infra/README.md

# steveej's infra
This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org).

In the unlikely case that you actually read this and have any questions please don't hesitate to reach out.

## Initial Roadmap

- All graphical systems (incl. install media) must have
  - [x] Full-disk encryption by default
  - [x] Yubikey support with SSH auth
- [x] Migrate all devices to new structure
  - [x] Encrypted Install media
  - [x] steveej-laptop
  - [x] steveej-laptop-work
- [ ] Migrate home environment to new structure
  - [x] home-manager
  - [x] pkgs-configuration
  - [ ] development environments
- [x] (Semi-) automatic synchronization of important repositories
  - [x] Modification strategy
      The approach is to use vcsh for the dotfiles
  - [x] dotfiles
- [x] Toplevel Justfile for simple actions
  - [x] mount/umount disks
  - [x] install to mounted disk
  - [x] rebuild running system
  - [x] update running system
  - [x] annotate recipes with some documentation
  - [x] declare shell.nix with runtime deps
  - [x] partition/encrypt/format disks
- [x] Maybe make this a nix-overlay
- [x] refactor as a nix flake and adopt an existing framework
  - [x] devShell version
  - [x] ~~version templating~~ obsolete due to the usage of flakes
  - [x] elias-e525
  - [x] steveej-t14
  - [x] contabo vps
  - [x] sj-pve0
- [ ] use an existing secret management framework
- [ ] adapt (or abandon?) _just_ recipes
    - [ ] `rebuild-this-device`
    - [ ] `update-this-device`
    - [ ] `rebuild-remote-device`
    - [ ] `update-remote-device`

    evaluate, and understand a path to using these tools in a pull-based fashion:
  - [x] [colmena](https://github.com/zhaofengli/colmena)
      * bootstrapping: https://github.com/zhaofengli/colmena/issues/68
  - [ ] deploy-rs
- [ ] 🚧 find a better alternative for the qtile-desktop

    current issues:
    - floating windows often get lost in the background 
    - plugging in-/out- screen crashes the desktop

    evaluate: 
    - [ ] 🚧 gnome3 + pop-shell
    - [ ] leftwm + eww (+ wayland?)
- [ ] (Re-)document bootstrap process
  - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
  - [ ] a new machine
  - [ ] an install media
- [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle *\_archived*
- [ ] container migrations
  - [ ] ensure DDNS is updated _before_ the containers are started


## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755

## Usage
*(These are reminders for my future self)*

```
just --list
```

## Bootstrap

### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname

* boot with an install media and go through setup

#### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
* `gpg2 --edit-card; fetch`
* clone password-manager and infra repositories
* gpg2: ultimately trust my own key

## Swapping out a disk

1. offline-bitwise copy of drive
2. disconnect remove the previous drive
3. replace the driveId in the device's hw.nix
4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group

## Backup

### Copy existing subvolumes to new backup target

```
`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/
```