fujin/Nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TLDR for installation

Browse Source
This commit is contained in:
Alexander Derevianko
2025-07-26 14:41:38 +02:00
parent 274872ec95
commit 945b8ade7a
1 changed files with 73 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.org
+73 -48
View File
@@ -6,16 +6,41 @@
*Abstract* *Abstract*
This guide documents the process for a minimal installation of NixOS on a Proxmox virtual machine. It leverages the =nixos-anywhere= tool for remote deployment and =disko= for declarative disk partitioning. It also covers the essential post-installation steps for integrating the new host with =sops-nix= for secrets management. This guide documents the process for a minimal installation of NixOS on a Proxmox virtual machine. It leverages the =nixos-anywhere= tool for remote deployment and =disko= for declarative disk partitioning. It also covers the essential post-installation steps for integrating the new host with =sops-nix= for secrets management.
* TL;DR: Quick Install Guide
1. *Prepare VM:* Boot the target Proxmox VM from a NixOS ISO and set a root password:
#+begin_src sh
passwd
#+end_src
2. *Deploy NixOS:* From your workstation, run =nixos-anywhere=, pointing to your flake and the VM's IP address.
#+begin_src sh
nix run github:nix-community/nixos-anywhere -- \
--flake .#your-machine-name \
--target-host root@<vm-ip-address>
#+end_src
3. *Get Host Key:* After installation, SSH into the new VM and get its host AGE key.
#+begin_src sh
ssh root@<vm-ip-address>
nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
#+end_src
4. *Update Secrets:* On your workstation, add the new AGE key to =.sops.yaml= and re-encrypt secrets.
#+begin_src sh
sops updatekeys secrets/secrets.yaml
#+end_src
* Table of Contents :TOC: * Table of Contents :TOC:
- [[#tldr-quick-install-guide][TL;DR: Quick Install Guide]]
- [[#prerequisites-on-the-target-vm][Prerequisites on the Target VM]] - [[#prerequisites-on-the-target-vm][Prerequisites on the Target VM]]
- [[#installation-process][Installation Process]] - [[#installation-process][Installation Process]]
- [[#deploying-nixos][Deploying NixOS]] - [[#deploying-nixos][Deploying NixOS]]
- [[#note-on-hardware-configuration][Note on Hardware Configuration]]
- [[#key-configuration-details][Key Configuration Details]]
- [[#disko-configuration-for-proxmox-mbr-boot][Disko Configuration for Proxmox (MBR Boot)]]
- [[#post-installation-secrets-management][Post-Installation: Secrets Management]] - [[#post-installation-secrets-management][Post-Installation: Secrets Management]]
- [[#step-1-generating-the-host-age-key][Step 1: Generating the Host AGE Key]] - [[#step-1-generating-the-host-age-key][Step 1: Generating the Host AGE Key]]
- [[#step-2-updating-sops-and-re-encrypting-secrets][Step 2: Updating SOPS and Re-encrypting Secrets]] - [[#step-2-updating-sops-and-re-encrypting-secrets][Step 2: Updating SOPS and Re-encrypting Secrets]]
- [[#notes-and-configuration-details][Notes and Configuration Details]]
- [[#disko-configuration-for-proxmox-mbr-boot][Disko Configuration for Proxmox (MBR Boot)]]
- [[#generating-hardware-configuration][Generating Hardware Configuration]]
- [[#todos][TODOs]] - [[#todos][TODOs]]
* Prerequisites on the Target VM * Prerequisites on the Target VM
@@ -43,51 +68,6 @@ nix run github:nix-community/nixos-anywhere -- \
--target-host root@192.168.1.85 --target-host root@192.168.1.85
#+end_src #+end_src
** Note on Hardware Configuration
While not used in the command above, =nixos-anywhere= can automatically generate a hardware configuration file from the target machine. This is useful for capturing machine-specific settings.
To do this, include the =--generate-hardware-config= flag in your command. The following example shows how to generate the file and save it as =./hardware-configuration.nix= in your local flake directory.
#+begin_src sh
nix run github:nix-community/nixos-anywhere -- \
--flake .#your-flake-output \
--target-host root@192.168.1.85 \
--generate-hardware-config ./hardware-configuration.nix
#+end_src
* Key Configuration Details
** Disko Configuration for Proxmox (MBR Boot)
A critical requirement for ensuring a NixOS VM can boot correctly in Proxmox is the disk partition scheme. Proxmox expects a Master Boot Record (MBR) compatible setup.
When using =disko= for declarative disk management, you must configure it to create a GPT partition table that includes a special 1M BIOS boot partition (type =EF02=). This partition is specifically used by GRUB for MBR compatibility.
Here is an example snippet for the =disko= configuration:
#+begin_src nix
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
# ... your other partitions like root, swap, etc.
};
};
};
};
};
}
#+end_src
For a complete example, you can refer to the official =disko= repository: [[https://github.com/nix-community/disko/blob/master/example/gpt-bios-compat.nix][gpt-bios-compat.nix]].
* Post-Installation: Secrets Management * Post-Installation: Secrets Management
** Step 1: Generating the Host AGE Key ** Step 1: Generating the Host AGE Key
After the initial installation is complete, you will need its host AGE key to manage secrets with tools like =sops-nix=. This key is derived from the host's SSH key. After the initial installation is complete, you will need its host AGE key to manage secrets with tools like =sops-nix=. This key is derived from the host's SSH key.
@@ -128,6 +108,51 @@ The new AGE key must be added to your =.sops.yaml= configuration file. This allo
#+end_src #+end_src
Your secrets are now encrypted for both the primary key and the new host's key. Your secrets are now encrypted for both the primary key and the new host's key.
* Notes and Configuration Details
** Disko Configuration for Proxmox (MBR Boot)
A critical requirement for ensuring a NixOS VM can boot correctly in Proxmox is the disk partition scheme. Proxmox expects a Master Boot Record (MBR) compatible setup.
When using =disko= for declarative disk management, you must configure it to create a GPT partition table that includes a special 1M BIOS boot partition (type =EF02=). This partition is specifically used by GRUB for MBR compatibility.
Here is an example snippet for the =disko= configuration:
#+begin_src nix
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for grub MBR
};
# ... your other partitions like root, swap, etc.
};
};
};
};
};
}
#+end_src
For a complete example, you can refer to the official =disko= repository: [[https://github.com/nix-community/disko/blob/master/example/gpt-bios-compat.nix][gpt-bios-compat.nix]].
** Generating Hardware Configuration
The =nixos-anywhere= tool can automatically generate a hardware configuration file from the target machine. This is useful for capturing machine-specific settings.
To do this, include the =--generate-hardware-config= flag in your command. The following example shows how to generate the file and save it as =./hardware-configuration.nix= in your local flake directory.
#+begin_src sh
nix run github:nix-community/nixos-anywhere -- \
--flake .#your-flake-output \
--target-host root@192.168.1.85 \
--generate-hardware-config ./hardware-configuration.nix
#+end_src
* TODOs * TODOs
- [ ] Refactor the =disko= configuration to make the disk device name (e.g., =/dev/sda=) a variable. This will avoid hardcoding the value and make the configuration more portable across different hardware setups. - [ ] Refactor the =disko= configuration to make the disk device name (e.g., =/dev/sda=) a variable. This will avoid hardcoding the value and make the configuration more portable across different hardware setups.
- [ ] Investigate and resolve the issue where updating a user's password declaratively using a secret managed by =sops= failed after the initial installation. - [ ] Investigate and resolve the issue where updating a user's password declaratively using a secret managed by =sops= failed after the initial installation.