wytch/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nix-config/hosts/iso/configuration.nix
wytch 613e37d58b remote install config
2026-04-24 14:48:12 -05:00

83 lines
2.7 KiB
Nix
Raw Permalink Blame History

{ pkgs, modulesPath, inputs, ... }:
{
imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix")
];
# Tools needed for the install process
environment.systemPackages = with pkgs; [
# Disk setup
inputs.disko.packages.${pkgs.system}.disko
cryptsetup
# YubiKey enrollment (systemd-cryptenroll for FIDO2)
yubikey-personalization
yubikey-manager
libfido2
# Misc
git
# Install script — available as `install-coven` in PATH
(pkgs.writeShellScriptBin "install-coven" ''
set -euo pipefail
FLAKE="git+https://git.sassysalamander.net/wytch/nix-config?ref=main"
LUKS_PART="/dev/disk/by-partlabel/disk-main-luks"
echo "======================================================"
echo " coven install script"
echo " Flake: ''${FLAKE}"
echo "======================================================"
echo ""
echo "WARNING: This will ERASE ALL DATA on /dev/nvme0n1"
echo "Press Enter to continue or Ctrl-C to abort."
read -r
echo ""
echo "[1/5] Partitioning, formatting, and mounting via disko..."
echo "(You will be prompted to set a LUKS passphrase this becomes your recovery key.)"
disko --mode disko --flake "''${FLAKE}#coven"
echo ""
echo "[2/5] Enrolling YubiKey FIDO2 into LUKS container..."
echo " Insert your YubiKey and touch it when prompted."
systemd-cryptenroll --fido2-device=auto "''${LUKS_PART}"
echo ""
echo "[3/5] Installing NixOS..."
nixos-install --flake "''${FLAKE}#coven" --no-root-password --root /mnt
echo ""
echo "[4/5] Setting user password for sonja..."
nixos-enter --root /mnt -c 'passwd sonja'
echo ""
echo "[5/5] Done!"
echo ""
echo "Next steps after first boot:"
echo " 1. Fill in your GPG fingerprint in .sops.yaml"
echo " 2. Create and encrypt secrets/secrets.yaml"
echo " 3. Uncomment sops config in hosts/coven/configuration.nix"
echo ""
echo "Remove the install media and reboot."
read -rp "Reboot now? [y/N] " yn
if [[ "''${yn}" =~ ^[Yy]$ ]]; then
reboot
fi
'')
];
services.udev.packages = [ pkgs.yubikey-personalization ];
services.pcscd.enable = true;
# Enable SSH so the machine can be administered remotely during install
services.openssh.enable = true;
# Add your SSH public key here to allow passwordless remote access from the ISO
# users.users.nixos.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA..." ];
nixpkgs.hostPlatform = "x86_64-linux";
isoImage.squashfsCompression = "zstd -Xcompression-level 6";
system.stateVersion = "25.11";
}
Reference in New Issue View Git Blame Copy Permalink