colin
b658b93c64
this approach lets me persist the password. persisting /etc/shadow directly wasn't so feasible. populating /etc/shadow at activation time is something nix already does and is easy to plug into. so we store the passwd hash in this repo, but encrypt it to the destination machine's ssh pubkey to add enough entropy that it's not brute-forceable through the public git repo. |
||
|---|---|---|
| helpers | ||
| machines | ||
| modules | ||
| nixpatches | ||
| pkgs | ||
| scripts | ||
| secrets | ||
| .gitignore | ||
| .sops.yaml | ||
| TODO.md | ||
| flake.lock | ||
| flake.nix | ||
| readme.md | ||
readme.md
to deploy:
nixos-rebuild --flake "./#servo" {build,switch}
more options (like building packages defined in this repo):
nix flake show
secrets
i use sops for secrets.
see modules/universal/secrets.nix for some tips.
building images
to build a distributable image (GPT-formatted image with rootfs and /boot partition):
nix build ./#imgs.lappy
this can then be dd'd onto a disk and directly booted from a EFI system.
there's some post-processing to do before running a rebuild on the deployed system (deploying ssh keys, optionally changing fs UUIDs, etc).
refer to flake.nix for more details.
building packages
to build one of the custom sane packages, just name it:
nix build ./#fluffychat-moby
to build a nixpkg:
nix build ./#nixpkgs.curl
to build a package for another platform:
nix build ./#packages.aarch64-linux.nixpkgs.ubootRaspberryPi4_64bit