diff --git a/lib/internal.md b/lib/internal.md
index cd16505..6551d28 100644
--- a/lib/internal.md
+++ b/lib/internal.md
@@ -2,8 +2,85 @@
 ## Update Server
-```shell
+**NOTE**: I want to establish a solid way to do this without `root@`.
+
+```fish
 g a; set host beefcake; nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
 --target-host "root@$host" --build-host "root@$host" \
 switch --show-trace
 ```
+
+## Safer Method
+
+```bash
+# make sure all files are at least staged so nix flakes will see them
+git add -A
+
+# initialize a delayed reboot by a process you can kill later if things look good
+# note that the amount of time you give it probably needs to be enough time to both complete the upgrade
+# _and_ perform whatever testing you need
+host=your_host
+ssh -t "root@$host" "bash -c '
+ set -m
+ (sleep 300; reboot;) &
+ jobs -p
+ bg
+ disown
+'"
+
+# build the system and start running it, but do NOT set the machine up to boot to that system yet
+# we will test things and make sure it works first
+# if it fails, the reboot we started previously will automatically kick in once the timeout is reached
+# and the machine will boot to the now-previous iteration
+nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
+ --target-host "root@$host" --build-host "root@$host" \
+ test --show-trace
+
+# however you like, verify the system is running as expected
+# if it is, run the same command with "switch" instead of "test"
+# otherwise, we will wait until the machine reboots back into the
+# this is crude, but should be pretty foolproof
+# the main gotcha is that the system is already unbootable or non-workable, but
+# if you always use this method, that should be an impossible state to get into
+
+# if we still have ssh access and the machine fails testing, just rollback
+# instead of waiting for the reboot
+ssh "root@$host" nixos-rebuild --rollback switch
+```
+
+## Provisioning New NixOS Hosts
+
+Note that for best results the target flake attribute should first be built and
+cached to the binary cache at `nix.h.lyte.dev`.
+
+```bash
+# establish network access
+# plug in ethernet or do the wpa_cli song and dance for wifi
+wpa_cli scan
+wpa_cli scan_results
+wpa_cli add_network 0
+wpa_cli set_network 0 ssid "MY_SSID"
+wpa_cli set_network 0 psk "MY_WIFI_PASSWORD"
+wpa_cli enable_network 0
+wpa_cli save_config
+
+# disk encryption key (if needed)
+echo -n "password" > /tmp/secret.key
+
+# partition disks
+nix-shell --packages git --run "sudo nix run \
+ --extra-experimental-features nix-command \
+ --extra-experimental-features flakes \
+ github:nix-community/disko -- \
+ --flake 'git+https://git.lyte.dev/lytedev/nix#${PARTITION_SCHEME}' \
+ --mode disko \
+ --arg disks '[ \"/dev/${DISK}\" ]'"
+
+# install
+nix-shell --packages git \
+ --run "sudo nixos-install \
+ --flake 'git+https://git.lyte.dev/lytedev/nix#${FLAKE_ATTR}' \
+ --option trusted-substituters 'https://cache.nixos.org https://nix.h.lyte.dev' \
+ --option trusted-public-keys 'cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0='"
+```
+
diff --git a/modules/home-manager/foxtrot.nix b/modules/home-manager/foxtrot.nix
index f25264a..8d84116 100644
--- a/modules/home-manager/foxtrot.nix
+++ b/modules/home-manager/foxtrot.nix
@@ -1,5 +1,5 @@
 {outputs, ...}: let
- scale = 1.5;
+ scale = 1.25;
 in {
 imports = with outputs.homeManagerModules; [
 sway
diff --git a/readme.md b/readme.md
index c1fe667..31afc33 100644
--- a/readme.md
+++ b/readme.md
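Review bot: The provisioning block's `echo -n "password" > /tmp/secret.key` writes the disk-encryption passphrase to a file created under the installer shell's default umask (typically 022, so world-readable in a shared /tmp) and also leaves the literal passphrase in the shell history; the same history concern applies to `wpa_cli set_network 0 psk "MY_WIFI_PASSWORD"` a few lines above. Restrict the file mode at creation and take the value from a prompt instead of a literal, e.g. `(umask 077; read -rsp 'disk passphrase: ' p; printf '%s' "$p" > /tmp/secret.key)`. A one-line comment such as `# key file must not be world-readable; created with umask 077` next to it would make the requirement survive future edits.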
@@ -13,14 +13,22 @@ here is useful inspiration.
 $ nixos-rebuild switch --flake git+https://git.lyte.dev/lytedev/nix#${FLAKE_ATTR}
 ```
-You don't have even have to clone this crap yourself. How cool is that!
+You don't have even have to clone this crap yourself. How cool is that! But if you do, it looks like this:
-But if you're gonna change stuff you had better setup the pre-commit hook:
+```shell_session
+$ nixos-rebuild switch --flake ./repo/dir/for/nix#${FLAKE_ATTR}
+```
+
+## Setup
+
+If you're gonna change stuff you had better setup the pre-commit hook:
 ```shell_session
 $ ln -s $PWD/pre-commit.bash .git/hooks/pre-commit
 ```
+## Secrets
+
 If you're deploying anything secrets-related, you will need the proper keys:
 ```shell_session
@@ -31,99 +39,23 @@ $ pass age-key >> ${XDG_CONFIG_HOME:-~/.config}/sops/age/keys.txt
 ## NixOS
 ```shell_session
-$ nixos-rebuild switch --flake .
+$ nixos-rebuild switch --flake
 ```
 ## Not NixOS
+**NOTE**: I pretty much solely use Home Manager as a NixOS module presently, so this is not fully supported.
+
 ```shell_session
 $ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 $ nix profile install github:nix-community/home-manager
-$ home-manager switch --flake git+https://git.lyte.dev/lytedev/nix
+$ FLAKE_ATTR=base-x86_64-linux
+$ home-manager switch --flake git+https://git.lyte.dev/lytedev/nix#$FLAKE_ATTR
 ```
-# Advanced Usage
+# Internal/Advanced Usage
-## Push NixOS Config
-
-```bash
-host=your_host
-nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
- --target-host "root@$host" --build-host "root@$host" \
- switch --show-trace
-```
-
-### Safer Method
-
-```bash
-# initialize a delayed reboot by a process you can kill later if things look good
-# note that the amount of time you give it probably needs to be enough time to both complete the upgrade
-# _and_ perform whatever testing you need
-host=your_host
-ssh -t "root@$host" "bash -c '
- set -m
- (sleep 300; reboot;) &
- jobs -p
- bg
- disown
-'"
-
-# build the system and start running it, but do NOT set the machine up to boot to that system yet
-# we will test things and make sure it works first
-# if it fails, the reboot we started previously will automatically kick in once the timeout is reached
-# and the machine will boot to the now-previous iteration
-nix run nixpkgs#nixos-rebuild -- --flake ".#$host" \
- --target-host "root@$host" --build-host "root@$host" \
- test --show-trace
-
-# however you like, verify the system is running as expected
-# if it is, run the same command with "switch" instead of "test"
-# otherwise, we will wait until the machine reboots back into the
-# this is crude, but should be pretty foolproof
-# the main gotcha is that the 
system is already unbootable or non-workable, but
-# if you always use this method, that should be an impossible state to get into
-
-# if we still have ssh access and the machine fails testing, just rollback
-# instead of waiting for the reboot
-ssh "root@$host" nixos-rebuild --rollback switch
-```
-
-## Provisioning New NixOS Hosts
-
-```bash
-# establish network access
-# plug in ethernet or do the wpa_cli song and dance for wifi
-wpa_cli scan
-wpa_cli scan_results
-wpa_cli add_network 0
-wpa_cli set_network 0 ssid "MY_SSID"
-wpa_cli set_network 0 psk "MY_WIFI_PASSWORD"
-wpa_cli enable_network 0
-wpa_cli save_config
-
-# disk encryption key (if needed)
-echo -n "password" > /tmp/secret.key
-
-# partition disks
-nix-shell --packages git --run "sudo nix run \
- --extra-experimental-features nix-command \
- --extra-experimental-features flakes \
- github:nix-community/disko -- \
- --flake 'git+https://git.lyte.dev/lytedev/nix#${PARTITION_SCHEME}' \
- --mode disko \
- --arg disks '[ \"/dev/${DISK}\" ]'"
-
-# install
-nix-shell --packages git \
- --run "sudo nixos-install \
- --flake 'git+https://git.lyte.dev/lytedev/nix#${FLAKE_ATTR}' \
- --option trusted-substituters 'https://cache.nixos.org https://nix.h.lyte.dev' \
- --option trusted-public-keys 'cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0='"
-```
-
-# Internal Usage
-
-Just for me, see [[lib/internal.md]]
+See [lib/internal.md](./lib/internal.md).
 # To Do
@@ -135,7 +67,6 @@ Just for me, see [[lib/internal.md]]
 - grafana and stuff for monitoring
 - alerts?
 - Fonts installed by home manager instead of nixos module
-- Zellij config?
 - Broot config?
 ## Long Term
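Review bot: In the `## NixOS` example the added line `$ nixos-rebuild switch --flake` drops the `.` that the removed line carried, so `--flake` is left without a flake reference; depending on nixos-rebuild's argument handling this either fails or silently falls back to `/etc/nixos/flake.nix` rather than the checkout the reader is standing in. Unless that fallback is the intent, keep the argument and make it consistent with the `./repo/dir/for/nix#${FLAKE_ATTR}` form this commit introduces earlier, e.g. `$ nixos-rebuild switch --flake .#${FLAKE_ATTR}`. If the fallback is intended, a one-line note saying the command is meant to be run with the repo at `/etc/nixos` would remove the ambiguity.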