## Preparation

Download NixOS. Burn to USB.

## Booting into install environment

Boot the ISO on PC to install.

Become root with `sudo su`

```bash
loadkeys fr
setfont sun12x22
```

Do network config if necessary, see [install guide](https://nixos.org/manual/nixos/stable/index.html#sec-installation-booting-networking)

## Make partitions

```bash
cgdisk /dev/sda
```

Recommended layout:

```
/dev/sda1 	512M 	ef00 	EFI System partition
/dev/sda2 	100% 	8309 	Linux LUKS 
```

## Setup cryptography 

```bash
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 cryptlvm
```

## Create PV, VG and LVs

```bash
pvcreate /dev/mapper/cryptlvm
vgcreate NixosVG /dev/mapper/cryptlvm
lvcreate -L 8G NixosVG -n swap
lvcreate -l 100%FREE NixosVG -n root
```

## Format partitions

```bash
mkfs.fat -F 32 -n boot /dev/sda1
mkswap /dev/NixosVG/swap
mkfs.ext4 /dev/NixosVG/root
```

## Mount partitions

```bash
swapon /dev/NixosVG/swap
mount /dev/NixosVG/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```

## Generate base NixOS configuration

```bash
nixos-generate-config --root /mnt
```

## Update `hardware-configuration.nix`

This section is needed:

```nix
  boot.initrd.luks.devices."cryptlvm" = {
    device = "/dev/disk/by-uuid/<uuid of sda2>";
    allowDiscards = true;
  };
```

And for the root filesystem, remember to add the `relatime` and `discard` options so that it looks like this:

```nix
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/<...>";
      fsType = "ext4";
      options = [ "relatime" "discard" ];
    };
```

## Update `configuration.nix`

Just enough so that basic tasks can be done from keyboard and remotely:

- timezone
- keyboard layout
- font `sun12x22`
- vim
- non-root user
- ssh
- tcp port 22 in firewall

## Do the installation

```bash
nixos-install
```

## First boot

Reboot machine. Login as `root`

```bash
passwd <nonroot user>
```

If necessary, assign static IP. E.g. `ip addr add 192.168.1.40/24 dev eno1` or sth (replace ip and device appropriately)

Remotely: `ssh-copy-id <user>@<ip>`. Check SSH access is good.

## Deploy from this repo

See the documentation in `/doc` in this repo. The old procedure described here is partly obsolete.

## Old guide

It's time!

**Files in this repo to create/change:**

- create node `.nix` file and symlink for node `.site.nix` (create site and
  cluster `.nix` files if necessary; use existing files of e.g.  the staging
  cluster as examples/templates)
- make sure values are filled in correctly
- add node to `ssh_config` with it's LAN IP, we don't have VPN at this stage

**Configuration steps on the node:**

```bash
# On node being installed
mkdir -p /var/lib/deuxfleurs/remote-unlock
cd /var/lib/deuxfleurs/remote-unlock
ssh-keygen -t ed25519 -N "" -f ./ssh_host_ed25519_key
```

**Try to deploy:**

```bash
# In nixcfg repository from your PC
./deploy.sh <cluster> <nodename>
```

Reboot.

Check remote unlocking works: `ssh -p 222 root@<ip>`

### Configure wireguard

```bash
# On node being installed
mkdir -p /var/lib/deuxfleurs/wireguard-keys
cd /var/lib/deuxfleurs/wireguard-keys
wg genkey | tee private | wg pubkey > public
```

Get the public key, make sure it is in `cluster.nix` so that nodes know one
another.  Also put it anywhere else like in your local wireguard config for
instance so that you can access the node from your PC by its wireguard address
and not only its LAN address.

Redo a deploy (`./deploy.sh <cluster> <nodename>`)

Check VPN works. Change IP in `ssh_config` to use VPN IP instead of LAN IP (required for deploy when away from home).

### Commit changes to `nixcfg` repo

This is a good point to commit your new/modified `.nix` files.

### Configure Nomad and Consul TLS

If you are bootstraping a new cluster, you need to `./genpki.sh <cluster>` to
make a TLS PKI for the Nomad+Consul cluster to work. Then redo a deploy.