Secrets should never be world-readable, even to users who are logged in to one of the hosts managed by this configuration. These are generally managed by agenix, allowing them to still be put in the nix store.
-
Add a shell to the devShells output in
flake.nix. -
Execute
use_flake /path/to/repo#name-of-shell > .envrcto initialize the.envrcfile. -
Execute
direnv allowto load the.envrcfile which in turn loads your environment.
-
Create three partitions:
- Boot
- Swap
- ZFS
For example:
sgdisk -n 0:0:+512MiB -t 0:EF00 -c 0:boot $DISK sgdisk -n 0:0:+32GiB -t 0:8200 -c 0:swap $DISK sgdisk -n 0:0:0 -t 0:BF01 -c 0:ZFS $DISK
-
Configure swap and boot as usual.
-
Create ZPool:
zpool create -O mountpoint=none -O encryption=aes-256-gcm -O keyformat=passphrase rpool $ZFS_PARTLeave out
-O encryption=aes-256-gcm -O keyformat=passphraseif you don't want to fully encrypt the ZFS partition. -
Create datasets:
zfs create -o mountpoint=legacy rpool/local/root zfs snapshot rpool/local/root@blank zfs create -o mountpoint=legacy rpool/local/nix zfs set compression=lz4 rpool/local/nix zfs create -o mountpoint=legacy rpool/local/cache zfs set compression=lz4 rpool/local/cache zfs create -o mountpoint=legacy rpool/safe/data zfs set compression=lz4 rpool/local/data
-
Mount datasets:
mount -t zfs rpool/local/root /mnt mkdir /mnt/nix mount -t zfs rpool/local/nix /mnt/nix mkdir /mnt/boot mount $BOOT_PART /mnt/boot mkdir /mnt/cache mount -t zfs rpool/local/cache /mnt/cache mkdir /mnt/data mount -t zfs rpool/safe/data /mnt/data -
Configure Host ID
Set
networking.hostidin the nixos config tohead -c 8 /etc/machine-id.