colin
4689d49d9f
|
||
|---|---|---|
| helpers | ||
| machines | ||
| modules | ||
| nixpatches | ||
| pkgs | ||
| secrets | ||
| .gitignore | ||
| .sops.yaml | ||
| TODO.md | ||
| configuration.nix | ||
| flake.lock | ||
| flake.nix | ||
| image.nix | ||
| readme.md | ||
readme.md
after checking out, drop secrets into secrets/
to build:
nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
query with:
nix flake show
secrets
secrets/default.nix declares the secrets exposed at evaluation time.
these are defined outside git by writing the actual values to secrets/local.nix.
don't check in the local.nix file. use git update-index --assume-unchanged secrets/local.nix to prevent it from ever being added.
but after that you can set them to their real value and run git update-index --assume-unchanged secrets/*
building images
to build a distributable image (GPT-formatted image with rootfs and /boot partition):
nix build .#imgs.lappy
this can then be dd'd onto a disk and directly booted from a EFI system.
there's some post-processing to do before running a rebuild on the deployed system (e.g. change fstab UUIDs)
refer to flake.nix for more details
admin tips
online: https://nixos.wiki/wiki/Cheatsheet
verify ALL nix store contents with:
sudo nix-store --verify --check-contents # add the --repair flag to auto-repair as well
search for a package with:
nix search nixpkgs <query string>
find which package owns some file with:
nix-locate /bin/vim # or any other package-relative path