Initial setup (old)

nixos-generate-config

Reading list

TODOs:

  • Split stuff into multiple files
  • Make a flake
  • merge hosted docs into a single subdomain
  • autogenerate ssh keys
  • pre-commit hook with 'nix eval ...outPath'
  • use nom when deploying
  • figure out how to reuse the system flake lock while deploying, leave upgrades to the nightly job
  • Set up some remote-development and deploy flow
  • users/pbsds: Support multiple profiles, like headless, nixpkgs-dev, various desktops, hpc, pvv, etc
  • nixos-generate-config instructions for new hosts
  • zfs, declarative pools?
  • secrets - nix-sops ?
    • flexget
    • transmission
    • domeneshop
  • hydra
  • self-hosted binary cache (single-machine) (nix-serve, carinae, harmonia, eris or attic)
  • profiles/web: make ACME/nginx helper a function
    • Support multiple tlds
    • Support multiple acme accounts
    • Support a per-account provider?
    • Support DNS auth
    • Set up aliases instead of a per-vhost cert?
      • Preferably set up a wildcard cert per host

Cheatsheet

How to deploy

Build locally, deploy on local, with nom:

sudo true && sudo nixos-rebuild test --flake . --recreate-lock-file --no-write-lock-file |& nom

Via git, build on remote:

ssh -t HOST sudo nixos-rebuild test --flake git+ssh://gitea@gitea.noximilien.pbsds.net/pbsds/nix-config.git --recreate-lock-file --no-write-lock-file

or

ssh -t HOST sudo nixos-rebuild test --flake git+ssh://git@github.com/pbsds/nix-dotfiles.git --recreate-lock-file --no-write-lock-file

From local checkout to remote where you're not a trusted user, build on remote:

tar cf - --directory="$(nix eval --raw .#inputs.self.outPath)" . | ssh -tt HOST -- bash -c '"set -x; cd $(mktemp -d); tar xf - && nixos-rebuild test --flake . "$@""' -- --print-build-logs --recreate-lock-file --no-write-lock-file

.. wait doesn't that litter /tmp or /run/user/.../tmp?

¯_(ツ)_/¯

From local checkout to remote if local nix daemon has ssh keys, then build on remote:

nix copy --from "$(nix eval .#inputs.self.outPath)" --to TODO

Build locally, copy to remote

TODO

How to evaluate nixos flake/configuration.nix, checking if the drv hash is equal

nix eval .#nixosConfigurations.noximilien.config.system.build.toplevel.outPath

old way:

nix-instantiate '<nixpkgs/nixos>' -A system -I nixos-config=./configuration.nix