sector1209/nix-config

nixos-configs

IaC for my NixOS machines. So many hours.

Structure

.
├── flakeHelpers.nix    <-- Function to assemble flake.nix (generic module imports)
├── flake.lock          <-- Lock file with hashed flake inputs
├── flake.nix           <-- Flake with per-host module imports
├── homeManagerRoles    <-- Custom modules for configuring home-manager
│   ├── default.nix
│   ├── home.nix
│   ├── programs
│   │   └── git.nix
│   ├── sops.nix
│   ├── template.nix
│   └── users
│       ├── dan.nix
│       └── deploy.nix
├── hosts
│   ├── example
│   │   ├── configuration.nix
│   │   └── hardware-configuration.nix
│   └── template.nix
├── nixosRoles          <-- Custom modules for configuring NixOS
│   ├── default.nix
│   ├── options         <-- More complex custom modules
│   │   └── example.nix
│   ├── services        <-- Modules that configure services (generally)
│   │   └── example.nix
│   ├── system          <-- Modules that configure the system (generally)
│   │   └── example.nix
│   └── template.nix
├── packages            <-- Overlays and custom packages
│   ├── default.nix
│   ├── examplePatchedPackage
│   │   ├── default.nix
│   │   └── examplePatch.patch
│   └── exampleCustomPackage
│       ├── default.nix
│       └── customPackage.sh
├── README.md
└── scripts             <-- Custom scripts
    └── exampleScript.sh

Deployment (NixOS)

If using Proxmox

Generate a generic VM/CT image and copy it to the Proxmox host

sudo nixos-generate -f proxmox --flake .#[generic-vm|generic-ct]
sudo cp <iso path> /mnt/nixos-vma-builds/

For a VM

On Proxmox, restore the generated .vma image as a new VM

qmrestore /mnt/bindmounts/nixos-vma-builds/<BUILT IMAGE>.vma.zst <VMID> --unique true

  • NB: '--unique true' generates a MAC address for net0 instead of the default 00:00:00:00:00:00.

For an LXC container

!! add container instructions !!

Universal

Configure the host and deploy its secret keys with the nixos-anywhere script

./nixos-anywhere-script.sh <NIXOS CONFIG HOST> <TARGET HOST> <EXTRA SSH OPTS>

Rebuilding (Updating)

Local host

rebuild [-u | --update]

Remote host

Single

rebuild-remote one <HOST>

Multiple

rebuild-remote many [ -i | --ignore <HOSTS> ]

Inspiration

Todo:

  • Add failure (and success?) notifications to borgbackup jobs. Probably easiest done using a .postHook bash script and the gotify command line client
  • Put user passwords into sops secrets management
  • Make options.roles.myBorgbackup.paths a list rather than a string
  • Look into replacing sops.age.keyfile with sops.age.sshKeyPaths for easier remote secrets deployment
    • Maybe use keyfile for build time secrets (adds priv ssh key to remote build) and ssh/age keys for runtime secrets (this might not work)
  • Finish database backup situation for nextcloud
  • Add a secure user for remote deployments
  • Add a modulesHelper.nix so you can just whack all the custom modules enabled by default in a list (could do a similar thing with the imports)
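As an added example (not a file from this repository), the following NixOS module sketches the two sops-nix items above together: the host's SSH ed25519 key doubles as the age decryption key via sops.age.sshKeyPaths, so no separate keyfile has to be copied to a remote machine, and a user's password hash is read from a sops secret instead of being written into the config. The host name, the secrets file path and the secret name are placeholders; it assumes sops-nix is already imported in the flake.

```nix
# Added example module; not part of the sector1209/nix-config repository.
# Assumptions: sops-nix is imported by the flake, and ./secrets/example-host.yaml
# (placeholder path) is a sops file encrypted to this host's age recipient.
{ config, ... }:
{
  sops = {
    # One encrypted file per host; the secret names below index into it.
    defaultSopsFile = ./secrets/example-host.yaml;  # placeholder path

    # Derive the age identity from the host's SSH key, so the only secret
    # that has to exist on the machine at deploy time is the host key itself.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # Keep keyFile unset so decryption cannot quietly fall back to a
    # hand-copied key that is not tracked anywhere.
    age.keyFile = null;

    # User password hashes are consumed during activation before user
    # accounts exist, so sops-nix has to provision them early.
    secrets."dan/password" = {
      neededForUsers = true;
    };
  };

  # Declarative users only: nothing set with `passwd` survives a rebuild,
  # so the sops secret is the single source of truth for the hash.
  users.mutableUsers = false;
  users.users.dan = {
    isNormalUser = true;
    hashedPasswordFile = config.sops.secrets."dan/password".path;
  };
}
```

The age recipient for a host is obtained with `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` and added to .sops.yaml before encrypting; the stored value is a hash produced by `mkpasswd -m sha-512`, never the plaintext password. Because the recipient is tied to the host key, a freshly installed machine can only decrypt its secrets if the same host key is in place, which is the reason the deployment script has to deliver host keys alongside the configuration.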
