From 737b74c58de0712973f81c91aa07748c02deef70 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Sat, 24 Jan 2026 10:55:16 -0800 Subject: adding a new VM for testing Re-key all the secrets. --- README.org | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) (limited to 'README.org') diff --git a/README.org b/README.org index dac91fb..df66363 100644 --- a/README.org +++ b/README.org @@ -17,14 +17,13 @@ nix run nix-darwin -- switch --flake . Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=. Best to reboot to complete the installation. - ** Steps for a new droplet on DigitalOcean Start by creating a droplet using Debian. Create a new host configuration. Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation. #+begin_src sh -nix run github:nix-community/nixos-anywhere -- --flake .# --target-host root@ +just deploy-nixos flake ip #+end_src Once the host reboots, check that it's converted to NixOS by running =uname -a=. 
@@ -33,31 +32,31 @@ Once the host reboots, check that it's converted to NixOS by running =uname -a=. - use UEFI for boot - use the ISO generated with =nix build .#nixosConfigurations.iso.config.system.build.isoImage= - boot to the installer -- run =nix run github:nix-community/nixos-anywhere -- --flake .# --target-host +- run =just deploy-nixos name ip= ** Create the nixos installer Run #+begin_src sh nix build .#nixosConfigurations.iso.config.system.build.isoImage #+end_src +If you need to install this on a USB drive, use the Samsung disk for this. Follow these steps: +- =diskutil list= to identify the disk (e.g. =/dev/disk5=) +- =diskutil unmountDisk /dev/disk5= to un-mount the drive + Then copy to a USB stick with: #+begin_src sh sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress #+end_src - ** Bare metal machine We can install remotely a machine with =nixos-anywhere=, including full disk encryption. -First, create a password in 1password for the machine (using the convention "nix//encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it). +First, create a password in =passage= for the machine (using the convention =hosts//disk-encryption/passphrase=), and the ssh private key (=ed25519=). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it). 
#+begin_src sh -set temp (mktemp -d) -ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key" -nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp" +just deploy-nixos name ip #+end_src * DNS Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]]. - * Secrets Get the identity under =secrets/identity.txt= with: #+begin_src sh @@ -68,7 +67,7 @@ age-plugin-yubikey --list --slot 1 > identity.txt To create or edit a secret: #+begin_src sh cd (git rev-parse --show-toplevel)/secrets -agenix -i identity.txt -e users/fcuny/llm.age +age -R $PASSAGE_RECIPIENTS_FILE -o users/fcuny/llm.age #+end_src And to rekey the secrets: @@ -80,8 +79,10 @@ agenix -i identity.txt -r You can validate that the file is correct with: #+begin_src sh cd (git rev-parse --show-toplevel)/secrets -nix eval --file secrets.nix +nix eval --json --pretty --file secrets.nix +age-inspect --json users/fcuny/llm.age #+end_src +The output of =age-inspect= should list in the =stanza_types= key at least one =ssh-ed25519= (it indicates one of the recipient is using a SSH key). * Network ** Wireguard *** New host @@ -138,13 +139,3 @@ Then: #+begin_src shell psql -U postgres -h localhost -p 35432 #+end_src -** Build the ISO -To install nixos, we can build our own iso. For this, run: -#+begin_src shell -just build-iso -#+end_src - -If you need to install this on a USB drive, use the Samsung disk for this. Follow these steps: -- =diskutil list= to identify the disk (e.g. =/dev/disk5=) -- =diskutil unmountDisk /dev/disk5= to un-mount the drive -- =sudo dd if=result/iso/nixos-minimal-25.11git.30a3c519afc-x86_64-linux.iso of=/dev/rdisk5 status=progress= -- cgit v1.2.3
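Review bot: In hunk @@ -17,14 +17,13 @@ the placeholder names for the new recipe are inconsistent with the rest of the patch: here it is `just deploy-nixos flake ip`, while the two later call sites use `just deploy-nixos name ip`. Pick one spelling (e.g. `just deploy-nixos <name> <ip>`) and say what `name` is, presumably the `nixosConfigurations.<name>` attribute that the removed `--flake .#` selected. The recipe also hides the flags the old command made visible (`--target-host root@<ip>`); one sentence on what the recipe runs would keep this section usable when the justfile changes.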
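Review bot: In hunk @@ -33,31 +32,31 @@ the bare-metal prose still says "Next run the following snippet to create the SSH host key for init boot", but the snippet that follows now reads only `just deploy-nixos name ip`; the `ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" ...` step and the `--disk-encryption-keys` / `--extra-files "$temp"` arguments are gone from the document. Either the recipe generates the initrd host key and pulls the passphrase from passage, in which case say so, or the step that makes the remote unlock possible is now undocumented. Two smaller points in the same hunk: the passage path `hosts//disk-encryption/passphrase` has a double slash where the host name belongs (the removed `nix//encryption` had the same gap), so write it as `hosts/<name>/disk-encryption/passphrase`; and the kept `dd` line hard-codes both the ISO name `nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso` and `of=/dev/rdisk5`. `result/iso/*.iso` avoids the stale filename, and the diskutil steps added just above should say to re-check the disk identifier every time, since `dd` to the wrong device is destructive and unrecoverable.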
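Review bot: In hunk @@ -68,7 +67,7 @@ the replacement `age -R $PASSAGE_RECIPIENTS_FILE -o users/fcuny/llm.age` reads the plaintext from stdin and writes a fresh file, so it creates a secret but does not edit one, although the heading still says "To create or edit a secret"; for an edit the existing file has to be decrypted first (`age -d -i identity.txt users/fcuny/llm.age`) and then re-encrypted, or the heading should say create-only. More important for the security model: the removed `agenix -i identity.txt -e` took its recipients per secret from `secrets.nix` (still evaluated in the validation step two hunks down), whereas `-R $PASSAGE_RECIPIENTS_FILE` encrypts to every key in one file. Unless that file is scoped per secret, `llm.age` becomes decryptable by every host key listed there. Finally, if `PASSAGE_RECIPIENTS_FILE` is unset the shell drops the argument and `age -R -o users/fcuny/llm.age` reads `-o` as the recipients path; quote the variable or check it is set.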
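Review bot: In hunk @@ -80,8 +79,10 @@ the `age-inspect --json users/fcuny/llm.age` check only confirms that some `ssh-ed25519` stanza is present in `stanza_types`, not that it belongs to the intended host; the text should tell the reader to compare the listed recipient against the target host's `ssh_host_ed25519_key.pub`, otherwise a file encrypted to the wrong host key passes the check. The added sentence also needs "one of the recipients is using an SSH key". Note too that the hunk's context line `agenix -i identity.txt -r` shows the rekey step still on agenix while creation moved to `age`; with two tools the rekey will not pick up secrets created by the new command unless `secrets.nix` is kept in sync by hand, which the document should state.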
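Review bot: In hunk @@ -138,13 +139,3 @@ the deleted `** Build the ISO` section carried the newer image name (`nixos-minimal-25.11git.30a3c519afc-x86_64-linux.iso`) and the `just build-iso` recipe, while the section that survives earlier in the patch still names the 25.05 image and the raw `nix build .#nixosConfigurations.iso...` command. If `build-iso` still exists in the justfile, the kept section should call it for consistency with `deploy-nixos`; if it was removed, say so in the commit. Moving the `diskutil list` / `diskutil unmountDisk` steps up next to the `dd` command is the right call.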