diff --git a/docs/weller-dualboot-2025.md b/docs/weller-dualboot-2025.md
index 2dc44824..a6c6b55d 100644
--- a/docs/weller-dualboot-2025.md
+++ b/docs/weller-dualboot-2025.md
@@ -95,58 +95,77 @@ Configure UDM Pro: --- -## 5. Installation Steps - -### 5.1 Boot NixOS Installer via PXE - -1. Boot the machine and press F11/F12 for boot menu -2. Select "UEFI: Network Boot" or similar -3. netboot.xyz will load → select Linux Network Installs → NixOS -4. Connect to network (should already be connected via PXE) - -### 5.2 Verify Target Disk - -```bash -# List disks and find the Seagate by-id -ls -la /dev/disk/by-id/ | grep -i seagate - -# Should show something like: -# nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_0024_CF01_4800_43D3 - -# Verify this matches the disk-config.nix device path -``` - -### 5.3 Partition, Encrypt, and Format with Disko - -```bash -# Clone cosmo repo -nix-shell -p git -git clone https://github.com/patflynn/cosmo /tmp/cosmo -cd /tmp/cosmo - -# Run disko to partition, encrypt, and mount -# This will prompt for the LUKS encryption password -sudo nix --experimental-features "nix-command flakes" \ - run github:nix-community/disko -- \ - --mode disko ./hosts/weller/disk-config.nix -``` - -Disko will: -- Create GPT partition table -- Create 1GB EFI partition -- Create LUKS2 encrypted partition (prompts for password) -- Format with Btrfs and create subvolumes (@root, @home, @nix, @swap) -- Mount everything to /mnt -- Create 16GB swapfile - -### 5.4 Install NixOS - -```bash -# Install NixOS from the flake -nixos-install --no-write-lock-file --flake /tmp/cosmo#weller - -# Set root password when prompted (or skip if using SSH keys only) -``` +## 5. Installation Steps (Two-Stage Process) + +To avoid "chicken-and-egg" problems with secrets (`agenix`) and SSH keys, we use a two-stage installation process. + +### 5.1 Stage 1: Bootstrap Install + +The first stage installs a minimal system with: +- **Mutable users** (allows setting/changing passwords) +- **SSH enabled** with password authentication +- **No secrets/agenix** (prevents decryption errors on first boot) + +1. 
**Boot NixOS Installer via PXE** + - Boot the machine and press F11/F12 for boot menu + - Select "UEFI: Network Boot" or similar + - netboot.xyz will load → select Linux Network Installs → NixOS + +2. **Partition and Format with Disko** + ```bash + # Clone cosmo repo + nix-shell -p git + git clone https://github.com/patflynn/cosmo /tmp/cosmo + cd /tmp/cosmo + + # Run disko to partition, encrypt, and mount + # This will prompt for the LUKS encryption password + sudo nix --experimental-features "nix-command flakes" \ + run github:nix-community/disko -- \ + --mode disko ./hosts/weller/disk-config.nix + ``` + +3. **Install the Bootstrap Configuration** + ```bash + # Install using the weller-bootstrap target + nixos-install --no-write-lock-file --flake /tmp/cosmo#weller-bootstrap + ``` + +4. **Reboot and Access via SSH** + - Reboot into the new system. + - From your laptop, log in as `root` (using your SSH keys): + ```bash + ssh root@weller-bootstrap + ``` + - No initial password is required as your keys from `secrets/keys.nix` are pre-authorized in the bootstrap image. + - For better security, password authentication is disabled by default. + +### 5.2 Stage 2: Full Configuration + +Once the bootstrap system is running, we can finalize the setup. + +1. **Generate Host SSH Key** + ```bash + # The host key is usually at /etc/ssh/ssh_host_ed25519_key.pub + cat /etc/ssh/ssh_host_ed25519_key.pub + ``` + +2. **Update Repository Secrets (on your laptop)** + - Copy the new host key to `secrets/keys.nix`. + - Rekey secrets: `agenix -r`. + - Commit and push changes to GitHub. + +3. **Apply Full Configuration (on weller)** + ```bash + cd ~/hack/cosmo # or wherever you keep the repo + git pull + sudo nixos-rebuild switch --flake .#weller + ``` + +The system will now have: +- Immutable users (managed by Nix) +- Secrets decrypted via `agenix` +- Full workstation environment (NVIDIA, Hyprland, etc.) --- diff --git a/flake.nix b/flake.nix index 316bfbad..4c6fe2c8 100644 --- a/flake.nix 
+++ b/flake.nix @@ -71,6 +71,33 @@ } ]; }; + + mkBootstrap = + { + system ? "x86_64-linux", + hardware, + disk ? null, + hostName ? "nixos-bootstrap", + hostId ? null, + user ? "patrick", + email ? "big.pat@gmail.com", + }: + nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ + hardware + (if disk != null then disk else { }) + (if disk != null then inputs.disko.nixosModules.disko else { }) + ./modules/bootstrap.nix + { + networking.hostName = hostName; + cosmo.user.default = user; + cosmo.user.email = email; + } + (if hostId != null then { networking.hostId = hostId; } else { }) + ]; + }; in { formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-tree; @@ -103,6 +130,13 @@ ]; }; + # Hostname: classic-laddie-bootstrap + classic-laddie-bootstrap = mkBootstrap { + hardware = ./hosts/classic-laddie/hardware.nix; + hostName = "classic-laddie-bootstrap"; + hostId = "8425e349"; + }; + # Hostname: makers-nix makers-nix = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -156,6 +190,13 @@ ]; }; + # Hostname: weller-bootstrap (Initial install target) + weller-bootstrap = mkBootstrap { + hardware = ./hosts/weller/hardware.nix; + disk = ./hosts/weller/disk-config.nix; + hostName = "weller-bootstrap"; + }; + # Hostname: weller (dual-boot Windows 11 + NixOS workstation) weller = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; diff --git a/hosts/classic-laddie/default.nix b/hosts/classic-laddie/default.nix index 9a4cff61..c15b78ac 100644 --- a/hosts/classic-laddie/default.nix +++ b/hosts/classic-laddie/default.nix @@ -7,7 +7,7 @@ { imports = [ - ./hardware-configuration.nix + ./hardware.nix ../../modules/common/system.nix ../../modules/common/users.nix ../../modules/common/workstation.nix 
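Review bot: The two `(if disk != null then … else { })` entries and the trailing `(if hostId != null then … else { })` in mkBootstrap's module list are clearer as one conditional append, e.g. `] ++ nixpkgs.lib.optionals (disk != null) [ disk inputs.disko.nixosModules.disko ] ++ nixpkgs.lib.optional (hostId != null) { networking.hostId = hostId; };` — empty attrsets evaluate fine as modules, but they hide which inputs are optional. The unconditional `cosmo.user.default = user;` / `cosmo.user.email = email;` here also make the `lib.mkDefault` values that modules/bootstrap.nix sets dead for every caller of this helper; keep one of the two places, not both. The helper's definition is complete inside this hunk; its callers sit in the later flake.nix hunks.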
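Review bot: `hostId = "8425e349"` passed to mkBootstrap for classic-laddie-bootstrap duplicates the `networking.hostId = "8425e349"` that hosts/classic-laddie/hardware.nix sets in this same commit, and the helper already imports that file. Two equal definitions merge, but editing either literal alone makes evaluation fail with conflicting definitions, and the ZFS hostid must stay identical between the bootstrap and final system anyway; drop the flake-side argument and let hardware.nix be the single source, as weller-bootstrap already does.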
@@ -18,6 +18,11 @@ cosmo.user.default = "patrick"; cosmo.user.email = "big.pat@gmail.com"; + # --------------------------------------------------------------------------- + # Networking + # --------------------------------------------------------------------------- + networking.hostName = "classic-laddie"; + # --------------------------------------------------------------------------- # Remote Desktop Streaming (Sunshine/Moonlight) # --------------------------------------------------------------------------- @@ -40,41 +45,9 @@ mode = "0440"; }; - # Bootloader (Keep what matches your hardware!) - # If your hardware-configuration.nix says you are EFI, use systemd-boot: - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - # If you are Legacy BIOS, you might need: boot.loader.grub.device = "/dev/sda"; - - # Enable proprietary software (required for Nvidia drivers) - nixpkgs.config.allowUnfree = true; - - # Graphics - hardware.graphics.enable = true; - - # Nvidia Driver Configuration - services.xserver.videoDrivers = [ "nvidia" ]; - hardware.nvidia = { - modesetting.enable = true; - powerManagement.enable = false; - powerManagement.finegrained = false; - open = false; - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - - # Allow qemu-libvirtd to access the GPU - users.groups.video.members = [ "qemu-libvirtd" ]; - users.groups.render.members = [ "qemu-libvirtd" ]; - - networking.hostName = "classic-laddie"; - networking.hostId = "8425e349"; # Required for ZFS - networking.networkmanager.enable = true; - - # Storage Support (Roadmap Phase 1) - boot.supportedFilesystems = [ "zfs" ]; - + # --------------------------------------------------------------------------- # Remote Access (Roadmap Phase 1) + # --------------------------------------------------------------------------- services.tailscale = { enable = true; useRoutingFeatures = "server"; 
diff --git a/hosts/classic-laddie/hardware.nix b/hosts/classic-laddie/hardware.nix
new file mode 100644
index 00000000..f7ff16ca
--- /dev/null
+++ b/hosts/classic-laddie/hardware.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ # ---------------------------------------------------------------------------
+ # Bootloader
+ # ---------------------------------------------------------------------------
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # ---------------------------------------------------------------------------
+ # Networking
+ # ---------------------------------------------------------------------------
+ networking.hostId = "8425e349"; # Required for ZFS
+ networking.networkmanager.enable = true;
+
+ # ---------------------------------------------------------------------------
+ # Hardware - NVIDIA
+ # ---------------------------------------------------------------------------
+ nixpkgs.config.allowUnfree = true;
+ hardware.graphics.enable = true;
+
+ services.xserver.videoDrivers = [ "nvidia" ];
+ hardware.nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = false;
+ powerManagement.finegrained = false;
+ open = false;
+ nvidiaSettings = true;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ };
+
+ # Allow qemu-libvirtd to access the GPU
+ users.groups.video.members = [ "qemu-libvirtd" ];
+ users.groups.render.members = [ "qemu-libvirtd" ];
+
+ # ---------------------------------------------------------------------------
+ # Storage Support
+ # ---------------------------------------------------------------------------
+ boot.supportedFilesystems = [ "zfs" ];
+}
diff --git a/hosts/weller/default.nix b/hosts/weller/default.nix
index 0feaae48..da758183 100644
--- a/hosts/weller/default.nix
+++ b/hosts/weller/default.nix
@@ -1,6 +1,5 @@
 {
 config,
- lib,
 pkgs,
 modulesPath,
 inputs,
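Review bot: `users.groups.video.members` / `users.groups.render.members = [ "qemu-libvirtd" ]` now live in a file that mkBootstrap (flake.nix, this commit) imports without workstation.nix, so the bootstrap image grants GPU device-node access to libvirt's service account whether or not libvirtd is enabled there (whether system.nix turns it on is outside this diff). Either keep those two lines in hosts/classic-laddie/default.nix with the rest of the desktop configuration, or guard them: `users.groups.video.members = lib.mkIf config.virtualisation.libvirtd.enable [ "qemu-libvirtd" ];` and the same for `render`. `lib` and `pkgs` are taken from the argument set but unused in this file; `pkgs` can be dropped, and `lib` is only needed if the guard above is adopted.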
@@ -9,7 +8,7 @@ { imports = [ - (modulesPath + "/installer/scan/not-detected.nix") + ./hardware.nix ../../modules/common/system.nix ../../modules/common/users.nix ../../modules/common/workstation.nix 
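Review bot: Replacing the `(modulesPath + "/installer/scan/not-detected.nix")` import with `./hardware.nix` leaves `modulesPath` in this file's argument set (kept by the earlier hunk that drops `lib`) with no visible remaining use; remove it as well unless something beyond this hunk still references it. The `imports` list this hunk edits continues past the hunk's last line.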
@@ -19,94 +18,10 @@ cosmo.user.default = "patrick"; cosmo.user.email = "big.pat@gmail.com"; - # --------------------------------------------------------------------------- - # Hardware (normally in hardware-configuration.nix, but disko handles mounts) - # --------------------------------------------------------------------------- - boot.initrd.availableKernelModules = [ - "nvme" - "xhci_pci" - "ahci" - "usbhid" - "sd_mod" - ]; - boot.kernelModules = [ "kvm-amd" ]; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - - # --------------------------------------------------------------------------- - # Bootloader - systemd-boot - # --------------------------------------------------------------------------- - # Windows is on Disk 0, NixOS on Disk 1 - use UEFI boot menu (F11/F12) to switch - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.initrd.systemd.enable = true; - - # Seagate FireCuda 510 firmware crashes with APST power saving (#263) - boot.kernelParams = [ - "nvme_core.default_ps_max_latency_us=0" - "btusb.enable_autosuspend=n" - ]; - - # --------------------------------------------------------------------------- - # Filesystem - Btrfs with LUKS encryption (managed by disko) - # --------------------------------------------------------------------------- - boot.supportedFilesystems = [ - "btrfs" - "ntfs" - ]; - # --------------------------------------------------------------------------- # Networking # --------------------------------------------------------------------------- networking.hostName = "weller"; - networking.networkmanager.enable = true; - - # --------------------------------------------------------------------------- - # Hardware - NVIDIA RTX 4090 - # --------------------------------------------------------------------------- - nixpkgs.config.allowUnfree = true; - - hardware.graphics.enable = true; - - 
services.xserver.videoDrivers = [ "nvidia" ]; - hardware.nvidia = { - modesetting.enable = true; - powerManagement.enable = false; - powerManagement.finegrained = false; - open = false; # Use proprietary driver for best compatibility - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - - # --------------------------------------------------------------------------- - # Bluetooth – optimised for Kinesis Advantage 360 Pro (ZMK / BLE) - # --------------------------------------------------------------------------- - hardware.bluetooth = { - enable = true; - powerOnBoot = true; - settings = { - General = { - # Keep adapter in page-scan mode for instant reconnects - FastConnectable = "true"; - # ZMK uses "Just Works" pairing – always allow re-pairing - JustWorksRepairing = "always"; - # Better LE handling & battery reporting - Experimental = "true"; - }; - LE = { - # Tighter polling interval (7.5–11.25 ms) for lower input latency - MinConnectionInterval = 6; - MaxConnectionInterval = 9; - ConnectionLatency = 0; - }; - Policy = { - AutoEnable = "true"; - ReconnectAttempts = 7; - ReconnectIntervals = "1,2,4,8,16,32,64"; - }; - }; - }; - environment.systemPackages = with pkgs; [ bluetuith ]; # --------------------------------------------------------------------------- # Remote Access diff --git a/hosts/weller/hardware.nix b/hosts/weller/hardware.nix new file mode 100644 index 00000000..f8ae5c1c --- /dev/null +++ b/hosts/weller/hardware.nix 
@@ -0,0 +1,101 @@ +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + # --------------------------------------------------------------------------- + # Hardware (normally in hardware-configuration.nix, but disko handles mounts) + # --------------------------------------------------------------------------- + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; + boot.kernelModules = [ "kvm-amd" ]; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + + # --------------------------------------------------------------------------- + # Bootloader - systemd-boot + # --------------------------------------------------------------------------- + # Windows is on Disk 0, NixOS on Disk 1 - use UEFI boot menu (F11/F12) to switch + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.initrd.systemd.enable = true; + + # Seagate FireCuda 510 firmware crashes with APST power saving (#263) + boot.kernelParams = [ + "nvme_core.default_ps_max_latency_us=0" + "btusb.enable_autosuspend=n" + ]; + + # --------------------------------------------------------------------------- + # Filesystem - Btrfs with LUKS encryption (managed by disko) + # --------------------------------------------------------------------------- + boot.supportedFilesystems = [ + "btrfs" + "ntfs" + ]; + + # --------------------------------------------------------------------------- + # Networking + # --------------------------------------------------------------------------- + networking.networkmanager.enable = true; + + # --------------------------------------------------------------------------- + # Hardware - NVIDIA RTX 4090 + # --------------------------------------------------------------------------- + nixpkgs.config.allowUnfree = true; + + 
hardware.graphics.enable = true; + + services.xserver.videoDrivers = [ "nvidia" ]; + hardware.nvidia = { + modesetting.enable = true; + powerManagement.enable = false; + powerManagement.finegrained = false; + open = false; # Use proprietary driver for best compatibility + nvidiaSettings = true; + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + + # --------------------------------------------------------------------------- + # Bluetooth – optimised for Kinesis Advantage 360 Pro (ZMK / BLE) + # --------------------------------------------------------------------------- + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + settings = { + General = { + # Keep adapter in page-scan mode for instant reconnects + FastConnectable = "true"; + # ZMK uses "Just Works" pairing – always allow re-pairing + JustWorksRepairing = "always"; + # Better LE handling & battery reporting + Experimental = "true"; + }; + LE = { + # Tighter polling interval (7.5–11.25 ms) for lower input latency + MinConnectionInterval = 6; + MaxConnectionInterval = 9; + ConnectionLatency = 0; + }; + Policy = { + AutoEnable = "true"; + ReconnectAttempts = 7; + ReconnectIntervals = "1,2,4,8,16,32,64"; + }; + }; + }; + environment.systemPackages = with pkgs; [ bluetuith ]; +} diff --git a/modules/bootstrap.nix b/modules/bootstrap.nix new file mode 100644 index 00000000..6a4887ec --- /dev/null +++ b/modules/bootstrap.nix 
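Review bot: `JustWorksRepairing = "always"` under `hardware.bluetooth.settings.General` now applies to the bootstrap target as well as the workstation, and as I read BlueZ's main.conf documentation `always` accepts a Just-Works re-pair request from an already-bonded address without asking the user, which is the case a device spoofing the keyboard's address would rely on (verify against the bluez version in nixpkgs). If instant reconnect is the goal, `confirm` keeps genuine re-pairs cheap while surfacing an unexpected one; at minimum the comment should name the trade-off, e.g. `# "always" skips user confirmation on re-pair; a device presenting the keyboard's address can re-bond silently`. `Experimental = "true"` likewise enables unstable D-Bus interfaces and deserves a one-line justification beyond "better LE handling".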
@@ -0,0 +1,51 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ keys = import ../secrets/keys.nix;
+in
+{
+ imports = [
+ ./common/system.nix
+ ];
+
+ # Define the default user options here since we are importing system.nix
+ cosmo.user.default = lib.mkDefault "patrick";
+ cosmo.user.email = lib.mkDefault "big.pat@gmail.com";
+
+ # Enable SSH
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "prohibit-password"; # Only allow key-based root login
+ PasswordAuthentication = false; # Disable password-based login for better security
+ };
+ };
+
+ # Mutable users for bootstrap
+ users.mutableUsers = true;
+
+ users.users.root.openssh.authorizedKeys.keys = keys.users;
+
+ users.users.${config.cosmo.user.default} = {
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "video"
+ ];
+ # No initial password - use SSH keys for access
+ openssh.authorizedKeys.keys = keys.users;
+ };
+
+ # For bootstrap, we want a balance of security and convenience
+ security.sudo.wheelNeedsPassword = lib.mkDefault true;
+
+ # Ensure compatibility
+ system.stateVersion = "25.11";
+}
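Review bot: `PasswordAuthentication = false` alone does not turn off password logins on NixOS: `services.openssh.settings.KbdInteractiveAuthentication` defaults to true, and sshd's PAM path then still offers a password prompt via keyboard-interactive for the `patrick` account (root is covered by `prohibit-password`), so add `KbdInteractiveAuthentication = false;` next to it to make the "Disable password-based login" comment true. Separately, with `users.mutableUsers = true` and no password option set, `patrick` is created with a locked password as far as I can tell, and `wheelNeedsPassword = true` then makes sudo unusable until root runs `passwd patrick`; say so in the `# No initial password` comment rather than leaving the operator to discover it. The docs hunk in this commit describes the bootstrap as "SSH enabled with password authentication", which contradicts this module and should be reconciled one way or the other. Finally, `system.stateVersion = "25.11"` hard-coded in a shared module should match whatever each host's full configuration sets, since stage 2 switching to a different value silently changes state-compatibility defaults.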