This document will guide in configuring a new computer, starting from a fresh new NixOS installation. This document assumes that you have already installed NixOS in some way (e.g. using a USB stick).
The whole process should take a bit more than an hour, excluding compilation times (which could be significant).
A fresh NixOS installation should have Firefox as the default browser. Install a password manager like LastPass as a Firefox extension.
In order to clone git repositories from GitHub using SSH, you will need to generate an SSH keypair and upload the SSH public key to GitHub.
Generate an SSH keypair, start the SSH agent and store both the public key and the private key on the computer.
ssh-keygen -t ed25519 -C "[email protected]"
eval $(ssh-agent -s)
ssh-add $HOME/.ssh/id_ed25519Double check that the SSH agent has loaded the SSH key you have just generated.
ssh-add -lCopy the SSH public key and paste it on GitHub, in Settings > SSH and GPG keys > New SSH key.
cat $HOME/.ssh/id_ed25519.pubYou may consider backing up the SSH keypair in a safe place:
- If you have an hardware device like the Trezor, you can store your SSH keypair there.
- If you trust your password manager, you can store your SSH keypair there.
- If you have a USB stick you consider safe (e.g. a USB stick that never leaves your home), you can store your SSH keypair there.
If git is not yet available on the new NixOS machine, install it using nix-env.
nix-env --install gitSet your name and email in the git global config.
git config --global user.name "John Smith"
git config --global user.email "[email protected]"Create a directory for all of your repositories:
mkdir ~/reposClone the nix-config repository from GitHub using SSH.
git clone [email protected]:jackdbd/nix-config.gitAll of my NixOS configurations for my computers contain some age-encrypted secrets. These secrets are automatically encrypted and decrypted by sops-nix, provided that age is installed and that there is a valid age private key on the machine that uses sops-nix.
Since age is not yet available on the new NixOS machine, you'll have to install it using nix-env.
nix-env --install ageIf that doesn't work, install Go and compile age.
nix-env --install go
go install filippo.io/age/cmd/...@latestℹ️ If you had to install Go and compile age, you will find the
ageandage-keygenbinaries in$HOME/go/bin.
In order to decrypt the age-encrypted secrets found in this repository, you will need to generate an age keypair, copy the age public key and paste it in this .sops.yaml file.
mkdir -p ~/.config/sops/age
age-keygen -o ~/.config/sops/age/keys.txtCopy the age public key and paste it in the .sops.yaml file of this repository. Give it a name to clearly identify the authorized device.
Add the age public key to the list of authorized keys listed in the secrets/.sops.yaml file in this repository.
You may consider backing up the age keypair:
If you have an hardware device like the Trezor, you can store your age keypair there. If you trust your password manager, you can store your age keypair there. If you have a USB stick you consider safe (e.g. a USB stick that never leaves your home), you can store your age keypair there.
On a machine that can already decrypt age-encrypted secrets, update all .sops files to accept the new age key.
cd ~/repos/nix-config/secrets
sops updatekeys secrets.sops.yaml
sops updatekeys aws/default.sops.yaml
sops updatekeys gcp/prj-kitchen-sink.sops.yaml
# etc...Push the changes to the repository.
cd ~/repos/nix-config
git add secrets/
git commit -m 'add new age key in SOPS files'
git pushOn the new NixOS machine, pull the changes.
cd ~/repos/nix-config
git pullDouble check that the new computer can decrypt age-encrypted secrets using sops.
cd ~/repos/nix-config/secrets
sops secrets.sops.yamlA fresh NixOS installation will probably have no editor (not even vi!). You can install VS Code using nix-env. Don't forget to set the environment variable NIXPKGS_ALLOW_UNFREE to 1, since VS Code is an unfree package.
export NIXPKGS_ALLOW_UNFREE=1
nix-env --install codeOn a fresh new NixOS installation, the entire configuration of your system will be stored in two files:
/etc/nixos/configuration.nix/etc/nixos/hardware-configuration.nix
Let's say that your new NixOS host is a ThinkPad L390. You can create a subdirectory in this repository and store the configuration there.
mkdir -p ~/repos/nix-config/nixos/hosts/l390
cp /etc/nixos/* ~/repos/nix-config/nixos/hosts/l390/Important
Make sure your new NixOS computer is configured with full-disk encryption. Double check that in your configuration.nix there is a line that says boot.initrd.luks.devices.
You will also need to update the flake.nix file to include the new NixOS host configuration in nixosConfigurations and homeConfigurations.
cd ~/repos/nix-config
git add .
git commit -m 'update NixOS configuration for <DEVICE>' # e.g. ThinkPad L390
git pushWarning
The reason why you should commit these files is that nix flakes do not include untracked files.
You are now ready to rebuild the NixOS configuration and switch to it. From the root of this repository, apply both the NixOS configuration and the Home Manager for this host (see nixosConfigurations in the flake.nix).
For example:
sudo nixos-rebuild switch \
--flake $HOME/repos/nix-config#l390-nixosUninstall all packages installed with nix-env, since they are now available in the NixOS / Home Manager configuration.
nix-env -e age
nix-env -e code
nix-env -e git
nix-env -e goIn the Syncthing web UI (http://127.0.0.1:8384/), go to Actions > Show ID and copy the ID of the new machine. Add/update this ID in the config section of the nixos/modules/syncthing.nix. For example:
settings.devices = {
"ThinkPad L390" = {
id = "KPVHYCY-WBF7QTW-UVEOQN4-BKQDYZB-QFBSYOQ-65SCSFR-LGIFVE4-ESN6GQQ";
};
};Double check that all Syncthing devices start syncing folders.
Configure FlowCrypt (PGP encryption for GMail).