### 3. Encrypting with LUKS(everything except ESP)
Disk layout before installation:
1. `/dev/nvme0n1p1`: EFI system partition, 300MB, contains macOS's bootloader.
2. `/dev/nvme0n1p2`: macOS's root partition.
3. `/dev/nvme0n1p3`: transfer area, 10GB, used to transfer files between macOS and NixOS.
4. `/dev/nvme0n1p4`: Empty partition, used to install NixOS.
```bash
[root@nixos:~]# sudo parted /dev/nvme0n1 print free
Model: APPLE SSD AP0256Z (nvme)
Disk /dev/nvme0n1: 251GB
Sector size (logical/physical): 4096B/4096B
Partition Table: gpt
Disk Flags:
Now let's recreate the 4th partition via `fdisk`, and then encrypting the root partition:
Number Start End Size File system Name Flags
1 24.6kB 524MB 524MB iBootSystemContainer
2 524MB 66.2GB 65.7GB
3 66.2GB 68.7GB 2500MB
4 68.7GB 69.2GB 500MB fat32 boot, esp
69.2GB 246GB 176GB Free Space
5 246GB 251GB 5369MB RecoveryOSContainer
```
1. `/dev/nvme0n1p1`: "iBootSystemContainer" - system-wide boot data
2. `/dev/nvme0n1p2`: macOS's root partition.
3. `/dev/nvme0n1p4`: The EFI partition for NixOS.
4. `/dev/nvme0n1p5`: "RecoveryOSContainer" - System RecoveryOS
Now let's recreate the root partition via `sgdisk`:
```bash
# Create the root partition to fill up the free space
# --new=partnum:start:end - 0 means calculate it automatically
[root@nixos:~]# sgdisk /dev/nvme0n1 --new=0:0:0 --change-name=0:"NixOS rootfs"
The operation has completed successfully.
[root@nixos:~]# sudo parted /dev/nvme0n1 print free
Model: APPLE SSD AP0256Z (nvme)
Disk /dev/nvme0n1: 251GB
Sector size (logical/physical): 4096B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 24.6kB 524MB 524MB iBootSystemContainer
2 524MB 66.2GB 65.7GB
3 66.2GB 68.7GB 2500MB
4 68.7GB 69.2GB 500MB fat32 boot, esp
6 69.2GB 246GB 176GB NixOS rootfs
5 246GB 251GB 5369MB RecoveryOSContainer
```
And then encrypting the new partition via LUKS:
```bash
lsblk
@@ -73,13 +124,13 @@ cryptsetup --help
# NOTE: `cat shoukei.md | grep luks > format.sh` to generate this script
# encrypt the root partition with luks2 and argon2id, will prompt for a passphrase, which will be used to unlock the partition.
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 256 --pbkdf argon2id --use-random --verify-passphrase /dev/nvme0n1p4
cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 256 --pbkdf argon2id --use-random --verify-passphrase /dev/nvme0n1p6
# show status
cryptsetup luksDump /dev/nvme0n1p4
cryptsetup luksDump /dev/nvme0n1p6
# open(unlock) the device with the passphrase you just set
cryptsetup luksOpen /dev/nvme0n1p4 crypted-nixos
cryptsetup luksOpen /dev/nvme0n1p6 crypted-nixos
# show disk status
lsblk
@@ -88,9 +139,13 @@ lsblk
Formatting the root partition:
```bash
# If btrfs is not included in the liveos, run this before formatting
nix-shell -p btrfs-progs
# NOTE: `cat shoukei.md | egrep "create-btrfs" > create-btrfs.sh` to generate this script
# format the root partition with btrfs and label it
mkfs.btrfs -L crypted-nixos /dev/mapper/crypted-nixos # create-btrfs
# set sectorsize to match the CPU page size
mkfs.btrfs --sectorsize 16384 -L crypted-nixos /dev/mapper/crypted-nixos # create-btrfs
# mount the root partition and create subvolumes
mount /dev/mapper/crypted-nixos /mnt # create-btrfs
btrfs subvolume create /mnt/@nix # create-btrfs
@@ -114,12 +169,13 @@ mount -o compress-force=zstd:1,subvol=@tmp /dev/mapper/crypted-nixos /mnt/tmp
mount -o subvol=@swap /dev/mapper/crypted-nixos /mnt/swap # mount-1
mount -o compress-force=zstd:1,noatime,subvol=@persistent /dev/mapper/crypted-nixos /mnt/persistent # mount-1
mount -o compress-force=zstd:1,noatime,subvol=@snapshots /dev/mapper/crypted-nixos /mnt/snapshots # mount-1
mount /dev/nvme0n1p1 /mnt/boot # mount-1
mount /dev/nvme0n1p4 /mnt/boot # mount-1
# create a swapfile on btrfs file system
# This command will disable CoW / compression on the swap subvolume and then create a swapfile.
# because the linux kernel requires that swapfile must not be compressed or have copy-on-write(CoW) enabled.
btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile # mount-1
btrfs filesystem mkswapfile --size 16g --uuid clear /mnt/swap/swapfile # mount-1
# check whether the swap subvolume has CoW disabled
# the output of `lsattr` for the swap subvolume should be:
@@ -128,27 +184,37 @@ btrfs filesystem mkswapfile --size 96g --uuid clear /mnt/swap/swapfile # mount-
lsattr /mnt/swap
# mount the swapfile as swap area
swapon /mnt/swap/swapfile # mount-1
swapon /mnt/swap/swapfile --fixpgsz # mount-1
```
Now, the disk status should be:
```bash
# show disk status
$ lsblk
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:2 0 600M 0 part /mnt/boot
└─nvme0n1p4 259:3 0 1.8T 0 part
└─crypted-nixos 254:0 0 1.8T 0 crypt /mnt/swap
[nix-shell:~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 302.1M 1 loop /nix/.ro-store
sda 8:0 1 0B 0 disk
sdb 8:16 1 58.2G 0 disk /iso
nvme0n1 259:0 0 233.8G 0 disk
├─nvme0n1p1 259:1 0 500M 0 part
├─nvme0n1p2 259:2 0 61.2G 0 part
├─nvme0n1p3 259:3 0 2.3G 0 part
├─nvme0n1p4 259:4 0 477M 0 part /mnt/boot
├─nvme0n1p5 259:5 0 5G 0 part
└─nvme0n1p6 259:14 0 164.3G 0 part
└─crypted-nixos 252:0 0 164.3G 0 crypt /mnt/snapshots
/mnt/persistent
/mnt/snapshots
/mnt/nix
/mnt/swap
/mnt/tmp
/mnt/nix
nvme0n2 259:6 0 3M 0 disk
nvme0n3 259:7 0 128M 0 disk
# show swap status
$ swapon -s
Filename Type Size Used Priority
/swap/swapfile file 100663292 0 -2
[nix-shell:~]# swapon -s
Filename Type Size Used Priority
/mnt/swap/swapfile file 16777200 0 -2
```
### 3. Generating the NixOS Configuration and Installing NixOS
@@ -157,7 +223,7 @@ Clone this repository:
```bash
# enter an shell with git/vim/ssh-agent/gnumake available
nix-shell -p git vim gnumake
nix-shell -p git neovim just --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store"
# clone this repository
git clone https://github.com/ryan4yin/nix-config.git
@@ -171,13 +237,13 @@ nixos-generate-config --root /mnt
# we need to update our filesystem configs in old hardware-configuration.nix according to the generated one.
cp /etc/nixos/hardware-configuration.nix ./nix-config/hosts/12kingdoms_shoukei/hardware-configuration-new.nix
vim .
vim ./nix-config
```
Then, Install NixOS:
```bash
cd ~/nix-config/hosts/12kingdoms_shoukei/nixos-installer/
cd ~/nix-config/nixos-installer/
# run this command if you're retrying to run nixos-install
rm -rf /mnt/etc
@@ -188,7 +254,7 @@ nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --ve
# if you want to use a cache mirror, run this command instead
# replace the mirror url with your own
nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirror.ustc.edu.cn/nix-channels/store" # install-2
nixos-install --root /mnt --flake .#shoukei --no-root-password --show-trace --verbose --option substituters "https://mirrors.ustc.edu.cn/nix-channels/store" # install-2
# enter into the installed system, check password & users
# `su ryan` => `sudo -i` => enter ryan's password => successfully login
@@ -235,7 +301,7 @@ that the new machine can pull my private secrets repo:
```bash
# 1. Generate a new SSH key with a strong passphrase
ssh-keygen -t ed25519 -a 256 -C "ryan@idols-ai" -f ~/.ssh/shoukei
ssh-keygen -t ed25519 -a 256 -C "ryan@shoukei" -f ~/.ssh/shoukei
# 2. Add the ssh key to the ssh-agent, so that nixos-rebuild can use it to pull my private secrets repo.
ssh-add ~/.ssh/shoukei
```

3
nixos-installer/configuration.nix
View File

@@ -16,7 +16,6 @@
networking = {
# configures the network interface(include wireless) via `nmcli` & `nmtui`
networkmanager.enable = true;
defaultGateway = "192.168.5.101";
};
system.stateVersion = "25.05";
system.stateVersion = "25.11";
}

30
nixos-installer/flake.nix
View File

@@ -4,25 +4,23 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
preservation.url = "github:nix-community/preservation";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nuenv.url = "github:DeterminateSystems/nuenv";
};
outputs = inputs @ {
nixpkgs,
nixos-hardware,
nuenv,
...
}: {
outputs = inputs @ {nixpkgs, ...}: let
inherit (inputs.nixpkgs) lib;
mylib = import ../lib {inherit lib;};
myvars = import ../vars {inherit lib;};
in {
nixosConfigurations = {
ai = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs =
inputs
// {
myvars.username = "ryan";
myvars.userfullname = "Ryan Yin";
inherit mylib myvars;
};
modules = [
{networking.hostName = "ai";}
@@ -39,22 +37,14 @@
};
shoukei = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
system = "aarch64-linux";
specialArgs =
inputs
// {
myvars.username = "ryan";
myvars.userfullname = "Ryan Yin";
inherit mylib myvars;
};
modules = [
# Building on a USB installer is buggy, lack of disk space, memory, trublesome to setup substituteers, etc.
# so we disable apple-t2 module here to avoid build kernel during the initial installation, and enable it after the first boot.
# nixos-hardware.nixosModules.apple-t2
({pkgs, ...}: {
networking.hostName = "shoukei";
boot.kernelPackages = pkgs.linuxPackages_latest; # Use latest kernel for the initial installation.
# hardware.apple-t2.enableAppleSetOsLoader = true;
})
{networking.hostName = "shoukei";}
./configuration.nix