kczulko nixos-config

Config for my NixOS setups.

Deployment steps

All steps are executed as root.

$ ####################
$ # clone nixos project
$ git clone git@github.com:kczulko/nixos-config.git
$ ####################
$ # download the private key and place it under /root/.ssh
$ mv id_ed25519 /root/.ssh/
$ ####################
$ # build your setup, e.g. workstation:
$ nixos-rebuild switch --flake ./nixos-config#workstation --impure

Secrets management

This repository uses agenix for secrets management.

To add a new secret, follow this guideline from the agenix repository.

To generate a hashed user password, use the following command: mkpasswd -m sha-512.

Shenanigans

There are some issues when obtaining an agenix secret for an entry which is not a file. Pure-mode flake evaluation does not allow, for example, checking whether OS paths exist, so builtins.pathExists evaluates to false in pure mode. This is, in general, the reason why --impure is used here. Moreover, adding a new secret and assigning it to a string field may throw an error because the newly added secret file is absent. Therefore the following guards were added:

let
  new-secret-path = config.age.secrets.your-new-secret.path;
in
  lib.strings.optionalString (lib.pathExists new-secret-path)
    (lib.readFile new-secret-path)

which, on the initial evaluation, returns an empty string (when the path does not exist). This means that when introducing a new secret, one may have to run nixos-rebuild ... twice... (sic!). Maybe this project may help here.
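
The two-pass rebuild described above, scripted as an added example (it is not part of this repository): it rebuilds once and rebuilds again only if a listed secret was absent beforehand and has since been decrypted, so the guard reads real content instead of an empty string. It assumes agenix decrypts to its default location /run/agenix/<name>; the function names and the SECRETS_DIR, REBUILD_CMD and REBUILD_PASSES variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the repository. Assumptions: secrets are decrypted to
# /run/agenix/<name> (agenix default) and the rebuild command is the one from
# the deployment steps. Both can be overridden through the environment.
SECRETS_DIR="${SECRETS_DIR:-/run/agenix}"
REBUILD_CMD="${REBUILD_CMD:-nixos-rebuild switch --flake ./nixos-config#workstation --impure}"
REBUILD_PASSES=0

# Print every secret name from "$@" whose decrypted file is absent or empty.
missing_secrets() {
  for name in "$@"; do
    [ -s "$SECRETS_DIR/$name" ] || printf '%s\n' "$name"
  done
}

# Rebuild, and rebuild a second time only when a listed secret was missing
# before the first pass (the guard evaluated to "") and exists afterwards.
# Returns 0 on success, 1 if a rebuild fails, 2 if a secret is still missing,
# which means some value in the active system is still the empty string.
rebuild_with_secrets() {
  REBUILD_PASSES=0
  before=$(missing_secrets "$@")
  $REBUILD_CMD || return 1
  REBUILD_PASSES=1
  [ -n "$before" ] || return 0

  after=$(missing_secrets "$@")
  if [ -n "$after" ]; then
    echo "still missing after activation: $after" >&2
    return 2
  fi
  $REBUILD_CMD || return 1
  REBUILD_PASSES=2
}

# Usage (as root): rebuild_with_secrets your-new-secret
```

A return code of 2 is the case worth alerting on: the system was activated while the guarded field, for example a hashed password, was still empty.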

Inspiration intensifies

Jack of all trades, master of some: https://github.com/AleksanderGondek/nixos-config