Tools, scripts, and configurations for my machines.
* Installation
** Steps for a new Darwin machine
Start by installing nix, using [[https://github.com/DeterminateSystems/nix-installer][nix-installer]] from [[https://determinate.systems][DeterminateSystems]].
#+begin_src sh
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
#+end_src
Now you can build the configuration (remember, the host name is in lower case):
#+begin_src sh
nix run nix-darwin -- switch --flake .
#+end_src
Finally, switch the default shell via =chsh=, and set it to =/run/current-system/sw/bin/fish=.
Best to reboot to complete the installation.
** Steps for a new droplet on DigitalOcean
Start by creating a droplet using Debian. Create a new host configuration.
Once the droplet is provisioned, we can use =nixos-anywhere= to convert the droplet to a NixOS installation.
#+begin_src sh
just deploy-nixos flake ip
#+end_src
Once the host reboots, check that it's converted to NixOS by running =uname -a=.
** Steps for a new VM on the Synology NAS
- choose VGA for the display (otherwise ~systemd-udevd~ gets stuck)
- use UEFI for boot
- use the ISO generated with =nix build .#nixosConfigurations.iso.config.system.build.isoImage=
- boot to the installer
- run =just deploy-nixos name ip=
** Create the nixos installer
Run
#+begin_src sh
nix build .#nixosConfigurations.iso.config.system.build.isoImage
#+end_src
If you need to install this on a USB drive, use the Samsung disk for this. Follow these steps:
- =diskutil list= to identify the disk (e.g. =/dev/disk5=)
- =diskutil unmountDisk /dev/disk5= to unmount the drive
Then copy to a USB stick with:
#+begin_src sh
sudo dd if=result/iso/nixos-minimal-25.05git.25e53aa156d-x86_64-linux.iso of=/dev/rdisk5 bs=1M conv=sync status=progress
#+end_src
** Bare metal machine
We can remotely install a machine with =nixos-anywhere=, including full disk encryption.
First, create a passphrase in =passage= for the machine (using the convention =hosts/<hostname>/disk-encryption/passphrase=), and the SSH private key (=ed25519=). Next, run the following snippet to create the SSH host key for the init boot (this is needed so we can SSH to the host to unlock it).
#+begin_src sh
just deploy-nixos name ip
#+end_src
* DNS
Update records through the [[https://dash.cloudflare.com/2c659eeaf2ae9a0206c589c706b3748e/fcuny.net][console]].
* Secrets
Get the identity under =secrets/identity.txt= with:
#+begin_src sh
cd (git rev-parse --show-toplevel)/secrets
age-plugin-yubikey --list --slot 1 > identity.txt
#+end_src
To create or edit a secret:
#+begin_src sh
cd (git rev-parse --show-toplevel)/secrets
age -R $PASSAGE_RECIPIENTS_FILE -o users/fcuny/llm.age
#+end_src
And to rekey the secrets:
#+begin_src sh
cd (git rev-parse --show-toplevel)/secrets
agenix -i identity.txt -r
#+end_src
You can validate that the file is correct with:
#+begin_src sh
cd (git rev-parse --show-toplevel)/secrets
nix eval --json --pretty --file secrets.nix
age-inspect --json users/fcuny/llm.age
#+end_src
The output of =age-inspect= should list, under the =stanza_types= key, at least one =ssh-ed25519= entry (this indicates that one of the recipients is an SSH key).
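Going one step further than eyeballing the =stanza_types= key, the following added example (not part of this repository) cross-checks an =.age= file against the recipients declared in =secrets.nix=: every declared key should produce exactly one stanza of the matching type, and at least one SSH key should be among them. The samples are constructed; only the =stanza_types= key comes from the text, and the assumption that it lists one entry per recipient stanza is mine.

```python
import json
from collections import Counter

# Constructed sample of `nix eval --json --file secrets.nix` in the agenix
# layout (path -> {"publicKeys": [...]}); the keys are placeholders.
SECRETS_NIX = json.dumps({"users/fcuny/llm.age": {"publicKeys": [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY fcuny@framebox",
    "age1yubikeyPLACEHOLDERRECIPIENT",
]}})

# Constructed samples of `age-inspect --json`. Only the `stanza_types` key is
# taken from the text; that it lists one entry per recipient stanza is an
# assumption about the tool's output.
INSPECT_OK = json.dumps({"stanza_types": ["ssh-ed25519", "piv-p256"]})
INSPECT_NO_SSH = json.dumps({"stanza_types": ["piv-p256"]})

def stanza_for(pubkey: str) -> str:
    """Stanza type an age recipient from secrets.nix produces in the file."""
    if pubkey.startswith("ssh-ed25519 "):
        return "ssh-ed25519"
    if pubkey.startswith("ssh-rsa "):
        return "ssh-rsa"
    if pubkey.startswith("age1yubikey"):
        return "piv-p256"   # age-plugin-yubikey recipients
    if pubkey.startswith("age1"):
        return "X25519"     # native age recipients
    raise ValueError(f"unknown recipient format: {pubkey!r}")

def check_secret(path: str, secrets_json: str, inspect_json: str) -> list:
    """Problems found cross-checking one .age file against secrets.nix.
    An empty list means the file is encrypted to exactly the declared keys."""
    declared = json.loads(secrets_json)[path]["publicKeys"]
    expected = Counter(stanza_for(k) for k in declared)
    actual = Counter(json.loads(inspect_json)["stanza_types"])
    problems = []
    if "ssh-ed25519" not in actual:
        problems.append("no ssh-ed25519 stanza: no SSH key can decrypt this file")
    for t in sorted(expected.keys() | actual.keys()):
        if expected[t] != actual[t]:
            problems.append(f"{t}: secrets.nix declares {expected[t]}, "
                            f"file has {actual[t]}")
    return problems
```

A mismatch after =agenix -r= usually means the file was rekeyed against a stale =secrets.nix=, so re-run the rekey before committing.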
* Network
** Wireguard
*** New host
On a host, run the following:
#+begin_src sh
wg genkey > wireguard
wg pubkey < wireguard > wireguard.pub
#+end_src
Then create the secret in =../secrets/secrets.nix= with
#+begin_src sh
agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
#+end_src
Then add the following to the host's configuration:
#+begin_src nix
age.secrets.wireguard.file = ../../../../secrets/framebox/wireguard.age;
networking.wireguard = {
  enable = true;
  interfaces.wg0 = {
    ips = [ "10.100.0.60/32" ];
    listenPort = 51871;
    privateKeyFile = config.age.secrets.wireguard.path;
    peers = [
      {
        # digital ocean droplet
        publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "165.232.158.110:51871";
        persistentKeepalive = 25;
      }
    ];
  };
};
networking.firewall.allowedUDPPorts = [ 51871 ];
#+end_src
* Backups
Backups are done with =restic=; they are stored on the local machine and then synchronized to the NAS.
* Runbooks
** Remote builders
*** Clients
On the clients, you can run =nix config show builders= to see the list of the remote builders.
If a client is failing to run builds remotely due to SSH errors, you can run the following command: =sudo ssh -o 'IdentityAgent none' -i /run/agenix/ssh-remote-builder builder@builder true=. We need to use =sudo= since the nix daemon runs as root.
*** Builders
On the builders, you can run =nix config show allowed-users= to see the list of users who can trigger nix builds.
** PostgreSQL
To connect from my local machine remotely:
#+begin_src shell
ssh framebox -L 35432:/var/run/postgresql/.s.PGSQL.5432
#+end_src
Then:
#+begin_src shell
psql -U postgres -h localhost -p 35432
#+end_src