nix-config

NixOS flake configuration for all my machines. These instructions assume that just is installed. If not, inspect the justfile and run the underlying commands directly.

Machines

Host	Role	Arch
phinix	Workstation	x86_64-linux
sol	AMD AI NUC	x86_64-linux
fenrix	Lenovo laptop	x86_64-linux
ygdrasil	NAS server	x86_64-linux
idun	VM (config dev)	x86_64-linux
heimdall	Raspberry Pi	aarch64-linux

Build images

just build <my-image>

Available images:

• iso: minimal x86_64 installer image (contains this repository)
• rpi: minimal NixOS image for Raspberry Pi SD cards

A symlink ./result/ will appear pointing to the built image.

For cross-platform (e.g. Raspberry Pi) builds, enable system emulation on the build host:

boot.binfmt.emulatedSystems = ["aarch64-linux"];

Flash to a USB stick:

just flash /dev/sdX

Flash to an SD card:

just flash-sd /dev/sdX

Fresh install from ISO

Overview

The ISO contains no secret keys. All sensitive keys (AGE decryption key, SSH key registered with GitHub) must be copied onto the booted ISO session from a trusted machine before running the installer.

The full flow is:

1. Build and flash the ISO
2. Boot the target machine from the USB
3. From a trusted host, push keys onto the ISO session
4. Run the installer (via SSH or directly on the machine)

Boot the ISO

Boot the target machine from the flashed USB. The ISO starts an SSH server automatically. Root login is permitted and authorized keys from existing machines are already embedded.

Find the machine’s IP (with e.g. ip -c a) and verify access:

ssh root@<target-ip>

Keys from a trusted host

The following commands are run from a trusted machine (e.g. phinix or sol), not from inside the ISO session.

Push the AGE decryption key so that sops-nix can decrypt secrets.yaml during install:

just send-age-keys <target-ip>

Push the SSH key registered with GitHub so that Nix can fetch private flake inputs (e.g. phd-wallpapers) during install:

just send-ssh-keys <target-ip>

Run the installer

SSH into the ISO session:

ssh root@<target-ip>

The repository should already be present at /home/nixos/nix-config. If not, clone it:

git clone https://github.com/phdenzel/nix-config.git

Run the installer:

cd nix-config
nix-shell -p just
just install <machine>

This command will:

1. Run disko to partition and format the disk (if not already done; caution: wipes all disks)
2. Generate hardware-configuration.nix
3. Copy the repository and AGE keys into /mnt/root/
4. Run nixos-install

Register the new host with sops (post-install)

After first boot on the newly installed machine, derive its AGE key from the host SSH key and add it to .sops.yaml:

just host-age-key <machine>

Then re-encrypt all secrets files so the new host can decrypt them:

just update-secrets

Apply the configuration with the re-encrypted secrets:

just rbs <machine>

Without this step, any sops secret declared in the host configuration will fail to decrypt on the new machine.

Rebuild an existing NixOS installation

Log in and pull the latest configuration:

cd nix-config
git pull

Rebuild and switch:

just rbs <machine>

Or equivalently:

sudo nixos-rebuild switch --flake .#<machine>

Secrets management

Secrets are managed with sops-nix using AGE encryption.

Each host decrypts secrets using its own host SSH key (/etc/ssh/ssh_host_ed25519_key). The corresponding AGE public key for each host must be listed in .sops.yaml under hosts, and all secrets files must be re-encrypted whenever hosts are added or removed.

The personal AGE key lives at ~~/.config/sops/age/keys.txt~ and is the key used during development to edit secrets directly with sops.

To add a new secret key to a host configuration, declare it in the host’s sops-host block:

sops-host = {
  enable = true;
  keys = [ "my-service/some-key" ];
};

Without this declaration, config.sops.secrets."my-service/some-key".path will be an error at evaluation time even if the key exists in secrets.yaml.

To edit secrets interactively:

sops hosts/secrets.yaml
sops home/phdenzel/secrets.yaml