This repository contains the Nix / NixOS configuration for all of my systems.

Setup

To use this repository as base configuration for your new machine running:

NixOS Linux

• Install NixOS
  • Hetzner dedicated from Linux Rescue system: https://github.com/serokell/nixos-install-scripts/pull/1#pullrequestreview-746593205
  • Digital Ocean: https://github.com/elitak/nixos-infect
  • X1 Carbon: https://srid.ca/x1c7-install
  • Windows (via WSL): https://github.com/nix-community/NixOS-WSL
• Clone this repo at /etc/nixos
• Edit flake.nix to use your system hostname in the nixosConfigurations set
• Edit users/config.nix to contain your users
• Run nix develop -c , activate. That's it. Re-open your terminal.

put secure boot in to setup mode, then boot your install media.

sudo systemctl start wpa_supplicant.service
sudo wpa_cli
> add_network
0
> set_network 0 ssid "net"
OK
> set_network 0 psk "pass"
OK
> set_network 0 key_mgmt WPA-PSK
OK
> enable_network 0
OK
#wait for it to connect
> quit
ip a #to get the ip address
passwd #set a password so you can ssh in

#ssh in with:
ssh -o "UpdateHostKeys=false" nixos@ip

# Create partitions, replace 32GiB with the desired swap size
sudo parted /dev/nvme0n1 -- mklabel gpt
sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
sudo parted /dev/nvme0n1 -- mkpart primary 512MiB 100%
sudo parted /dev/nvme0n1 -- set 1 esp on
sudo mkfs.vfat /dev/nvme0n1p1

nix-shell https://git.cleverthis.com/cleverthis/infrastructure/nixos-yubikey-luks-shell/-/archive/master/nixos-yubikey-luks-shell-master.tar.gz
#insert yubikey, replav=ce 2 with desired slot
#replace the access code below (all x) with actual 12 character long hex vale
# IMPORTANT! Before confirming save the values displayed on the screen so it can be recovered
ykpersonalize -2 -ochal-resp -ochal-hmac -ochal-btn-trig -a "h:xxxxxxxxxxxx"


# Type in desired password
read -s USER_PASSPHRASE

SALT_LENGTH=16
SALT="$(dd if=/dev/random bs=1 count=$SALT_LENGTH 2>/dev/null | rbtohex)"
CHALLENGE="$(echo -n $SALT | openssl dgst -binary -sha512 | rbtohex)"
RESPONSE=$(ykchalresp -2 -x $CHALLENGE 2>/dev/null)
KEY_LENGTH=512
ITERATIONS=1000000
LUKS_KEY="$(echo -n $USER_PASSPHRASE | pbkdf2-sha512 $(($KEY_LENGTH / 8)) $ITERATIONS $RESPONSE | rbtohex)"
CIPHER=aes-xts-plain64
HASH=sha512

echo -n "$LUKS_KEY" | hextorb > keyfile
sudo cryptsetup luksFormat -q --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-slot=1 --key-file=./keyfile /dev/nvme0n1p2
#Enter the master backup password when prompted
sudo cryptsetup luksAddKey --cipher="$CIPHER" --key-size="$KEY_LENGTH" --hash="$HASH" --key-slot=2 --key-file=./keyfile /dev/nvme0n1p2
rm keyfile

sudo mkdir /boot
sudo mount /dev/nvme0n1p1 /boot
sudo mkdir -p /boot/crypt-storage
sudo sh -c "echo -ne \"$SALT\n$ITERATIONS\" > /boot/crypt-storage/default"
sudo umount /boot
sudo rm -rf /boot

echo -n "$LUKS_KEY" | hextorb | sudo cryptsetup open /dev/nvme0n1p2 pv_main --key-file=-

sudo pvcreate /dev/mapper/pv_main
sudo vgcreate vg_main /dev/mapper/pv_main
#select swap size
sudo lvcreate -L 128G -n swap vg_main
sudo lvcreate -l 100%FREE -n root vg_main
sudo vgchange -ay

sudo mkswap -L swap /dev/mapper/vg_main-swap
sudo mkfs.btrfs -L root /dev/mapper/vg_main-root

sudo mount /dev/mapper/vg_main-root /mnt
cd /mnt
sudo btrfs subvolume create root
sudo btrfs subvolume create home
cd ~
sudo umount /mnt
sudo mount -o subvol=root /dev/mapper/vg_main-root /mnt
sudo mkdir /mnt/home
sudo mount -o subvol=home /dev/mapper/vg_main-root /mnt/home
sudo mkdir -p /mnt/boot/efi
sudo mount /dev/nvme0n1p1 /mnt/boot/efi
sudo swapon /dev/mapper/vg_main-swap

sudo nixos-generate-config --dir ~ --root /mnt
sudo mkdir /mnt/etc
cd /mnt/etc
sudo touch /mnt/crypto_keyfile.bin
nix-shell -p git

sudo git clone https://git.cleverthis.com/cleverthis/infrastructure/nixos-config /mnt/etc/nixos

At this point in /mnt/etc/nixos you want to create a config for the new machine under the config sub directory. Incorporate the hardware-configuration.nix file that was generated into the new setup. Add the new host in flake.nix. Make sure you commit to the repo so it detects new files.

Edit /mnt/etc/nixos/users/all_users.nix add the user, make sure you add a hashed password and any public ssh keys.

Make a myself config in users/myself/<username> and add this as an import in the config for the host.

To create a hashed password from plain text:

mkpasswd

Make the user's computer have a static ip in our dhcp server and then update the hosts file to add the new computer at /mnt/etc/nixos/pkgs/hardware/common/hosts/default.nix.

Change hostname to new hostname then install.

HOSTNAME="foo" sudo nixos-install -v --flake /mnt/etc/nixos#foo

bootloader installation will fail due to missing keys, fix it:

sudo nixos-enter --root /mnt
sbctl create-keys
NIXOS_INSTALL_BOOTLOADER=1 /nix/var/nix/profiles/system/bin/switch-to-configuration boot
exit

sudo systemctl reboot

once we're up in the new OS, we need to securing the boot process

sbctl enroll-keys --microsoft
#fix the immutable files
sbctl enroll-keys --microsoft (again)
sbctl verify #make sure its done

reboot to test that secureboot didn't mess anything up, then configure the BIOS as company policy.

More info on using yubikey to encrypt drives: https://github.com/sgillespie/nixos-yubikey-luks

To create pgp key for the user:

https://keys.openpgp.org/vks/v1/by-fingerprint/3C1EA4C0A376F880280D3C1B15ABBB20ED615997


To create pgp key for the user:
```bash
# Generate key
gpg --expert --full-gen-key

# execute tsign at the prompt and save when done, pick a depth of 1
gpg --expert --ask-cert-level --edit-key <user>@scentech-medical.com -u security@scentech-medical.com

# Sign both direction
gpg --expert --ask-cert-level -u <user>@scentech-medical.com --edit-key security@scentech-medical.com

#send both keys to key server, remember to verify your email
gpg --keyserver keys.openpgp.org --send-keys <New key fingerprint>
gpg --keyserver keys.openpgp.org --send-keys <Company key fingerprint>

Next add the users key as a proof to the DNS server's registry as a TXT record. The format should be <email username>.u.scentech-medical.com with the domain being left off. The value should be openpgp4fpr:<key fingerprint>

Next add it as a notation on the uid. Edit the key in gpg and select the uid with the uid command. Then use the notation command to add a notation. You then add a notation of the format proof@ariadne.id=dns:<email username>.u.scentech-medical.com?type=TXT.

Verify the proof shows on keyoxide: https://keyoxide.org/<fingerprint>

Architecture

Start from flake.nix (see Flakes). flake-parts is used as the module system.

Directory layout

• home: home-manager config (shared between Linux and macOS)
• nixos: nixos modules for Linux
• nix-darwin: nix-darwin modules for macOS
• users: user information
• secrets: sops-nix secrets (encrypted using ssh keys)
• systems: top-level configuration.nix('ish) for various systems

Important files

• home/default.nix: This defines all the packages/modules applied to all users in home-manager.
• hardware/common/users/main_user/default.nix: Sets up the main user for all systems. This is where the home-manager controlled packages that apply to all local main users can be defined. For per-user packages see below.
• hardware/common/users/admin_user/default.nix: Sets up the admin user for all systems. This is where the home-manager controlled packages that apply to the remote admin user can be defined. For per-user packages see below.
• hardware/common/core_packages/default.nix: Installs core packages required on a minimal system. This is typically utilities that dont require configuration.
• hardware/systems/*/default.nix: Configuration for specific machines. This is where you define hardware-specific needs that apply to a specific computer.
• nixos/default.nix: System-wide imports are defined here. This is where packages installed system wide should be defined that apply to all systems.
• nixos/hosts/default.nix: This is the shared hosts file, every machine in the company should have an entry here and dhcp should be configured to give a static ip.
• users/all_users.json: This file defines all users across the whole company as well as their ssh-keys and other important information.
• users/myself/: Each user that owns a physical machine should have a directory here, this is then included in the flake.nix file for each host. This is how the host knows who the main user for a computer is.
• users/myself/*/packages/default.nix: This is where user specific packages, under home-manager, are defined.
• flake.nix: The root configuration where everything starts. There is an entry for each physical computer here (keyed by hostname). You can also define machine-specific imports here, particularly if they arent specific to the hardware.

Tips

• Run , in nix develop shell (tip: direnv is better) to see available scripts.
  • (, is provided by the mission-control module)
• To update NixOS (and other inputs) run nix flake update
  • You may also update a subset of inputs, e.g.

    nix flake lock --update-input nixpkgs --update-input darwin --update-input home-manager
    # Also, in the dev shell: , update-primary
    

• To free up disk space,

  sudo nix-env -p /nix/var/nix/profiles/system --delete-generations +2
  sudo nixos-rebuild boot
  

• To autoformat the project tree using nixpkgs-fmt, run nix fmt.