This config is intended for my own use and won't work for you out of the box. Feel free to use as inspiration ✨
- Add a nixosConfiguration for the new machine and set up secrets.
- Boot into the Nix minimal installer on the target machine and set a password for the installer user so we can ssh to it:

```sh
passwd
```

- Add a Disko config for the new machine.
- Generate a hardware-configuration for the target machine.
```sh
# On target machine
nixos-generate-config --no-filesystems --show-hardware-config
```
- Set up disk encryption (optional, see the keyfile section below).
- Format and install the system with nixos-anywhere.

```sh
# On source machine
nix run github:nix-community/nixos-anywhere -- \
  --disk-encryption-keys /dev/disk/by-partlabel/CRYPTKEY "$KEYPATH" \
  --flake .#<nixosConfiguration> nixos@<ip>
```
This section generates a disk encryption key and writes it to a regular flash drive, which is then used to unlock the disk at boot.

Q. Why a regular flash drive?

A. I don't have a YubiKey :(
- Generate and back up the keyfile.

```sh
# On source machine
KEYPATH=$(mktemp)
dd bs=1024 count=4 if=/dev/random of="$KEYPATH" iflag=fullblock
chmod 0400 "$KEYPATH"
```
- Write the keyfile to a flash drive. Simply plug it in and run:

```sh
# On source machine
./utils/create_keypart.sh "$KEYPATH"
```
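The two steps above have no check that the key actually came out right, and a short or empty keyfile is only discovered when the disk refuses to unlock. The script below is an added example (not part of this repo): it generates the key the same way as above, then verifies size, mode and that the content is not all zero bytes, and compares a copy (for instance the one written to the flash drive) against the original. It assumes GNU `dd` (for `iflag=fullblock`) and, for the partition comparison, that `create_keypart.sh` writes the key raw at the start of the `CRYPTKEY` partition, which is an assumption rather than something this README states.

```shell
#!/usr/bin/env sh
# Added example: generate and verify the LUKS keyfile before it is written to
# the flash drive or handed to nixos-anywhere. Assumes GNU dd; the rest is POSIX.
set -eu

KEY_BYTES=4096   # bs=1024 count=4, as in the README

# gen_keyfile PATH: create a 4096-byte random keyfile readable only by its owner.
gen_keyfile() {
  path=$1
  # umask 077 so the file is never group/world readable, even before chmod runs
  (umask 077 && dd bs=1024 count=4 if=/dev/random of="$path" iflag=fullblock 2>/dev/null)
  chmod 0400 "$path"
}

# check_keyfile PATH: succeed only if the keyfile has the expected size, is mode
# 0400, and is not all zero bytes (a failed dd can leave a short or empty file).
check_keyfile() {
  path=$1
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  size=$(wc -c < "$path")
  [ "$size" -eq "$KEY_BYTES" ] || { echo "bad size $size (want $KEY_BYTES)" >&2; return 1; }
  # POSIX find -perm with a bare octal mode means an exact permission match
  [ -n "$(find "$path" -perm 0400)" ] || { echo "mode of $path is not 0400" >&2; return 1; }
  # count the non-zero bytes; a real 4 KiB random block is never all zeros
  nonzero=$(tr -d '\000' < "$path" | wc -c)
  [ "$nonzero" -gt 0 ] || { echo "keyfile is all zero bytes" >&2; return 1; }
  return 0
}

# verify_copy KEY DST: confirm the first KEY_BYTES of DST (a backup file or the
# CRYPTKEY partition, assuming the key is written raw at offset 0) equal KEY.
verify_copy() {
  dd if="$2" bs=1024 count=4 2>/dev/null | cmp -s - "$1"
}

# Usage, mirroring the README flow (the partition path is the README's own):
#   KEYPATH=$(mktemp)
#   gen_keyfile "$KEYPATH" && check_keyfile "$KEYPATH"
#   ./utils/create_keypart.sh "$KEYPATH"
#   verify_copy "$KEYPATH" /dev/disk/by-partlabel/CRYPTKEY || echo "flash copy differs" >&2
```

Run `check_keyfile` before `create_keypart.sh` and `verify_copy` after it; both return non-zero on any mismatch so they can gate the nixos-anywhere step in a larger script.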
⚠️ Back up the LUKS header(s) after installation!

```sh
# On target machine
sudo cryptsetup luksHeaderBackup --header-backup-file ./"$(hostname)".luksheader <crypt-partition>
```
- Run the devshell

```sh
nix develop
```

- Apply the configuration

```sh
deploy .#<deployNode>
```
- Generate an SSH keypair, or use the system host keys if OpenSSH is enabled.

```sh
ssh-keygen -t ed25519
```

- Add secrets

```sh
nix run github:ryantm/agenix -- -e secret.age
```
⚠️ To add a user password, use the SHA-512 hash printed by:

```sh
mkpasswd -m sha-512
```
We can use vmWithDisko to build a VM that uses the Disko config to format and create the filesystems.

```sh
nix run -L '.#nixosConfigurations.kanan.config.system.build.vmWithDisko'
```