Config of my NixOS hosts
Top-level files and directories:

- `hosts`
- `lib`
- `modules`
- `packages/mia`
- `ssh_keys`
- `.gitignore`
- `common.nix`
- `flake.lock`
- `flake.nix`
- `overlay.nix`
- `README.adoc`
- `UNLICENSE`
== Build a config and switch to it

[source,bash]
----
sudo nixos-rebuild switch --flake .#thehostname
----

If `#thehostname` is not provided, it defaults to the current hostname.

== Try to build a configuration

[source,bash]
----
nix build .#nixosConfigurations.thehostname.config.system.build.toplevel
----

== Update lock file to the latest inputs

[source,bash]
----
nix flake update
----

== Build the Aegis installer ISO

[source,bash]
----
nix build .#nixosConfigurations.aegis-installer.config.system.build.isoImage
----

The built image is available under `result/iso/`.

== Write installer ISO to USB

[source,bash]
----
sudo dd if=result/iso/*.iso of=/dev/sdX bs=4M conv=fsync status=progress
----

Replace `/dev/sdX` with your USB device.

== Install Aegis from the custom ISO

Boot the Protectli from the USB stick, then run:

[source,bash]
----
install-aegis
----

The installer wipes `/dev/nvme0n1`, creates EFI + ext4 partitions, and installs `.#aegis`.
You can target another disk with `install-aegis /dev/your-disk`.

After first boot, connect with SSH as user `admin` using your configured SSH key.

== Aegis DNS and DHCP

- `aegis` provides DNS filtering with AdGuard Home on `192.168.1.1:53`.
- The AdGuard web UI is available on LAN at `http://192.168.1.1:3000`.
- `dnsmasq` provides DHCP on LAN (`192.168.1.100-192.168.1.199`).

AdGuard web authentication is required. Create the admin hash file on `aegis`:

[source,bash]
----
PASSWORD='choose-a-strong-password'
HASH="$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbBC 12 "" "$PASSWORD" | tr -d ':\n')"
sudo install -d -m 0755 /etc/secrets
sudo sh -c 'printf "%s\n" "$1" > /etc/secrets/aegis-adguard-admin-password-hash' _ "$HASH"
sudo chmod 0644 /etc/secrets/aegis-adguard-admin-password-hash
----

== Aegis Wi-Fi (WPA2)

- SSID: `NSA honeypot`.
- Create the WPA2 passphrase file on `aegis`:
+
[source,bash]
----
sudo install -d -m 0755 /etc/secrets
sudo install -m 0600 /dev/null /etc/secrets/aegis-wifi-passphrase
sudo sh -c 'printf "%s\n" "your-8-to-63-char-passphrase" > /etc/secrets/aegis-wifi-passphrase'
----

== Aegis Mullvad VPN gateway (kill-switch)

`aegis` can run a Mullvad WireGuard client and route all LAN traffic through it.

1. Copy your Mullvad WireGuard `.conf` files to `aegis`:
+
[source,bash]
----
sudo install -d -m 0755 /etc/secrets/mullvad/servers
sudo cp /path/to/mullvad/*.conf /etc/secrets/mullvad/servers/
sudo ln -sfn /etc/secrets/mullvad/servers/your-default.conf /etc/secrets/mullvad/current.conf
----

2. Control it on `aegis`:
+
[source,bash]
----
sudo mullvad-gw list
sudo mullvad-gw up
sudo mullvad-gw status
sudo mullvad-gw switch nl-ams-wg-001
sudo mullvad-gw down
----
+
`up` enables a LAN kill-switch (LAN forwarding is blocked unless traffic exits via `mullvad`).

3. Control it remotely from `stellaris`:
+
[source,bash]
----
aegis-vpn list
aegis-vpn up
aegis-vpn status
aegis-vpn switch nl-ams-wg-001
aegis-vpn down
----
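As an added example (not part of this repository), a POSIX sh helper that checks the two secrets the AdGuard and Wi-Fi sections above have you create by hand: the WPA2 passphrase (8 to 63 printable ASCII bytes) and the bcrypt hash that `htpasswd -B` prints, and that installs the passphrase file with mode 0600 the way the manual steps do. The directory argument and the function names are my own, so it can be run unprivileged against a temporary directory instead of `/etc/secrets`.

```shell
#!/bin/sh
# Added example: validate and install Aegis secrets. Not the repo's own code.
# Assumes POSIX sh plus coreutils `install`, `wc`, `tr`, `mv`, `chmod`.

# WPA2-PSK passphrases must be 8..63 bytes of printable ASCII (0x20..0x7e).
# Returns 0 when the passphrase is acceptable, 1 otherwise.
valid_wpa2_passphrase() {
  pass=$1
  len=$(printf '%s' "$pass" | wc -c | tr -d ' ')
  [ "$len" -ge 8 ] && [ "$len" -le 63 ] || return 1
  # Count bytes left after deleting every printable ASCII byte; must be zero.
  bad=$(printf '%s' "$pass" | LC_ALL=C tr -d '\040-\176' | wc -c | tr -d ' ')
  [ "$bad" -eq 0 ]
}

# `htpasswd -nbBC 12 "" "$PASSWORD" | tr -d ':\n'` yields a 60-character
# bcrypt string like `$2y$12$...`; anything else means the hash step went wrong.
valid_bcrypt_hash() {
  case $1 in
    '$2a$'??'$'*|'$2b$'??'$'*|'$2y$'??'$'*) [ "${#1}" -eq 60 ] ;;
    *) return 1 ;;
  esac
}

# Install the passphrase as "$1"/aegis-wifi-passphrase with mode 0600.
# The file is written under umask 077 to a temp name in the same directory
# and then renamed, so no reader ever sees a world-readable or partial file.
install_wifi_passphrase() {
  dir=$1
  pass=$2
  valid_wpa2_passphrase "$pass" || { echo "invalid WPA2 passphrase" >&2; return 1; }
  install -d -m 0755 "$dir" || return 1
  tmp="$dir/.aegis-wifi-passphrase.tmp"
  (umask 077 && printf '%s\n' "$pass" > "$tmp") || return 1
  chmod 0600 "$tmp" && mv -f "$tmp" "$dir/aegis-wifi-passphrase"
}
```

On the real host you would call `install_wifi_passphrase /etc/secrets "$PASSPHRASE"` under `sudo`.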