Introducing nixos-up, a dead-simple installer for NixOS

Great! Yeah, I was thinking of adding a step to let the user edit /etc/nixos/configuration.nix right before nixos-install, but I figured that it would be just as easy to boot into the new install and edit it from there. But I’m open to this as a feature if there’s enough demand for it.

Thanks! I haven’t tackled the multi-boot situation yet since that seems like quite a can of worms, but I agree this would be great to have!

I would definitely like it. My NixOS systems use either Plasma or i3; adding the entirety of Gnome will add extra bandwidth and, more importantly, delay to download all of Gnome and then all of Plasma. My country isn’t the greatest in internet connectivity, so it hurts particularly.

In that case there is an option to do a “server” install which is just the most minimal install: no window manager is configured, audio/printing services aren’t enabled, etc. You could try doing that and then configure your desired setup from there!

Yep, I could. I was more wondering how it would go for a first-time NixOS but veteran Linux user.

For example, like postmarketOS, during setup we can ask for input on a set of predetermined DEs and use that to set up. I admit it’s a nice-to-have rather than a necessity, but it makes the experience that much sweeter and friendlier.

Since you seem okay with putting the password hash of the user in the world-readable nix store, it may also be possible to put the root password in there, or choose to not have a root password (!). That would allow all the steps to happen at the beginning.

Is mutableUsers = false considered an anti-pattern? I didn’t see any warnings in the docs. I wanted to set the root password to be the same as the user, but I couldn’t figure out a way to pass it into nixos-install.

I personally think mutableUsers = true is an antipattern.

If you use users.users.<name>.hashedPassword it does put the hashed password into the world-readable nix store, which some would consider a security risk, because any user on your system could access the hashed password and try to reverse it with dictionary attacks, offline brute force, etc.

users.users.<name>.passwordFile may be a more secure alternative, but it requires a side-channel way to deploy the secret file (or a way to decrypt files in the nix store like agenix), but in your case, you do have a side-channel available!

I haven’t tested it, but I was hoping that nixos-install would be smart enough to realize if the root password was set in the configuration and not ask for it. Since you have the user in the wheel group, I think it would make sense to not set a root password with users.users.root.hashedPassword="!";.

3 Likes
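A minimal configuration fragment, added here as an illustration of the reply above and not taken from nixos-up, contrasting a hash embedded in the nix store with a hash kept in a file outside it. The user name alice and the file paths are assumptions; the hash file is assumed to be created on the target filesystem (under /mnt when installing from live media) before nixos-install runs, since that is where the installed system reads it during activation.

```nix
{ config, pkgs, ... }:

{
  # Declarative user management: the set of users is exactly what this file
  # says, and nothing in /etc/passwd or /etc/shadow is managed by hand.
  users.mutableUsers = false;

  # "!" is not a valid hash, so no password ever matches it: root has no
  # password-based login at all. Administration goes through the wheel
  # user below (and sudo).
  users.users.root.hashedPassword = "!";

  users.users.alice = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];

    # WEAK: a literal hash here becomes part of the built system closure in
    # /nix/store, which is world-readable, so any local user can copy the
    # hash and attack it offline (dictionary, brute force).
    # hashedPassword = "<hash-would-go-here>";   # placeholder, not a real hash

    # PREFERRED: only the *path* ends up in the nix store; the file itself
    # stays outside it. Create it before installing, e.g. (assumed path):
    #   umask 077
    #   mkdir -p /mnt/etc/nixos/secrets
    #   mkpasswd -m sha-512 > /mnt/etc/nixos/secrets/alice.hash
    # and keep it root-owned, mode 0600.
    #
    # Note the value is a string. A path literal such as
    #   passwordFile = ./secrets/alice.hash;
    # would be copied into the nix store at evaluation time, which defeats
    # the purpose of using a file in the first place.
    passwordFile = "/etc/nixos/secrets/alice.hash";
  };
}
```

With both root's hashedPassword and the user's passwordFile set, nixos-install has no unset password to prompt for, which matches the behaviour reported later in this thread.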

Ah ok… Yeah I think I can make that happen!

Ok, I took a stab at using passwordFile, but ran into the issue here: How to use users.users.<name>.passwordFile?

1 Like

All done! Disabled password-based login for root, set up passwordFile instead of hashedPassword, and it no longer asks for a root password part way through the install process.

3 Likes

Great. Next, I think it should be possible to improve the invocation by using a nix-shell invocation.

Yeah I’m not super pleased with the one-liner right now, but I’m also not sure that the alternatives are much better. I brought this up in another thread: Curl to nix-shell.

Right now it’s

curl --fail --silent https://raw.githubusercontent.com/samuela/nixos-up/main/nixos-up.ml > nixos-up.ml && chmod +x nixos-up.ml && sudo ./nixos-up.ml

and I’m just not totally sure that

curl --fail --silent https://raw.githubusercontent.com/samuela/nixos-up/main/nixos-up.ml | sudo nix-shell -p ocaml jq -c ocaml

is much better. Especially considering that most people will not be able to copy-paste this command, so I think it’s better to optimize for remember-ability more than length.

I made a pull request to show how I think you should do it:

https://github.com/samuela/nixos-up/pull/1/files

1 Like

Oooh thank you! I see what you mean. I wasn’t aware you could use nix-shell that way!

1 Like

@samuela are you able to edit the OP with the newer way to run it?

Yup, good catch! Just updated it.

1 Like

Ended up here while trying to figure out how to properly use agenix for users.users.<name>.passwordFile on a fresh install — does anyone have a working example? I’m using flakes and starting the bootstrap process with custom live media built from minimalIso as a base, but seem to be running into a chicken-and-egg problem with the password and the ssh keys. I’ll prune down to a minimal example to share here (or start a new thread, if that’s preferred).

Yeah, the docs for passwordFile were limited in my experience. You can check out how I handled it here: https://github.com/samuela/nixos-up/blob/525a5cefd676d8686adf08bb4a49294f8a1df7c5/nixos-up.py#L237-L259. Not sure if it necessarily helps in your situation, but it’s all I’ve got…

Thanks. I did get both hashedPassword & passwordFile working earlier, without agenix, and it ended up looking similar to your approach.

I’ve pruned and sanitized my example config and posted it on github. The main branch uses passwordFile without agenix and is a rough equivalent of your (much more polished) nixos-up, but with LUKS, and implemented in shell scripts instead of python.

Now I’m working on adding agenix in another branch, step-by-step. I’ve started a post in “Learn” if anyone wants to follow along or offer advice. My goal is to get to a (fairly) minimal example on how to bootstrap a new system using agenix for secret management.

1 Like