I like my Linux installs heavily customized and security hardened, to the extent that copying over /home won’t cut it, but not so much that it breaks when updating Debian. Whenever someone mentions reinstalling Linux, I am instinctively nervous thinking about the work it would take for me to get from a vanilla install to my current configuration.

It started a couple of years ago, when dreading the work of configuring Debian to my taste on a new laptop, I decided to instead just shrink my existing install to match the new laptop’s drive and dd it over. I later made a VM from my install, stripped out personal files and obvious junk, and condensed it to a 30 GB raw disk image, which I then deployed on the rest of my machines.

That was still a bit too janky, so once my configuration and installed packages stabilized, I bit the bullet, spun up a new VM, and painstakingly replicated my configuration from a fresh copy of Debian. I finished with a 24 GB raw disk image, which I can now deploy as a “fresh” yet pre-configured install, whether to prepare new machines, make new VMs, fix broken installs, or just because I want to.

All that needs to be done after dd’ing the image to a new disk is:

  • Some machines: boot grubx64.efi/shimx64.efi from Ventoy and “bless” the new install with grub-install and update-grub
  • Reencrypt LUKS root partition with new password
  • Configure user and GRUB passwords
  • Set hostname
  • Install updates and drivers as needed
  • Configure for high DPI if needed

I’m interested to hear if any of you have a similar workflow or any feedback on mine.
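A check for the post-dd steps listed above, as an added example that is not part of the original post: it compares a deployed root filesystem against the mounted golden image and flags per-machine values that are still identical to the image. It goes beyond the post's list by also checking /etc/machine-id and the SSH host keys, which every dd clone shares until they are regenerated. The function names, the `user` account name and the `/boot/grub/grub.cfg` location are assumptions, and the sample trees are constructed.

```shell
#!/bin/sh
# Print the value to compare for one item under ROOT (empty if absent).
_field() {  # _field ROOT ITEM USER
    case "$2" in
        shadow) grep "^$3:" "$1/etc/shadow" 2>/dev/null | cut -d: -f2 ;;
        grub)   grep -h 'password_pbkdf2' "$1/boot/grub/grub.cfg" 2>/dev/null || : ;;
        ssh)    cat "$1"/etc/ssh/ssh_host_*_key.pub 2>/dev/null | cut -d' ' -f1,2 | sort ;;
        *)      cat "$1/etc/$2" 2>/dev/null || : ;;
    esac
}

# audit_clone IMAGE_ROOT HOST_ROOT [USER]
# Returns the number of items still shared with (or dropped from) the image.
audit_clone() {
    image=$1; host=$2; user=${3:-user}; shared=0
    for item in hostname machine-id ssh shadow grub; do
        a=$(_field "$image" "$item" "$user")
        b=$(_field "$host" "$item" "$user")
        if [ -z "$a" ] && [ -z "$b" ]; then
            echo "SKIP    $item (absent on both)"
        elif [ "$a" = "$b" ]; then
            echo "SHARED  $item (identical to the image)"; shared=$((shared + 1))
        elif [ -z "$b" ]; then
            echo "UNSET   $item (image had it, host does not)"; shared=$((shared + 1))
        else
            echo "OK      $item"
        fi
    done
    return "$shared"
}

# Constructed sample trees (not real hosts): the clone changed only its hostname.
demo() {
    d=$(mktemp -d)
    for r in image host; do
        mkdir -p "$d/$r/etc/ssh" "$d/$r/boot/grub"
        echo golden > "$d/$r/etc/hostname"
        echo 0123456789abcdef0123456789abcdef > "$d/$r/etc/machine-id"
        echo "ssh-ed25519 AAAAconstructedkey root@golden" > "$d/$r/etc/ssh/ssh_host_ed25519_key.pub"
        echo 'user:$y$constructed$hash:19000:0:99999:7:::' > "$d/$r/etc/shadow"
        echo 'password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTED' > "$d/$r/boot/grub/grub.cfg"
    done
    echo laptop2 > "$d/host/etc/hostname"
    audit_clone "$d/image" "$d/host" user || echo "$? item(s) still shared with the image"
    rm -rf "$d"
}
demo
```

Run it as root against real trees, since /etc/shadow is not world-readable. The LUKS volume key is not covered, because checking it needs the block device rather than files.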

  • Unmapped
    13 days ago

    You should check out Nixos. You make a config file that you can just copy over to as many machines as you want.

    • Yeah this is a good use case for it, if I remember right you can also trivially generate a live installer iso from the same nix configuration you’d use to run any usual updates. So you can make a custom installer for your exact configuration and copy that onto a flash drive to bootstrap you into a working environment. I think the live installer would generate something like a hardware-configuration.nix too.

      • thejevans
        13 days ago

        You could also use nixos-anywhere + disko. This is what I use. If you have SSH and root access to a linux machine, you can live swap to a NixOS installer, load a configuration over SSH, install and reboot. It gives a similar experience to Ansible.

        • wheresmysurplusvalue [comrade/them]@hexbear.net
          13 days ago

          That’s sweet, I didn’t think about using nixos-anywhere for this purpose (just simplifying the install process on a new machine). I used it to great success to install NixOS on a VPS that only had a few OS options like Debian.

    • 4am@lemm.ee
      13 days ago

      That or Ansible, if you will have a machine to deploy from

      • TunaCowboy@lemmy.world
        13 days ago

        if you will have a machine to deploy from

        You can run ansible against localhost, so you don’t even need that.

      • Possibly linux@lemmy.zip
        13 days ago

        You don’t need a machine to deploy from. You just need a git repo and Ansible pull. It will pull down and run playbooks against the host. (Use the self target to run it on the local machine)