From b06f459e9a2da4facb42e2680d30e26bae0d37d8 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sun, 23 Nov 2025 08:45:51 -0800
Subject: simplify the configuration
---
 README.org | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 README.org
(limited to 'README.org')
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..7a1005c
--- /dev/null
+++ b/README.org
@@ -0,0 +1,108 @@
+Tools, scripts, and configurations for my machines.
+
+* Installation
+** Steps for a new Darwin machine
+Start by installing nix, using [[https://github.com/DeterminateSystems/nix-installer][nix-installer]] from [[https://determinate.systems][DeterminateSystems]].
+
+#+begin_src sh
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+#+end_src
+
+Now you can build the configuration (remember, the host name is in lower case):
+
+#+begin_src sh
+nix run nix-darwin -- switch --flake .
+#+end_src
+
+Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=.
+
+Best to reboot to complete the installation.
+
+** Steps for a new droplet on DigitalOcean
+Start by creating a droplet using Debian. Create a new host configuration.
+
+Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation.
+
+#+begin_src sh
+nix run github:nix-community/nixos-anywhere -- --flake .# --target-host root@
+#+end_src
+
+Once the host reboots, check that it's converted to NixOS by running =uname -a=.
+
+** Create the nixos installer
+Run
+#+begin_src sh
+nix build .#nixosConfigurations.iso.config.system.build.isoImage
+#+end_src
+
+Then copy to a USB stick with:
+#+begin_src sh
+sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
+#+end_src
+
+** Bare metal machine
+We can install remotely a machine with =nixos-anywhere=, including full disk encryption.
+
+First, create a password in 1password for the machine (using the convention "nix//encryption"). Next run the following snippet to create the SSH host key for init boot (this is needed so we can ssh to the host to unlock it).
+
+#+begin_src sh
+set temp (mktemp -d)
+ssh-keygen -t ed25519 -N "" -C "initrd-root-ssh" -f "$temp/etc/initrd/ssh_host_ed25519_key"
+nix run github:nix-community/nixos-anywhere -- --flake .#rivendell --build-on remote --disk-encryption-keys /tmp/pass (op read "op://Private/vmifhwbjtvaqp3422gfbjxdq2y/password"|psub) --target-host root@192.168.1.112 --extra-files "$temp"
+#+end_src
+* DNS
+Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]].
+
+* Secrets
+Start by synchronizing the SSH key by running =sync-ssh-key= in the repository. Then, to create or edit a secret:
+#+begin_src sh
+cd (git rev-parse --show-toplevel)/secrets
+agenix -i ~/.ssh/agenix -e users/fcuny/llm.age
+#+end_src
+
+And to rekey a secret:
+#+begin_src sh
+cd (git rev-parse --show-toplevel)/secrets
+agenix -i ~/.ssh/agenix -r
+#+end_src
+
+* Network
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src sh
+wg genkey > wireguard
+wg pubkey < wireguard > wireguard.pub
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src sh
+agenix -i ~/.ssh/agenix -e /wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age.secrets.wireguard.file = ../../../../secrets/rivendell/wireguard.age;
+
+networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src
+* Backups
+Backups are done with =restic= and are stored on the local machine, and they are then synchronized to the NAS.
-- cgit v1.2.3