path: root/README.org
blob: df6636312ed74aaed3bb89957f61be6a98fb0abb
Tools, scripts, and configurations for my machines.

* Installation
** Steps for a new Darwin machine
Start by installing nix, using [[https://github.com/DeterminateSystems/nix-installer][nix-installer]] from [[https://determinate.systems][DeterminateSystems]].

#+begin_src sh
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
#+end_src

Now you can build the configuration (remember, the host name is in lower case):

#+begin_src sh
nix run nix-darwin -- switch --flake .
#+end_src

Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=.

It is best to reboot to complete the installation.
** Steps for a new droplet on DigitalOcean
Start by creating a droplet using Debian. Create a new host configuration.

Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation.

#+begin_src sh
just deploy-nixos flake ip
#+end_src

Once the host reboots, check that it's converted to NixOS by running =uname -a=.
** Steps for a new VM on the Synology NAS
- choose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
- use UEFI for boot
- use the ISO generated with =nix build .#nixosConfigurations.iso.config.system.build.isoImage=
- boot to the installer
- run =just deploy-nixos name ip=
** Create the nixos installer
Run
#+begin_src sh
nix build .#nixosConfigurations.iso.config.system.build.isoImage
#+end_src

If you need to write this to a USB drive, use the Samsung disk. Follow these steps:
- =diskutil list= to identify the disk (e.g. =/dev/disk5=)
- =diskutil unmountDisk /dev/disk5= to un-mount the drive

Then copy to a USB stick with:
#+begin_src sh
sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
#+end_src
** Bare metal machine
We can install a machine remotely with =nixos-anywhere=, including full disk encryption.

First, create a passphrase in =passage= for the machine (using the convention =hosts/<hostname>/disk-encryption/passphrase=), along with the SSH private key (=ed25519=). Next, run the following to create the SSH host key for the init boot (this is needed so we can SSH to the host and unlock the disk).

#+begin_src sh
just deploy-nixos name ip
#+end_src
* DNS
Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]].
* Secrets
Get the identity under =secrets/identity.txt= with:
#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
age-plugin-yubikey --list --slot 1 > identity.txt
#+end_src

To create or edit a secret:
#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
age -R $PASSAGE_RECIPIENTS_FILE -o users/fcuny/llm.age
#+end_src

And to rekey the secrets:
#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
agenix -i identity.txt -r
#+end_src

You can validate that the file is correct with:
#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
nix eval --json --pretty --file secrets.nix
age-inspect --json users/fcuny/llm.age
#+end_src
The output of =age-inspect= should list at least one =ssh-ed25519= under the =stanza_types= key (this indicates that one of the recipients is an SSH key).
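The same check can be done without =age-inspect=, because the recipient stanzas live in the plaintext header of every age file. The following script is an added example, not code from this repository: it parses the age v1 header, reports the stanza types, and additionally cross-checks that every =ssh-ed25519= key declared for the secret in =secrets.nix= actually has a matching stanza, using the 4-byte key tag age stores in each =ssh-ed25519= stanza. The keys, the =secrets.nix= JSON and the header below are all constructed sample data (a real file would be opened in binary mode and its header decoded as ASCII up to the =--- = MAC line).

```python
"""Check an age-encrypted secret against the recipients declared in secrets.nix.

Added example, not part of this repository. Every key and header below is
constructed sample data, not a real secret.
"""
import base64
import hashlib
import json
import struct

AGE_MAGIC = "age-encryption.org/v1"


def b64_unpadded(data: bytes) -> str:
    """age uses standard base64 without padding."""
    return base64.b64encode(data).decode().rstrip("=")


def ssh_recipient_tag(openssh_pubkey: str) -> str:
    """Tag of an ssh-ed25519 recipient: first 4 bytes of SHA-256 over the SSH wire-format key."""
    blob = base64.b64decode(openssh_pubkey.split()[1])
    return b64_unpadded(hashlib.sha256(blob).digest()[:4])


def parse_age_header(text: str) -> list[dict]:
    """Return the recipient stanzas of an age v1 header (type, args, base64 body)."""
    lines = text.split("\n")
    if lines[0] != AGE_MAGIC:
        raise ValueError("not an age v1 file")
    stanzas, i, saw_mac = [], 1, False
    while i < len(lines):
        line = lines[i]
        if line.startswith("--- "):          # the header MAC line ends the header
            saw_mac = True
            break
        if not line.startswith("-> "):
            raise ValueError(f"unexpected header line: {line!r}")
        args = line[3:].split(" ")
        i += 1
        body = []
        while True:                          # body: 64-char lines, the last one shorter
            if i >= len(lines):
                raise ValueError("truncated stanza body")
            body.append(lines[i])
            i += 1
            if len(body[-1]) < 64:
                break
        stanzas.append({"type": args[0], "args": args[1:], "body": "".join(body)})
    if not saw_mac:
        raise ValueError("header MAC line missing")
    return stanzas


def check_recipients(header: str, declared_keys: list[str]) -> dict:
    """Compare the ssh-ed25519 stanzas in the header with the keys declared in secrets.nix."""
    stanzas = parse_age_header(header)
    tags = {s["args"][0] for s in stanzas if s["type"] == "ssh-ed25519"}
    # Only SSH keys carry a tag; other recipients (e.g. the YubiKey identity) are skipped.
    ssh_keys = [k for k in declared_keys if k.startswith("ssh-ed25519 ")]
    missing = [k for k in ssh_keys if ssh_recipient_tag(k) not in tags]
    types = sorted({s["type"] for s in stanzas})
    return {"stanza_types": types, "missing": missing,
            "ok": "ssh-ed25519" in types and not missing}


# --- constructed sample data ---------------------------------------------------
def make_openssh_ed25519_pubkey(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line from 32 raw key bytes (sample data only)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


USER_KEY = make_openssh_ed25519_pubkey(bytes(range(32)), "fcuny@laptop (constructed)")
HOST_KEY = make_openssh_ed25519_pubkey(bytes(range(32, 64)), "root@host (constructed)")

# Shape of `nix eval --json --file secrets.nix` for one secret (constructed).
SECRETS_JSON = json.dumps({"users/fcuny/llm.age": {"publicKeys": [USER_KEY, HOST_KEY]}})


def build_sample_header(ssh_keys: list[str]) -> str:
    """Fake age header: one native X25519 stanza plus one stanza per SSH key."""
    share, wrapped = b64_unpadded(bytes(32)), b64_unpadded(b"\x01" * 32)  # not real values
    lines = [AGE_MAGIC, f"-> X25519 {share}", wrapped]
    for key in ssh_keys:
        lines += [f"-> ssh-ed25519 {ssh_recipient_tag(key)} {share}", wrapped]
    lines.append(f"--- {b64_unpadded(bytes(32))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    declared = json.loads(SECRETS_JSON)["users/fcuny/llm.age"]["publicKeys"]
    for header in (build_sample_header([USER_KEY, HOST_KEY]), build_sample_header([USER_KEY])):
        print(check_recipients(header, declared))
```

The second header in the usage run is missing the host's stanza, so the check reports that key under =missing= and =ok= is false; that is exactly the situation a rekey fixes. Because the tag is only 4 bytes, a match confirms the stanza was made for that key but is not a proof of decryptability; the definitive test remains decrypting with the host's identity.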
* Network
** Wireguard
*** New host
On a host, run the following:
#+begin_src sh
wg genkey > wireguard
wg pubkey < wireguard > wireguard.pub
#+end_src

Then create the secret in =../secrets/secrets.nix= with:
#+begin_src sh
agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
#+end_src

Then add the following to the host's configuration:
#+begin_src nix
age.secrets.wireguard.file = ../../../../secrets/rivendell/wireguard.age;

networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        # digital ocean droplet
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        persistentKeepalive = 25;
      }
    ];
  };
};

networking.firewall.allowedUDPPorts = [ 51871 ];
#+end_src
* Backups
Backups are done with =restic= and are stored on the local machine, and they are then synchronized to the NAS.
* Runbooks
** Remote builders
*** Clients
On the clients, you can run =nix config show builders= to see the list of the remote builders.
If a client fails to run builds remotely because of SSH errors, test the connection with: =sudo ssh -o 'IdentityAgent none' -i /run/agenix/ssh-remote-builder builder@builder true=. We need =sudo= because the nix daemon runs as root, so the test has to use the same user and key the daemon does.
*** Builders
On the builders, you can run =nix config show allowed-users= to see the list of users who can trigger nix builds.
** PostgreSQL
To connect from my local machine remotely:
#+begin_src shell
ssh framebox -L 35432:/var/run/postgresql/.s.PGSQL.5432
#+end_src
Then:
#+begin_src shell
psql -U postgres -h localhost -p 35432
#+end_src