forked from cheng/wallet
260 lines
8.3 KiB
Markdown
260 lines
8.3 KiB
Markdown
|
---
|
|||
|
title:
|
|||
|
Nixos
|
|||
|
sidebar: true
|
|||
|
...
|
|||
|
|
|||
|
Nixos is primarily a package manager with a declarative functional language as its package manager.
|
|||
|
|
|||
|
Which makes it possible to reproducibly create a setup. Unfortunately the packages are hard to customise, because access to the
|
|||
|
configuration files is restricted and non trivial -- you have to create your own package.
|
|||
|
|
|||
|
Nixos solves the problem of dll hell by having any number of configurations living on the same machine -- which leads to massive and rapid accumulation of garbage. Garbage collection is very slow, and requires either a lot of ram or a lot of swap (12GB swap recommended. This is a feature I do not want, but wind up suffering, for the advantage of reproducible setups.
|
|||
|
|
|||
|
To avoid bloat, can use a strategy of re-install from scratch, which Nixos makes less painful. I notice the mail server insists
|
|||
|
on pinning to a specific Nixos release.
|
|||
|
|
|||
|
# Install Nixos
|
|||
|
|
|||
|
# minimal server
|
|||
|
|
|||
|
ssh and avahi daemon, pubkeys setup for ssh, users created.
|
|||
|
|
|||
|
## configuration.nix
|
|||
|
|
|||
|
```nix
|
|||
|
# Edit this configuration file to define what should be installed on
|
|||
|
# your system. Help is available in the configuration.nix(5) man page, on
|
|||
|
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
|||
|
|
|||
|
{ config, lib, pkgs, ... }:
|
|||
|
|
|||
|
{
|
|||
|
imports =
|
|||
|
[ # Include the results of the hardware scan.
|
|||
|
./hardware-configuration.nix
|
|||
|
];
|
|||
|
|
|||
|
# Use the systemd-boot EFI boot loader.
|
|||
|
boot.loader.systemd-boot.enable = true;
|
|||
|
boot.loader.efi.canTouchEfiVariables = true;
|
|||
|
|
|||
|
# networking.hostName = "nixos"; # Define your hostname.
|
|||
|
# Pick only one of the below networking options.
|
|||
|
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
|||
|
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
|||
|
|
|||
|
# Set your time zone.
|
|||
|
# time.timeZone = "Europe/Amsterdam";
|
|||
|
|
|||
|
# Configure network proxy if necessary
|
|||
|
# networking.proxy.default = "http://user:password@proxy:port/";
|
|||
|
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
|||
|
|
|||
|
# Select internationalisation properties.
|
|||
|
i18n.defaultLocale = "en_US.UTF-8";
|
|||
|
# console = {
|
|||
|
# font = "Lat2-Terminus16";
|
|||
|
# keyMap = "us";
|
|||
|
# useXkbConfig = true; # use xkb.options in tty.
|
|||
|
# };
|
|||
|
|
|||
|
# Enable the X11 windowing system.
|
|||
|
# services.xserver.enable = true;
|
|||
|
|
|||
|
# Configure keymap in X11
|
|||
|
# services.xserver.xkb.layout = "us";
|
|||
|
# services.xserver.xkb.options = "eurosign:e,caps:escape";
|
|||
|
|
|||
|
# Enable CUPS to print documents.
|
|||
|
# services.printing.enable = true;
|
|||
|
|
|||
|
# Enable sound.
|
|||
|
# hardware.pulseaudio.enable = true;
|
|||
|
# OR
|
|||
|
# services.pipewire = {
|
|||
|
# enable = true;
|
|||
|
# pulse.enable = true;
|
|||
|
# };
|
|||
|
|
|||
|
# Enable touchpad support (enabled default in most desktopManager).
|
|||
|
services.libinput.enable = false;
|
|||
|
|
|||
|
#enable avahi-daemon
|
|||
|
services.avahi = {
|
|||
|
enable = true;
|
|||
|
ipv6 = true;
|
|||
|
ipv4 = true;
|
|||
|
publish = {
|
|||
|
enable = true;
|
|||
|
addresses = true;
|
|||
|
};
|
|||
|
# nssmdns4 = true;
|
|||
|
};
|
|||
|
|
|||
|
# guest additions
|
|||
|
# not very useful unless desktop enabled, or maybe it just does not work at all
|
|||
|
#virtualisation.virtualbox.guest.enable = true;
|
|||
|
|
|||
|
# Define a user account. Don't forget to set a password with ‘passwd’.
|
|||
|
users.users.cherry = {
|
|||
|
isNormalUser = true;
|
|||
|
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
|||
|
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVcyLSWwsa8aN+v2PaS1wuHXGVhTdC+43B3eZ9j/C/M" ];
|
|||
|
# packages = with pkgs; [
|
|||
|
# firefox
|
|||
|
# tree
|
|||
|
# ];
|
|||
|
};
|
|||
|
|
|||
|
# Define a user account. Don't forget to set a password with ‘passwd’.
|
|||
|
users.users.root = {
|
|||
|
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVcyLSWwsa8aN+v2PaS1wuHXGVhTdC+43B3eZ9j/C/M" ];
|
|||
|
};
|
|||
|
|
|||
|
# List packages installed in system profile. To search, run:
|
|||
|
# $ nix search wget
|
|||
|
# environment.systemPackages = with pkgs; [
|
|||
|
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
|||
|
# wget
|
|||
|
# ];
|
|||
|
|
|||
|
# Some programs need SUID wrappers, can be configured further or are
|
|||
|
# started in user sessions.
|
|||
|
# programs.mtr.enable = true;
|
|||
|
# programs.gnupg.agent = {
|
|||
|
# enable = true;
|
|||
|
# enableSSHSupport = true;
|
|||
|
# };
|
|||
|
|
|||
|
# List services that you want to enable:
|
|||
|
|
|||
|
# Enable the OpenSSH daemon.
|
|||
|
services.openssh = {
|
|||
|
enable = true;
|
|||
|
hostKeys = [
|
|||
|
{
|
|||
|
path = "/etc/ssh/ssh_host_ed25519_key";
|
|||
|
rounds = 100;
|
|||
|
type = "ed25519";
|
|||
|
}
|
|||
|
];
|
|||
|
settings = {
|
|||
|
PasswordAuthentication = false;
|
|||
|
PubkeyAuthentication = true;
|
|||
|
PermitRootLogin = "prohibit-password";
|
|||
|
UsePAM = false;
|
|||
|
ChallengeResponseAuthentication = false;
|
|||
|
Ciphers = [ "chacha20-poly1305@openssh.com" ];
|
|||
|
GatewayPorts = "Yes";
|
|||
|
KbdInteractiveAuthentication = false;
|
|||
|
KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
|
|||
|
Macs = [ "hmac-sha2-256-etm@openssh.com" ];
|
|||
|
};
|
|||
|
};
|
|||
|
|
|||
|
# Open ports in the firewall.
|
|||
|
# networking.firewall.allowedTCPPorts = [ ... ];
|
|||
|
# networking.firewall.allowedUDPPorts = [ ... ];
|
|||
|
# Or disable the firewall altogether.
|
|||
|
networking.firewall.enable = false;
|
|||
|
|
|||
|
# Copy the NixOS configuration file and link it from the resulting system
|
|||
|
# (/run/current-system/configuration.nix). This is useful in case you
|
|||
|
# accidentally delete configuration.nix.
|
|||
|
# system.copySystemConfiguration = true;
|
|||
|
|
|||
|
# This option defines the first version of NixOS you have installed on this particular machine,
|
|||
|
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
|
|||
|
#
|
|||
|
# Most users should NEVER change this value after the initial install, for any reason,
|
|||
|
# even if you've upgraded your system to a new NixOS release.
|
|||
|
#
|
|||
|
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
|
|||
|
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
|
|||
|
# to actually do that.
|
|||
|
#
|
|||
|
# This value being lower than the current NixOS release does NOT mean your system is
|
|||
|
# out of date, out of support, or vulnerable.
|
|||
|
#
|
|||
|
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
|
|||
|
# and migrated your data accordingly.
|
|||
|
#
|
|||
|
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
|
|||
|
system.stateVersion = "24.05"; # Did you read the comment?
|
|||
|
}
|
|||
|
```
|
|||
|
|
|||
|
## hardware-configuration.nix
|
|||
|
|
|||
|
This should be set up automatically by the install
|
|||
|
process. For a human to do it is very difficult.
|
|||
|
|
|||
|
```nix
|
|||
|
{
|
|||
|
imports = [ ];
|
|||
|
|
|||
|
boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ];
|
|||
|
boot.initrd.kernelModules = [ ];
|
|||
|
boot.kernelModules = [ ];
|
|||
|
boot.extraModulePackages = [ ];
|
|||
|
|
|||
|
fileSystems."/" =
|
|||
|
{ device = "/dev/disk/by-uuid/bf0ee7f8-0397-44d6-a3f7-462b848d0912";
|
|||
|
fsType = "ext4";
|
|||
|
};
|
|||
|
|
|||
|
fileSystems."/boot" =
|
|||
|
{ device = "/dev/disk/by-uuid/B4E2-93D5";
|
|||
|
fsType = "vfat";
|
|||
|
options = [ "fmask=0077" "dmask=0077" ];
|
|||
|
};
|
|||
|
|
|||
|
swapDevices =
|
|||
|
[ { device = "/dev/disk/by-uuid/2b67021b-3b31-4e2d-a521-05362ffb39f8"; }
|
|||
|
];
|
|||
|
|
|||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
|||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|||
|
networking.useDHCP = lib.mkDefault true;
|
|||
|
# networking.interfaces.enp0s3.useDHCP = lib.mkDefault true;
|
|||
|
|
|||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
|||
|
virtualisation.virtualbox.guest.enable = true;
|
|||
|
}
|
|||
|
```
|
|||
|
|
|||
|
# change config
|
|||
|
|
|||
|
```bash
|
|||
|
nano /etc/nixos/conf*.nix
|
|||
|
df -h .
|
|||
|
nixos-rebuild test
|
|||
|
nixos-rebuild boot
|
|||
|
df -h .
|
|||
|
```
|
|||
|
|
|||
|
## garbage collect old configs
|
|||
|
|
|||
|
```bash
|
|||
|
nix-env --delete-generations old
|
|||
|
nix-store --gc --print-dead
|
|||
|
nix-store --gc --print-live
|
|||
|
nix-store --gc
|
|||
|
```
|
|||
|
|
|||
|
# Install nginx, mariadb, and php
|
|||
|
|
|||
|
[Nginx setup](https://wiki.nixos.org/wiki/Nginx#LEMP_stack)
|
|||
|
|
|||
|
# Nixos mail server
|
|||
|
|
|||
|
[This](https://nixos-mailserver.readthedocs.io/en/latest/) has the huge advantage that it only needs a small computer.
|
|||
|
|
|||
|
Setup is also decribed as ridiculously easy -- compare and contrast with much grief while setting up on debian.
|
|||
|
|
|||
|
And the huge disadvantage that it only exists for Nix 23.05, while the latest "stable" (not very stable at all) release is 24.05
|
|||
|
|
|||
|
It also has only a minimal nginx setup. Not at all sure what will happen when I combine it with a real nginx setup.
|