-rw-r--r-- README.md 40
-rw-r--r-- README.org 108
-rw-r--r-- docs/backups.org 4
-rw-r--r-- docs/dns.org 3
-rw-r--r-- docs/install.org 41
-rw-r--r-- docs/network.org 51
-rw-r--r-- docs/secrets.org 17
-rw-r--r-- home/profiles/media.nix 1
8 files changed, 109 insertions, 156 deletions
diff --git a/README.md b/README.md
deleted file mode 100644
index 7398ad6..0000000
--- a/README.md
+++ /dev/null
@@ -1,40 +0,0 @@
-Tools, scripts, and configurations for my machines.
-
-## Steps for a new Darwin machine
-
-Start by installing nix, using [nix-installer](https://github.com/DeterminateSystems/nix-installer) from [DeterminateSystems](https://determinate.systems).
-
-```sh
-curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
-```
-
-Next, we need to install [homebrew](https://brew.sh):
-```sh
-/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
-```
-
-Finally, we need a [GitHub personal access token](https://github.com/settings/personal-access-tokens). Create one with an expiration time, and renew it when ever it's about to expire (we will get an email about this). The token needs to be stored in `~/.config/nix/nix.conf`:
-
-```
-access-tokens = github.com=****
-```
-
-Now you can build the configuration (remember, the host name is in lower case) :
-```sh
-nix run nix-darwin -- switch --flake .
-```
-
-Finally, switch the default shell via `chsh`, and set it to `/run/current-system/sw/bin/fish`.
-
-Best to reboot to complete the installation.
-
-## Steps for a new droplet on DigitalOcean
-
-Start by creating a droplet using Debian. Create a new host configuration.
-
-Once the droplet is provisioned, we can use `nixos-anywhere` to convert the droplet to a NixOS installation.
-```sh
-nix run github:nix-community/nixos-anywhere -- --flake .#<host> --target-host root@<IP>
-```
-
-Once the host reboots, check that it's converted to NixOS by running `uname -a`.
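Review bot: two steps of the Darwin procedure are dropped here and do not reappear in README.org: the Homebrew install (`/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"`) and the GitHub personal access token written to `~/.config/nix/nix.conf` as `access-tokens = github.com=****`. If the token step is still needed, carry it over and note that the file then holds a live credential in plaintext, so it should be mode 0600 and kept out of any dotfile sync; if both steps were retired on purpose, say so in the commit message so the next reader does not hunt for them.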
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..7a1005c
--- /dev/null
+++ b/README.org
@@ -0,0 +1,108 @@
+Tools, scripts, and configurations for my machines.
+
+* Installation
+** Steps for a new Darwin machine
+Start by installing nix, using [[https://github.com/DeterminateSystems/nix-installer][nix-installer]] from [[https://determinate.systems][DeterminateSystems]].
+
+#+begin_src sh
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+#+end_src
+
+Now you can build the configuration (remember, the host name is in lower case):
+
+#+begin_src sh
+nix run nix-darwin -- switch --flake .
+#+end_src
+
+Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=.
+
+Best to reboot to complete the installation.
+
+** Steps for a new droplet on DigitalOcean
+Start by creating a droplet using Debian. Create a new host configuration.
+
+Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation.
+
+#+begin_src sh
+nix run github:nix-community/nixos-anywhere -- --flake .#<host> --target-host root@<IP>
+#+end_src
+
+Once the host reboots, check that it's converted to NixOS by running =uname -a=.
+
+** Create the nixos installer
+Run
+#+begin_src sh
+nix build .#nixosConfigurations.iso.config.system.build.isoImage
+#+end_src
+
+Then copy to a USB stick with:
+#+begin_src sh
+sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
+#+end_src
+
+** Bare metal machine
+We can install remotely a machine with =nixos-anywhere=, including full disk encryption.
+
+First, create a password in 1password for the machine (using the convention "nix/<hostname>/encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it).
+
+#+begin_src sh
+set temp (mktemp -d)
+ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
+nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
+#+end_src
+* DNS
+Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]].
+
+* Secrets
+Start by synchronizing the SSH key by running =sync-ssh-key= in the repository. Then, to create or edit a secret:
+#+begin_src sh
+cd (git rev-parse --show-toplevel)/secrets
+agenix -i ~/.ssh/agenix -e users/fcuny/llm.age
+#+end_src
+
+And to rekey a secret:
+#+begin_src sh
+cd (git rev-parse --show-toplevel)/secrets
+agenix -i ~/.ssh/agenix -r
+#+end_src
+
+* Network
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src sh
+wg genkey > wireguard
+wg pubkey < wireguard > wireguard.pub
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src sh
+agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age.secrets.wireguard.file = ../../../../secrets/rivendell/wireguard.age;
+
+networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src
+* Backups
+Backups are done with =restic= and are stored on the local machine, and they are then synchronized to the NAS.
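Review bot: the "Bare metal machine" block (`set temp (mktemp -d)` through `(op read "op://…/password"|psub)`) and both "Secrets" blocks (`cd (git rev-parse --show-toplevel)/secrets`) are fish syntax (`set`, parenthesised command substitution, `psub`) but are tagged `#+begin_src sh`; the deleted docs/install.org tagged the same block `fish`, so restore that tag. In the same block, `ssh-keygen -f "$temp/etc/initrd/ssh_host_ed25519_key"` runs without `$temp/etc/initrd` existing, so add `mkdir -p "$temp/etc/initrd"` before it. In the Wireguard step, `wg genkey > wireguard` writes the private key under the default umask (the deleted docs/network.org transcript shows wg's own warning about this); prefix the two `wg` lines with `umask 077`.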
diff --git a/docs/backups.org b/docs/backups.org
deleted file mode 100644
index d636006..0000000
--- a/docs/backups.org
+++ /dev/null
@@ -1,4 +0,0 @@
-* General
-Backups are managed with =restic= and are stored on the NAS.
-
-There's a single password for all the repositories, it's managed with =agenix=, and the file is under secrets (=restic_password.age=).
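Review bot: the sentence stating that a single restic password covers all repositories and is managed with agenix in `restic_password.age` is removed without a replacement; the new Backups section in README.org only says where backups are stored. Carry that sentence over, since it is the one detail someone restoring from a backup needs. The new text also changes where backups live (on the local machine, then synchronized to the NAS, versus stored on the NAS); if that reflects an actual change in the setup, a line in the commit message would help.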
diff --git a/docs/dns.org b/docs/dns.org
deleted file mode 100644
index f04ec0d..0000000
--- a/docs/dns.org
+++ /dev/null
@@ -1,3 +0,0 @@
-* Cloudflare
-** fcuny.net
-To access the console: https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net
diff --git a/docs/install.org b/docs/install.org
deleted file mode 100644
index b846cd3..0000000
--- a/docs/install.org
+++ /dev/null
@@ -1,41 +0,0 @@
-#+TITLE: Installation
-#+AUTHOR: Franck Cuny
-#+EMAIL: franck@fcuny.net
-
-* Darwin
-** =agenix=
-Create SSH host keys with =sudo ssh-keygen -A=.
-
-You then need to add the public key (=/etc/ssh/ssh_host_ed25519_key.pub=) to [[file+emacs:../secrets/secrets.nix][secrets.nix]] and re-key the secrets, running =agenix -i ~/.ssh/agenix -r=.
-
-You can then validate that they key is encrypted properly with =sudo agenix -i /etc/ssh/ssh_host_ed25519_key -d ssh-remote-builder.age=.
-* Virtual machine running on the Synology NAS
-** Creating the VM
-- chose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
-** Install NixOS on the VM
-1. Boot to the installer
-2. Copy the local configuration to the remote host ~rsync -avz --exclude='.git' --exclude='result' world/ nixos@192.168.1.151:~/world/~
-3. On the VM, from the =world= directory:
- 1. Run =sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount nix/machines/vm-synology/disk.nix=
- 2. Run =nixos-install --root /mnt/ --flake .#vm-synology=
-4. Reboot the VM
-* Create the nixos installer
-Run
-#+begin_src fish
-nix build .#nixosConfigurations.iso.config.system.build.isoImage
-#+end_src
-
-Then copy to a USB stick with:
-#+begin_src fish
-sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
-#+end_src
-* Bare metal machine
-We can install remotely a machine with =nixos-anywhere=, including full disk encryption.
-
-First, create a password in 1password for the machine (using the convention "nix/<hostname>/encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it).
-
-#+begin_src fish
-set temp (mktemp -d)
-ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
-nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
-#+end_src
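Review bot: the Darwin `agenix` section (generate host keys with `sudo ssh-keygen -A`, add `/etc/ssh/ssh_host_ed25519_key.pub` to secrets.nix, rekey with `agenix -i ~/.ssh/agenix -r`, verify with `sudo agenix -i /etc/ssh/ssh_host_ed25519_key -d ssh-remote-builder.age`) and the Synology VM steps (disko `--mode destroy,format,mount`, then `nixos-install --root /mnt/ --flake .#vm-synology`) are deleted and do not appear anywhere in README.org. The verification step in particular is the only check that a new host can actually decrypt its secrets; suggest moving both sections rather than dropping them. The `#+TITLE`/`#+AUTHOR`/`#+EMAIL` header is also lost, which is fine if README.org is meant to stay headerless.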
diff --git a/docs/network.org b/docs/network.org
deleted file mode 100644
index d3801b0..0000000
--- a/docs/network.org
+++ /dev/null
@@ -1,51 +0,0 @@
-** Wireguard
-*** New host
-On a host, run the following:
-#+begin_src shell
-fcuny@vm-synology ~> wg genkey > wireguard
-Warning: writing to world accessible file.
-Consider setting the umask to 077 and trying again.
-fcuny@vm-synology ~> wg pubkey < wireguard > wireguard.pub
-fcuny@vm-synology ~> ll
-total 12
-drwxr-xr-x 2 fcuny users 4096 Aug 10 14:24 tmp
--rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard
--rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard.pub
-fcuny@vm-synology ~> cat wireguard.pub jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
-#+end_src
-
-Then create the secret in ../secrets/secrets.nix with
-#+begin_src shell
-agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
-#+end_src
-
-Then add the following to the host's configuration:
-#+begin_src nix
-age = {
- secrets = {
- wireguard = {
- file = ../../../../secrets/rivendell/wireguard.age;
- };
- };
-};
-
-networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.60/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- # digital ocean droplet
- publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
- allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "165.232.158.110:51871";
- persistentKeepalive = 25;
- }
- ];
- };
-};
-
-networking.firewall.allowedUDPPorts = [ 51871 ];
-#+end_src
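Review bot: this transcript is the only place that records wg's "writing to world accessible file / consider setting the umask to 077" warning and the resulting `-rw-r--r--` private key file; the replacement snippet in README.org keeps `wg genkey > wireguard` but drops that context, so the new version silently reproduces the problem. Either keep the warning as a note in README.org or, better, add `umask 077` ahead of the `wg` commands there. The flattened `cat wireguard.pub jf7T…` line (output run onto the command line) is an extraction artifact of the old file and is fine to lose.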
diff --git a/docs/secrets.org b/docs/secrets.org
deleted file mode 100644
index 10d4e9b..0000000
--- a/docs/secrets.org
+++ /dev/null
@@ -1,17 +0,0 @@
-* Secrets
-
-** SSH keys
-
-Start by synchronizing the SSH key by running `sync-ssh-key` in the repository.
-
-Then, to create or edit a secret:
-#+begin_src
- cd (git rev-parse --show-toplevel)/secrets
- agenix -i ~/.ssh/agenix -e users/fcuny/llm.age
-#+end_src
-
-And to rekey a secret:
-#+begin_src
- cd (git rev-parse --show-toplevel)/secrets
- agenix -i ~/.ssh/agenix -r
-#+end_src
diff --git a/home/profiles/media.nix b/home/profiles/media.nix
index a2cfd9d..0d53f42 100644
--- a/home/profiles/media.nix
+++ b/home/profiles/media.nix
@@ -1,6 +1,7 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
+ darktable
ffmpeg
transmission_4
vlc-bin
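Review bot: adding `darktable` to `home.packages` is unrelated to the documentation consolidation that makes up the rest of this change; split it into its own commit so the docs move can be reverted or bisected independently.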