From 9519804cc6a746b44f5c9e386bf2a6fd5bc2c25b Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sun, 8 Mar 2026 19:05:06 +0100
Subject: [PATCH] Set danny password on disk after install (chroot chpasswd) so it always works; re-prompt LUKS once
Made-with: Cursor
---
 docs/server-installer-usb.md | 18 ++++++++++++++++++
 scripts/nixos-server-install.sh | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/docs/server-installer-usb.md b/docs/server-installer-usb.md
index 1382c46..bcd320d 100644
--- a/docs/server-installer-usb.md
+++ b/docs/server-installer-usb.md
@@ -2,6 +2,24 @@
 Bootable USB that installs NixOS on a new server with disk encryption (LUKS) and optional WiFi from first boot. Only required input is the hostname (and LUKS passphrase when disko creates the volume). Existing hosts are not modified.
+## Quick path: boot USB → WiFi → SSH in → run bootstrap
+
+1. Boot the target machine from the NixOS installer USB.
+2. On the live system, connect to Wi‑Fi (or plug in Ethernet). Check internet (e.g. `ping -c 2 8.8.8.8`).
+3. On the **live** system, start SSH and set a password for the `nixos` user so you can log in from your Mac:
+ ```bash
+ sudo systemctl start sshd
+ sudo passwd nixos
+ hostname -I
+ ```
+ Note the IP from `hostname -I`.
+4. From your **Mac**: `ssh nixos@` (use the password you set). Now you can paste the bootstrap command instead of typing on the machine.
+5. In that SSH session, run the bootstrap (installs NixOS with LUKS; prompts for hostname, disk, **danny password**, LUKS passphrase, then once more LUKS to set the password on disk):
+ ```bash
+ curl -sL https://raw.githubusercontent.com/DannyDannyDanny/dotfiles/server-installer-usb/scripts/bootstrap-install.sh | sudo bash
+ ```
+6. When it finishes, reboot and remove the USB. Unlock LUKS at boot, then log in as **danny** with the password you set during the install.
+
 ## Option A: Official NixOS ISO (works from macOS)
 You **cannot** build the custom installer ISO on macOS (it is x86_64-linux only and `--system` is restricted). Use the official NixOS minimal ISO instead:
diff --git a/scripts/nixos-server-install.sh b/scripts/nixos-server-install.sh
index 27845e5..a70960b 100644
--- a/scripts/nixos-server-install.sh
+++ b/scripts/nixos-server-install.sh
@@ -94,8 +94,39 @@ if [[ "${confirm,,}" != "y" && "${confirm,,}" != "yes" ]]; then
 exit 0
 fi
 
-exec nix run --extra-experimental-features "nix-command flakes" \
+nix run --extra-experimental-features "nix-command flakes" \
 github:nix-community/disko/latest#disko-install -- \
 --flake "${FLAKE_REF}#server-install" \
 --disk main "$disk" \
 --system-config "$SYSTEM_CONFIG"
+
+# Set danny password directly on disk (Nix merge can fail); re-open LUKS and chroot
+if [[ -n "${danny_pass:-}" ]]; then
+ echo "Setting password for danny on installed system (re-enter LUKS passphrase once)..."
+ read -s -r -p "LUKS passphrase: " luks_pass
+ echo
+ LUKS_DEV="/dev/disk/by-partlabel/disk-main-luks"
+ ESP_DEV="/dev/disk/by-partlabel/disk-main-ESP"
+ if [[ ! -b "$LUKS_DEV" ]]; then
+ LUKS_DEV="${disk}2"
+ ESP_DEV="${disk}1"
+ fi
+ if [[ -b "$LUKS_DEV" ]]; then
+ if ! echo -n "$luks_pass" | cryptsetup open "$LUKS_DEV" crypted --key-file -; then
+ echo "Wrong LUKS passphrase; set danny password after boot: passwd danny"
+ else
+ mount /dev/mapper/crypted /mnt
+ [[ -b "$ESP_DEV" ]] && mount "$ESP_DEV" /mnt/boot
+ mount --bind /dev /mnt/dev
+ mount --bind /proc /mnt/proc
+ mount --bind /sys /mnt/sys
+ echo "danny:${danny_pass}" | chroot /mnt chpasswd
+ umount -R /mnt
+ cryptsetup close crypted
+ echo "Password for danny set. Reboot and log in."
+ fi
+ unset luks_pass
+ else
+ echo "Could not find LUKS partition; set password after boot: passwd danny"
+ fi
+fi
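Review bot: Once `cryptsetup open` succeeds nothing guarantees that `umount -R /mnt` and `cryptsetup close crypted` run — if any of the `mount` calls or the `chroot /mnt chpasswd` step fails, the freshly installed root stays mounted and the LUKS mapper stays open (and under `set -e`, which may be enabled earlier in the script outside this hunk, the script just exits there), so the unwind belongs in a `trap` rather than at the end of the happy path. Dropping `exec` also means a failed `nix run` no longer stops the script unless `set -e` is active, so the password step can run against a half-written disk; a `|| exit 1` on the `--system-config` line closes that gap. The fallback `"${disk}2"`/`"${disk}1"` is wrong for `/dev/nvme*` and `/dev/mmcblk*` devices whose partitions are named `...p2`/`...p1`, the "Wrong LUKS passphrase" message is also printed when the device is merely busy, and `echo "danny:${danny_pass}"` should be `printf '%s:%s\n' danny "$danny_pass"` so a password beginning with `-n`/`-e` is not eaten by `echo`; `danny_pass` is also never cleared, unlike `luks_pass`. The `if [[ "${confirm,,}" ...` block begins outside the hunk; the new `if [[ -n "${danny_pass:-}" ]]` block is entirely inside it.
```shell
  --system-config "$SYSTEM_CONFIG" || exit 1

# … unchanged: danny_pass guard, LUKS passphrase prompt, by-partlabel defaults …
  # Devices ending in a digit (nvme0n1, mmcblk0) name partitions with a "p" infix.
  part_sep=""
  [[ "$disk" == *[0-9] ]] && part_sep="p"
  if [[ ! -b "$LUKS_DEV" ]]; then
    LUKS_DEV="${disk}${part_sep}2"
    ESP_DEV="${disk}${part_sep}1"
  fi
  if [[ -b "$LUKS_DEV" ]]; then
    if ! printf '%s' "$luks_pass" | cryptsetup open "$LUKS_DEV" crypted --key-file -; then
      echo "Could not open LUKS volume (wrong passphrase or device busy); set danny password after boot: passwd danny"
    else
      # Best-effort unwind on every exit path so the root never stays mounted/unlocked.
      cleanup_chroot() {
        umount -R /mnt 2>/dev/null || true
        cryptsetup close crypted 2>/dev/null || true
      }
      trap cleanup_chroot EXIT
      mount /dev/mapper/crypted /mnt
      # … unchanged: ESP and /dev, /proc, /sys bind mounts …
      printf '%s:%s\n' danny "$danny_pass" | chroot /mnt chpasswd
      cleanup_chroot
      trap - EXIT
      echo "Password for danny set. Reboot and log in."
    fi
    unset luks_pass danny_pass
# … unchanged: "Could not find LUKS partition" branch …
```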