Diffstat (limited to 'README.org')
-rw-r--r--  README.org  108
1 files changed, 108 insertions, 0 deletions
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..7a1005c
--- /dev/null
+++ b/README.org
@@ -0,0 +1,108 @@
+Tools, scripts, and configurations for my machines.
+
+* Installation
+** Steps for a new Darwin machine
+Start by installing nix, using [[https://github.com/DeterminateSystems/nix-installer][nix-installer]] from [[https://determinate.systems][DeterminateSystems]].
+
+#+begin_src sh
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+#+end_src
+
+Now you can build the configuration (remember, the host name is in lower case):
+
+#+begin_src sh
+nix run nix-darwin -- switch --flake .
+#+end_src
+
+Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=.
+
+Best to reboot to complete the installation.
+
+** Steps for a new droplet on DigitalOcean
+Start by creating a droplet using Debian. Create a new host configuration.
+
+Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation.
+
+#+begin_src sh
+nix run github:nix-community/nixos-anywhere -- --flake .#<host> --target-host root@<IP>
+#+end_src
+
+Once the host reboots, check that it's converted to NixOS by running =uname -a=.
+
+** Create the nixos installer
+Run
+#+begin_src sh
+nix build .#nixosConfigurations.iso.config.system.build.isoImage
+#+end_src
+
+Then copy to a USB stick with:
+#+begin_src sh
+sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
+#+end_src
+
+** Bare metal machine
+We can install remotely a machine with =nixos-anywhere=, including full disk encryption.
+
+First, create a password in 1password for the machine (using the convention "nix/<hostname>/encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it).
+
+#+begin_src sh
+set temp (mktemp -d)
+ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
+nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
+#+end_src
+* DNS
+Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]].
+
+* Secrets
+Start by synchronizing the SSH key by running =sync-ssh-key= in the repository. Then, to create or edit a secret:
+#+begin_src sh
+cd (git rev-parse --show-toplevel)/secrets
+agenix -i ~/.ssh/agenix -e users/fcuny/llm.age
+#+end_src
+
+And to rekey a secret:
+#+begin_src sh
+cd (git rev-parse --show-toplevel)/secrets
+agenix -i ~/.ssh/agenix -r
+#+end_src
+
+* Network
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src sh
+wg genkey > wireguard
+wg pubkey < wireguard > wireguard.pub
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src sh
+agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age.secrets.wireguard.file = ../../../../secrets/rivendell/wireguard.age;
+
+networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src
+* Backups
+Backups are done with =restic= and are stored on the local machine, and they are then synchronized to the NAS.
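Review bot: the "Bare metal machine" snippet will fail at the `ssh-keygen` step because `mktemp -d` only creates `$temp`, not the `etc/initrd` subdirectory that `-f "$temp/etc/initrd/ssh_host_ed25519_key"` writes into; add `mkdir -p "$temp/etc/initrd"` between `set temp (mktemp -d)` and the `ssh-keygen` line. The same block is fish syntax (`set temp (...)`, `(... | psub)`) but is fenced as `#+begin_src sh`, so a reader who pastes it into bash gets a syntax error before reaching the typo above; tag it `fish` or rewrite it with `temp=$(mktemp -d)` and a process substitution. Two smaller points in the same file: the Wireguard "New host" steps leave the freshly generated private key in a plaintext `wireguard` file in the working directory after it has been copied into agenix, so the steps should end by deleting that file (and `wireguard.pub` is the only part that needs to stay); and the accompanying Nix fragment hard-codes `../../../../secrets/rivendell/wireguard.age` while the preceding `agenix -e <hostname>/wireguard.age` line is written generically, so either use `<hostname>` in both or state that the fragment is the rivendell instance. Finally, the Darwin install step pipes `curl ... | sh` straight into a shell; downloading the installer to a file first and inspecting or checksumming it before running it is the usual mitigation and worth a sentence in the README.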