diff --git a/README.md b/README.md
index f79ee6f..cba101d 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,29 @@ Secrets are stored in secrets/secrets.yaml. You can edit these secrets with `sop
 
 To decrypt these secrets with sops-nix during a rebuild, you must add your host public key to the `.sops.yaml` file. Generate it with `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age`, add it to the file, then run `sops updatekeys secrets/secrets.yaml`.
 
+# Provisioning A New Machine
+
+On the target system, boot into the NixOS installer and run:
+
+```bash
+# Create a password for the nixos user for SSH access.
+passwd
+
+# Start wpa_supplicant and connect to a wifi network.
+sudo systemctl start wpa_supplicant
+wpa_cli
+> add_network
+> set_network 0 ssid "SSID"
+> set_network 0 psk "password"
+> enable_network 0
+> quit
+
+# Get the IP address of the target system.
+ip addr
+```
+
+On the host machine, run the command `deploy --flake .# --target-host @` to build the new system configuration and copy it over SSH along with the sops age key and ssh keys.
+
 # Acknowledgements
 
 - https://www.youtube.com/watch?v=CwfKlX3rA6E for piquing my interest in this OS in the first place
diff --git a/configs/shell/scripts/default.nix b/configs/shell/scripts/default.nix
index 61c3289..253a820 100644
--- a/configs/shell/scripts/default.nix
+++ b/configs/shell/scripts/default.nix
@@ -11,6 +11,7 @@
 
 (pkgs.writeShellScriptBin "rebuild" (builtins.readFile ./rebuild.sh))
 (pkgs.writeShellScriptBin "byebye" (builtins.readFile ./byebye.sh))
+ (pkgs.writeShellScriptBin "deploy" (builtins.readFile ./deploy.sh))
 ];
 };
 }
diff --git a/configs/shell/scripts/deploy.sh b/configs/shell/scripts/deploy.sh
new file mode 100755
index 0000000..1aa7c5c
--- /dev/null
+++ b/configs/shell/scripts/deploy.sh
@@ -0,0 +1,43 @@
+# Set default values
+flake=".#default" # Default flake attribute if none is provided
+target_host="nixos@" # Default target host
+
+# Process command-line arguments
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --flake)
+ flake="$2"
+ shift # past argument
+ shift # past value
+ ;;
+ --target-host)
+ target_host="$2"
+ shift # past argument
+ shift # past value
+ ;;
+ *)
+ echo "Unknown option: $1" >&2
+ exit 1
+ ;;
+ esac
+done
+
+# Prepare temporary directory and copy necessary files
+root=$(mktemp -d)
+sudo mkdir -p ${root}/home/rafiq/.config/sops/age
+sudo cp ~/.config/sops/age/keys.txt "${root}/home/rafiq/.config/sops/age/keys.txt"
+sudo mkdir -p ${root}/home/rafiq/.ssh
+sudo cp ~/.ssh/id_ed25519 "${root}/home/rafiq/.ssh/id_ed25519"
+sudo cp ~/.ssh/id_ed25519.pub "${root}/home/rafiq/.ssh/id_ed25519.pub"
+
+# Run nixos-anywhere
+sudo nix run github:nix-community/nixos-anywhere -- \
+ --flake "${flake}" \
+ --target-host "${target_host}" \
+ --copy-host-keys \
+ --extra-files "${root}" \
+ --chown /home/rafiq/.config 1000:100 \
+ --chown /home/rafiq/.ssh 1000:100
+
+# Clean up the temporary directory
+sudo rm -rf "$root"
diff --git a/configs/users.nix b/configs/users.nix
index 33cc601..07d849f 100644
--- a/configs/users.nix
+++ b/configs/users.nix
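Review bot: The temporary directory that receives the private SSH key and the sops age key is only removed on the success path — if the `nix run github:nix-community/nixos-anywhere` step fails or the script is interrupted, the final `sudo rm -rf "$root"` never executes and both private keys remain under the mktemp directory, root-owned. Register the cleanup as soon as the directory exists with `trap 'sudo rm -rf "$root"' EXIT` right after `root=$(mktemp -d)`, and open the script with `set -euo pipefail` so a failed `cp` does not fall through to a deployment that ships an incomplete `--extra-files` tree. Separately, every host provisioned this way receives the operator's own `~/.ssh/id_ed25519` and age `keys.txt`, so all machines share one SSH identity and one secrets-decryption key; if that is intended, a comment saying so would help, otherwise deriving a per-host age key from the target's host key (the `ssh-to-age` flow the README already documents) limits what a single compromised machine can decrypt. The default `target_host="nixos@"` has no hostname, so running `deploy` without `--target-host` hands nixos-anywhere an unusable SSH target; treating an empty host as a usage error, e.g. `[[ -n "${target_host#*@}" ]] || { echo "usage: deploy --target-host user@host [--flake .#name]" >&2; exit 1; }`, fails faster and more clearly. Quoting `${root}` in the two `mkdir -p` calls would also match the quoting used everywhere else in the script.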
@@ -18,19 +18,27 @@
 time.timeZone = "Asia/Singapore";
 i18n.defaultLocale = "en_SG.UTF-8";
 
- users.mutableUsers = false; # Always reset users on system activation
+ users = {
+ mutableUsers = false; # Always reset users on system activation
 
- users.users.rafiq = {
- isNormalUser = true;
- description = "rafiq";
- hashedPasswordFile = config.sops.secrets.password.path;
- extraGroups = [
- "networkmanager"
- "wheel"
- ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"
- ];
+ groups.users = {
+ gid = 100;
+ members = [ "rafiq" ];
+ };
+
+ users.rafiq = {
+ isNormalUser = true;
+ description = "rafiq";
+ hashedPasswordFile = config.sops.secrets.password.path;
+ uid = 1000;
+ extraGroups = [
+ "networkmanager"
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"
+ ];
+ };
 };
 
 home-manager.users.rafiq.home = {
@@ -38,5 +46,4 @@
 homeDirectory = "/home/rafiq";
 stateVersion = "25.05";
 };
-
 }
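Review bot: The pinned `uid = 1000` and `groups.users.gid = 100` appear to exist so that the `--chown /home/rafiq/.config 1000:100` and `--chown /home/rafiq/.ssh 1000:100` arguments in `configs/shell/scripts/deploy.sh` resolve to this user, but nothing in the module records that, so a later change to either file silently breaks ownership of the deployed age and SSH keys; a comment on the `uid` line such as `# Pinned: deploy.sh chowns the copied key files to 1000:100 before first boot` (and the same on `gid`) keeps the coupling visible. If the `ssh-ed25519` key listed in `openssh.authorizedKeys.keys` is the public half of the `~/.ssh/id_ed25519` that deploy.sh copies onto each machine, every provisioned host ends up holding a private key that is authorized to log in as `rafiq` on every other host — worth stating explicitly in a comment if that is the intended trust model, or avoiding with per-host keys if it is not. The enclosing module attribute set begins before and ends after this hunk.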