Tools, scripts, and configurations for my machines.

* Installation

** Steps for a new Darwin machine

Start by installing nix, using [[https://github.com/DeterminateSystems/nix-installer][nix-installer]] from [[https://determinate.systems][DeterminateSystems]].

#+begin_src sh
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
#+end_src

Now you can build the configuration (remember, the host name is in lower case):

#+begin_src sh
nix run nix-darwin -- switch --flake .
#+end_src

Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=. Best to reboot to complete the installation.

** Steps for a new droplet on DigitalOcean

Start by creating a droplet using Debian. Create a new host configuration. Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation.

#+begin_src sh
just deploy-nixos flake ip
#+end_src

Once the host reboots, check that it's converted to NixOS by running =uname -a=.

** Steps for a new VM on the Synology NAS

- choose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
- use UEFI for boot
- use the ISO generated with =nix build .#nixosConfigurations.iso.config.system.build.isoImage=
- boot to the installer
- run =just deploy-nixos name ip=

** Create the nixos installer

Run

#+begin_src sh
nix build .#nixosConfigurations.iso.config.system.build.isoImage
#+end_src

If you need to install this on a USB drive, use the Samsung disk for this. Follow these steps:

- =diskutil list= to identify the disk (e.g. =/dev/disk5=)
- =diskutil unmountDisk /dev/disk5= to un-mount the drive

Then copy to a USB stick with:

#+begin_src sh
sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
#+end_src

** Bare metal machine

We can install a machine remotely with =nixos-anywhere=, including full disk encryption.
First, create a password in =passage= for the machine (using the convention =hosts//disk-encryption/passphrase=), and the ssh private key (=ed25519=). Next, run the following snippet to create the SSH host key for the initial boot (this is needed so we can ssh to the host to unlock it).

#+begin_src sh
just deploy-nixos name ip
#+end_src

* DNS

Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]].

* Secrets

The snippets in this section use fish command substitution, =(...)=. Get the identity under =secrets/identity.txt= with:

#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
age-plugin-yubikey --list --slot 1 > identity.txt
#+end_src

To create or edit a secret:

#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
age -R $PASSAGE_RECIPIENTS_FILE -o users/fcuny/llm.age
#+end_src

And to rekey the secrets:

#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
agenix -i identity.txt -r
#+end_src

You can validate that the file is correct with:

#+begin_src fish
cd (git rev-parse --show-toplevel)/secrets
nix eval --json --pretty --file secrets.nix
age-inspect --json users/fcuny/llm.age
#+end_src

The output of =age-inspect= should list, under the =stanza_types= key, at least one =ssh-ed25519= (it indicates that one of the recipients is using an SSH key).
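The validation above can be scripted. The following is an added example (not code from this repository): it parses the age v1 header of an =.age= file and reports the recipient stanza types, the same information =age-inspect --json= exposes under =stanza_types=, and flags the file when no =ssh-ed25519= recipient is present. The two header strings inside it are constructed samples (made-up base64, not real ciphertext), and =piv-p256= is assumed to be the stanza type written for YubiKey recipients.

```python
"""Report which recipient types an .age file was encrypted to (added example).

The SAMPLE_* headers below are constructed: the base64 is made up and only the
format follows the age v1 spec. `piv-p256` is assumed to be the stanza type
used for YubiKey recipients.
"""
import base64
import sys

VERSION_LINE = "age-encryption.org/v1"


def header_from_bytes(data: bytes) -> str:
    """Cut the textual header out of a whole .age file.

    Everything after the MAC line ("--- <base64>") is binary payload, so only
    the bytes up to and including that line's newline are decoded as text.
    """
    mac_start = data.find(b"\n--- ")
    if mac_start < 0:
        raise ValueError("no MAC line found; not an age v1 file?")
    mac_end = data.find(b"\n", mac_start + 1)
    if mac_end < 0:
        raise ValueError("MAC line is not newline-terminated")
    return data[: mac_end + 1].decode("ascii")


def parse_age_header(text: str) -> list[dict]:
    """Return the recipient stanzas of an age v1 header.

    Each stanza is {"type": str, "args": [str], "body": bytes}. Any deviation
    from the header grammar raises ValueError, so a truncated or hand-edited
    file is rejected rather than being misreported as fine.
    """
    lines = text.split("\n")
    if lines[0] != VERSION_LINE:
        raise ValueError(f"bad version line: {lines[0]!r}")
    stanzas = []
    i = 1
    while i < len(lines):
        line = lines[i]
        if line.startswith("--- "):
            if not line[4:]:
                raise ValueError("empty header MAC")
            return stanzas  # the MAC line closes the header
        if not line.startswith("-> "):
            raise ValueError(f"line {i + 1}: expected a stanza, got {line!r}")
        args = line[3:].split(" ")
        if any(a == "" for a in args):
            raise ValueError(f"line {i + 1}: malformed stanza arguments")
        # Body: base64 lines of exactly 64 characters, terminated by a shorter
        # (possibly empty) final line.
        body_lines = []
        i += 1
        while True:
            if i >= len(lines):
                raise ValueError("header truncated inside a stanza body")
            chunk = lines[i]
            i += 1
            if len(chunk) > 64:
                raise ValueError("stanza body line longer than 64 characters")
            body_lines.append(chunk)
            if len(chunk) < 64:
                break
        raw = "".join(body_lines)
        # age writes unpadded base64; re-pad so validate=True can reject
        # anything outside the base64 alphabet.
        body = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        stanzas.append({"type": args[0], "args": args[1:], "body": body})
    raise ValueError("header has no MAC line")


def stanza_types(text: str) -> list[str]:
    return [s["type"] for s in parse_age_header(text)]


def check_recipients(text: str, required=("ssh-ed25519",)) -> dict:
    """The runbook's manual check as code: list the stanza types and report any
    required recipient type (by default an SSH ed25519 key) that is missing."""
    types = stanza_types(text)
    missing = [t for t in required if t not in types]
    return {"stanza_types": types, "ok": not missing, "missing": missing}


# Constructed sample: one SSH recipient, one native X25519 recipient and one
# YubiKey (piv-p256) recipient.
SAMPLE_OK = """age-encryption.org/v1
-> ssh-ed25519 Xyg06A rH24zuz7XHFc6hTSWhc6/Rv9a2HkQZcJgx8dQ9sQ14A
9OYN3u8qXWKjyV6g8dvZtXa0CWKGLzyJ4Ud6tV0dGmU
-> X25519 SVrzdFfkPxf0LPHOUGB1gNb9E5Vr8EcDKqWqdlQNkOU
0OrTkKHpE7fwETOvRv0g1A9VLOLC7+dQaQS9MJz2Bbc
-> piv-p256 vRzPNw AwPeRbx1PtTNvPbTiEvLpcO3P6ldXSOEIbm2YPb7ZWE7
Ke6LgEY8zOcDdnHGvU8zUGxT8UoqOHJCtpUmqn34QLs
--- 4PXg3vSyP1CsNjJ3Bw9Zo3vzQ1gt1h/v7yg+kMyXqHw
"""

# Constructed failure case: only an X25519 recipient, so no SSH key can decrypt.
SAMPLE_NO_SSH = """age-encryption.org/v1
-> X25519 SVrzdFfkPxf0LPHOUGB1gNb9E5Vr8EcDKqWqdlQNkOU
0OrTkKHpE7fwETOvRv0g1A9VLOLC7+dQaQS9MJz2Bbc
--- 4PXg3vSyP1CsNjJ3Bw9Zo3vzQ1gt1h/v7yg+kMyXqHw
"""

if __name__ == "__main__":
    # Usage: python check_age_recipients.py users/fcuny/llm.age ...
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_recipients(header_from_bytes(fh.read())))
    else:
        print("ok sample:", check_recipients(SAMPLE_OK))
        print("no-ssh sample:", check_recipients(SAMPLE_NO_SSH))
```

Run it with one or more =.age= paths to check real files, or with no arguments to run it over the embedded samples. Because =check_recipients= returns a dict instead of only printing, the same function can be wired into a pre-commit hook that refuses to commit a secret rekeyed without an SSH recipient.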
* Network

** Wireguard

*** New host

On a host, run the following:

#+begin_src sh
wg genkey > wireguard
wg pubkey < wireguard > wireguard.pub
#+end_src

Then create the secret in ../secrets/secrets.nix with

#+begin_src sh
agenix -i ~/.ssh/agenix -e /wireguard.age
#+end_src

Then add the following to the host's configuration:

#+begin_src nix
age.secrets.wireguard.file = ../../../../secrets/framebox/wireguard.age;
networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        # digital ocean droplet
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        persistentKeepalive = 25;
      }
    ];
  };
};
networking.firewall.allowedUDPPorts = [ 51871 ];
#+end_src

* Backups

Backups are done with =restic= and are stored on the local machine, and they are then synchronized to the NAS.

* Runbooks

** Remote builders

*** Clients

On the clients, you can run =nix config show builders= to see the list of the remote builders.

If a client is failing to run builds remotely due to some ssh errors, you can run the following command: =sudo ssh -o 'IdentityAgent none' -i /run/agenix/ssh-remote-builder builder@builder true=. We need to use =sudo= since the nix daemon runs as root.

*** Builders

On the builders, you can run =nix config show allowed-users= to see the list of users who can trigger nix builds.

** PostgreSQL

To connect from my local machine remotely:

#+begin_src shell
ssh framebox -L 35432:/var/run/postgresql/.s.PGSQL.5432
#+end_src

Then:

#+begin_src shell
psql -U postgres -h localhost -p 35432
#+end_src