How best to deploy to Raspberry Pi

Assume the following setup:

  • A flake.nix which configures an instance of NixOS.
  • The flake uses sops-nix for secrets management, where the secrets are stored in a separate, private GitHub repo.
  • I want to deploy this flake with nixos-anywhere (i.e. there is a disko config, etc).

This has so far worked for me very nicely and turned out to be a quite sustainable way to have recurring deployments.

My issue is that I need to repeat this for a Raspberry Pi 4B. Getting the image onto the SD card is a bit more of a headache than I would like, but that worked fine. The issues started with the disko config. This is somewhat more complicated than I would like and even discouraged by the maintainer of disko (see this thread here).

Before continuing in this direction, I thought it might make more sense to just create the correct image, with everything I want, so that I can flash that onto the Pi from the start. Building the image worked fine after some tinkering, but my issue here is that I don't know how to sanely deploy the SSH key needed to decrypt the sops secrets.

So to summarize options and maybe ask questions:

  • nixos-anywhere + disko: Is this feasible, i.e. has anybody tried it and had success with it?
  • Build SD Image: Not sure how to get the secrets to decrypt the sops-file to the SD card correctly. Any ideas on how to approach this?

Does the community have any input on which method is preferable?

One thing to note is that the kernel used on Raspberry Pis seems not to support kexec, as can be seen in this issue: kexec fails on Raspberry Pi OS: missing /proc/kcore · Issue #183 · nix-community/nixos-anywhere · GitHub, and as I found to still be the case when I tried it ~3 months ago.

This means one must boot a NixOS installer image, probably from USB, which requires a little bit of setup on a Raspberry Pi as I recall, and then use nixos-anywhere through that.

That is all a little awkward, which is why I elected not to bother reinstalling and kept my existing install based on the prebuilt sdimage.

This is not to say that using nixos-anywhere and disko is not possible; I am pretty sure it is possible, just that I looked into it and elected not to bother.

Regarding the built sdimage sops issue, I think I just used the prebuilt image, logged in as nixos, updated the sops config with the autogenerated SSH keys, and rebuilt to my config. Pretty manual, but I last did this when my nix skills were up to nothing more interesting.

Your mileage may vary.

Didn't know that kexec was disabled on the Pi by default. Thanks for this…

I think I just used the prebuilt image, logged in as nixos, updated the sops config with the autogenerated SSH keys, and rebuilt to my config.

To clarify, assume that Host A is a host that can add and change sops secrets.

  1. Download the correct NixOS image and flash it onto the Pi using the Pi flasher tool.
  2. Go through the standard setup procedure for NixOS and install it.
  3. Once installed, reboot the system, and get the age key from the /etc/ssh/ssh_host_ed25519_key.
  4. On Host A add this key to .sops.yaml and update your secrets.
  5. Create an SSH key and add it to GitHub so that the Pi has access to your flakes.
  6. Run
    sudo nixos-rebuild switch --flake github:username/nix-config-flake#rpi
    
    on the Pi.

Does that sum up your proposed solution correctly?

Yep, that seems exactly right, and is how I recall doing it some months ago. Except my flake is public, and so no ssh key adding to any git provider was required, just use https.

Again, there are almost certainly more elegant solutions requiring less manual work, but that is what I used when I last did this.
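Step 3 of the procedure above ("get the age key from the host key") is where most of the manual work sits, so here is what that conversion actually is. This is an added example, not code from the thread, from sops-nix or from the ssh-to-age tool: it reimplements in pure standard-library Python what `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` prints, namely the age recipient (`age1...`) derived from the host's ssh-ed25519 public key. Two things worth knowing: the recipient you put into .sops.yaml is derived from the public half of the host key (the private half is what sops-nix turns into the age identity on the Pi at activation time), and the derivation is the standard Edwards-to-Montgomery map followed by plain bech32 encoding with the "age" prefix. The sample key line is constructed in the block from the Ed25519 base point so the result can be checked by hand; on a real Pi you would feed it the contents of `/etc/ssh/ssh_host_ed25519_key.pub` instead.

```python
"""Derive the age recipient for a NixOS host from its ssh-ed25519 host public key.

Added example (not from the thread, sops-nix or ssh-to-age). It reproduces what
`ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` outputs, using only the stdlib.
"""
import base64
import struct

P = 2**255 - 19                                   # field prime of Curve25519 / Ed25519
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"     # bech32 alphabet (BIP-173)


def parse_ssh_ed25519_pubkey(line: str) -> bytes:
    """Return the 32 raw key bytes from an OpenSSH 'ssh-ed25519 AAAA...' line."""
    keytype, b64 = line.split()[:2]
    if keytype != "ssh-ed25519":
        raise ValueError(f"not an ssh-ed25519 key: {keytype}")
    blob = base64.b64decode(b64)
    # SSH wire format: string(keytype) string(key); each string is uint32 length + bytes.
    off, fields = 0, []
    for _ in range(2):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if fields[0] != b"ssh-ed25519" or len(fields[1]) != 32 or off != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return fields[1]


def ed25519_to_x25519_pub(ed_pub: bytes) -> bytes:
    """Birational map from an Edwards y coordinate to Montgomery u = (1+y)/(1-y) mod p.

    The same conversion ssh-to-age applies; the sign bit of x (bit 255) is ignored.
    """
    y = int.from_bytes(ed_pub, "little") & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("y coordinate out of range")
    if y == 1:
        raise ValueError("degenerate point (y == 1) has no Montgomery u")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_hrp_expand(hrp: str):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_encode(hrp: str, data: list) -> str:
    """Plain bech32 (checksum constant 1, not bech32m), which is what age recipients use."""
    polymod = _bech32_polymod(_bech32_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_verify(s: str) -> bool:
    """True if the checksum of a bech32 string is valid."""
    hrp, _, data = s.rpartition("1")
    try:
        values = [CHARSET.index(c) for c in data]
    except ValueError:
        return False
    return _bech32_polymod(_bech32_hrp_expand(hrp) + values) == 1


def to_5bit(b: bytes) -> list:
    """Regroup 8-bit bytes into 5-bit groups, zero-padding the last group."""
    acc, bits, out = 0, 0, []
    for byte in b:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def age_recipient_from_ssh_pubkey(line: str) -> str:
    """The age1... recipient string for one ssh-ed25519 public key line."""
    raw = parse_ssh_ed25519_pubkey(line)
    return bech32_encode("age", to_5bit(ed25519_to_x25519_pub(raw)))


def ssh_pubkey_line(raw32: bytes) -> str:
    """Build an OpenSSH public key line from 32 raw key bytes (used for the constructed sample)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample, not a real host key: the Ed25519 base point B (y = 4/5),
# whose Montgomery u is 9. On the Pi use: cat /etc/ssh/ssh_host_ed25519_key.pub
SAMPLE_PUBKEY_LINE = ssh_pubkey_line(bytes([0x58]) + bytes([0x66] * 31))

if __name__ == "__main__":
    print(age_recipient_from_ssh_pubkey(SAMPLE_PUBKEY_LINE))
```

The printed `age1...` string is what goes into the `keys:` section of .sops.yaml on Host A, after which `sops updatekeys secrets.yaml` re-encrypts the file for the new recipient. Note that the conversion only needs the public key, so you can copy the `.pub` file off the Pi (or read it with `ssh-keyscan`) rather than touching the private host key at all.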

Getting secrets into an SD card image is annoying. You can look into mcopy or virt-edit or similar.

In Thymis, for example, we inject secrets into a Raspberry Pi SD card image using mcopy.