
Tools, scripts, and configurations for my machines.

Installation

Steps for a new Darwin machine

Start by installing nix, using nix-installer from DeterminateSystems.

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install

Now you can build the configuration (remember, the host name is in lower case):

nix run nix-darwin -- switch --flake .

Finally, switch the default shell via chsh, and set it to /run/current-system/sw/bin/fish.

Best to reboot to complete the installation.

Steps for a new droplet on DigitalOcean

Start by creating a droplet using Debian. Create a new host configuration.

Once the droplet is provisioned, we can use nixos-anywhere to convert the droplet to a NixOS installation.

nix run github:nix-community/nixos-anywhere -- --flake .#<host> --target-host root@<IP>

Once the host reboots, check that it's converted to NixOS by running uname -a.

Steps for a new VM on the Synology NAS

  • choose VGA for the display (otherwise systemd-udevd gets stuck)
  • use UEFI for boot
  • use the ISO generated with nix build .#nixosConfigurations.iso.config.system.build.isoImage
  • boot to the installer
  • run nix run github:nix-community/nixos-anywhere -- --flake .#<name> --target-host <ip>

Create the nixos installer

Run

nix build .#nixosConfigurations.iso.config.system.build.isoImage

Then copy to a USB stick with:

sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress

Bare metal machine

We can install remotely a machine with nixos-anywhere, including full disk encryption.

First, create a password in 1Password for the machine (using the convention "nix/<hostname>/encryption"). Next, run the following snippet to create the SSH host key used by the initrd (this is needed so we can SSH to the host during boot and unlock the encrypted disk).

# staging tree for --extra-files; the directory must exist before ssh-keygen writes into it
set temp (mktemp -d)
mkdir -p "$temp/etc/initrd"
ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
# the disk encryption passphrase is read from 1Password and handed over through a fish process substitution
nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
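Everything under the --extra-files directory is copied onto the new root as-is, so it is worth checking the staged tree before running nixos-anywhere. The following POSIX sh script is an added example, not part of this repository: it builds the staging tree the same way as above (the etc/initrd/ssh_host_ed25519_key path is taken from the snippet) and verifies that the private key is present, is readable by its owner only, has its public half next to it, and that nothing else was staged by accident. ssh-keygen is used only when it is installed; otherwise a constructed empty stand-in key is created so the check itself runs anywhere.

```shell
#!/bin/sh
# Added example (not from the repository): verify a --extra-files staging
# directory before nixos-anywhere copies it onto the new system.

# Assumption: same relative path as the README snippet uses.
INITRD_KEY_REL="etc/initrd/ssh_host_ed25519_key"

# 0 if FILE exists and has no group or other permission bits set.
is_owner_only() {
    f=$1
    [ -f "$f" ] || return 1
    # columns 5-10 of ls -l are the group and other rwx triplets
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# 0 when DIR holds the initrd host key pair with the private key locked
# down to its owner and no stray files next to it.
check_extra_files_tree() {
    dir=$1
    key="$dir/$INITRD_KEY_REL"
    [ -f "$key" ]        || { echo "missing private key: $key" >&2; return 1; }
    [ -f "$key.pub" ]    || { echo "missing public key: $key.pub" >&2; return 1; }
    is_owner_only "$key" || { echo "private key is group/world accessible: $key" >&2; return 1; }
    extra=$(find "$dir/etc/initrd" -type f \
        ! -name 'ssh_host_ed25519_key' ! -name 'ssh_host_ed25519_key.pub')
    [ -z "$extra" ]      || { echo "unexpected files staged: $extra" >&2; return 1; }
    return 0
}

# Build the staging tree as the README does, then verify it.
stage_and_check() {
    temp=$(mktemp -d)
    mkdir -p "$temp/etc/initrd"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/$INITRD_KEY_REL"
    else
        # constructed stand-in so the example runs offline without OpenSSH;
        # umask 077 gives the files mode 0600 like a real key
        (umask 077; : > "$temp/$INITRD_KEY_REL"; : > "$temp/$INITRD_KEY_REL.pub")
    fi
    check_extra_files_tree "$temp" && echo "staging tree OK: $temp"
}

stage_and_check
```

If the check fails, fix the tree before passing it to --extra-files; a key that is world-readable in the staging directory ends up world-readable on the target.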

DNS

Update records through the console.

Secrets

Start by synchronizing the SSH key by running sync-ssh-key in the repository. Then, to create or edit a secret:

cd (git rev-parse --show-toplevel)/secrets
agenix -i ~/.ssh/agenix -e users/fcuny/llm.age

And to rekey a secret:

cd (git rev-parse --show-toplevel)/secrets
agenix -i ~/.ssh/agenix -r

Network

Wireguard

New host

On a host, run the following:

wg genkey > wireguard
wg pubkey < wireguard > wireguard.pub

Then declare the secret in ../secrets/secrets.nix and create it with

agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age

Then add the following to the host's configuration:

age.secrets.wireguard.file = ../../../../secrets/rivendell/wireguard.age;

networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        # DigitalOcean droplet
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        persistentKeepalive = 25;
      }
    ];
  };
};

networking.firewall.allowedUDPPorts = [ 51871 ];
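Before deploying a new host's WireGuard configuration it is useful to check the three things that most often go wrong in this snippet: the private key must be referenced through the agenix secret path and never pasted into the Nix file, listenPort must also appear in networking.firewall.allowedUDPPorts, and each peer publicKey must be a well-formed key. The POSIX sh script below is an added example, not code from this repository; it runs the checks with sed and grep over the snippet above (embedded as a constructed sample, with the comment dropped) and needs no wg binary.

```shell
#!/bin/sh
# Added example (not part of this repository): pre-deployment checks for a
# host's WireGuard snippet. The functions return 0 on success, 1 on failure.

# Constructed input: the host snippet from the README.
WG_SNIPPET='
age.secrets.wireguard.file = ../../../../secrets/rivendell/wireguard.age;

networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        persistentKeepalive = 25;
      }
    ];
  };
};

networking.firewall.allowedUDPPorts = [ 51871 ];
'

# 0 if the key comes from an agenix secret and no literal privateKey = "..." exists.
wg_private_key_is_secret() {
    printf '%s\n' "$1" | grep -q 'privateKeyFile *= *config\.age\.secrets\.' || return 1
    printf '%s\n' "$1" | grep -q 'privateKey *= *"' && return 1
    return 0
}

# Print the listenPort number, or nothing if none is set.
wg_listen_port() {
    printf '%s\n' "$1" | sed -n 's/.*listenPort *= *\([0-9][0-9]*\);.*/\1/p' | head -n 1
}

# 0 if listenPort is listed in networking.firewall.allowedUDPPorts.
wg_listen_port_allowed() {
    port=$(wg_listen_port "$1")
    [ -n "$port" ] || return 1
    ports=$(printf '%s\n' "$1" | sed -n 's/.*allowedUDPPorts *= *\[\([^]]*\)\].*/\1/p')
    for p in $ports; do
        [ "$p" = "$port" ] && return 0
    done
    return 1
}

# 0 if every peer publicKey is the canonical base64 form of a 32-byte key:
# 44 characters, one '=' of padding, and a 43rd character whose low two
# bits are zero (that is what `wg pubkey` emits).
wg_pubkeys_valid() {
    keys=$(printf '%s\n' "$1" | sed -n 's/.*publicKey *= *"\([^"]*\)".*/\1/p')
    [ -n "$keys" ] || return 1
    for k in $keys; do
        printf '%s\n' "$k" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$' || return 1
    done
    return 0
}

# Run all checks, report every failure, and return 0 only if all pass.
wg_check_host_config() {
    rc=0
    wg_private_key_is_secret "$1" || { echo "FAIL: private key must come from config.age.secrets" >&2; rc=1; }
    wg_listen_port_allowed "$1"   || { echo "FAIL: listenPort is not in allowedUDPPorts" >&2; rc=1; }
    wg_pubkeys_valid "$1"         || { echo "FAIL: malformed peer publicKey" >&2; rc=1; }
    return $rc
}

wg_check_host_config "$WG_SNIPPET" && echo "wireguard snippet OK"
```

Feed it the host's snippet (for example with `wg_check_host_config "$(cat hosts/<hostname>/wireguard.nix)"`, assuming that is where the block lives) and deploy only when it prints OK; a key that fails the canonical-encoding check is usually a copy-paste truncation of the `wireguard.pub` file.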

Backups

Backups are done with restic and are stored on the local machine, and they are then synchronized to the NAS.