infra/README.md

# steveej's infra

This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org).

In the unlikely case that you actually read this and have any questions please don't hesitate to reach out.

## Initial Roadmap

- All graphical systems (incl. install media) must have
  - [x] Full-disk encryption by default
  - [x] Yubikey support with SSH auth
- [x] Migrate all devices to new structure
  - [x] Encrypted Install media
  - [x] steveej-laptop
  - [x] steveej-laptop-work
- [ ] Migrate home environment to new structure
  - [x] home-manager
  - [x] pkgs-configuration
  - [ ] development environments
- [x] (Semi-) automatic synchronization of important repositories
  - [x] Modification strategy
        The approach is to use vcsh for the dotfiles
  - [x] dotfiles
- [x] Toplevel Justfile for simple actions
  - [x] mount/umount disks
  - [x] install to mounted disk
  - [x] rebuild running system
  - [x] update running system
  - [x] annotate recipes with some documentation
  - [x] declare shell.nix with runtime deps
  - [x] partition/encrypt/format disks
- [x] Maybe make this a nix-overlay
- [x] refactor as a nix flake and adopt an existing framework
  - [x] devShell version
  - [x] ~~version templating~~ obsolete due to the usage of flakes
  - [x] elias-e525
  - [x] steveej-t14
  - [x] contabo vps
  - [x] sj-pve0
- [x] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes

  - [x] `rebuild-this-device`
  - [x] `update-this-device`
  - [x] `rebuild-remote-device`
  - [x] `update-remote-device`

  evaluate, and understand a path to using these tools in a pull-based fashion:

  - [x] [colmena](https://github.com/zhaofengli/colmena)
    - bootstrapping: https://github.com/zhaofengli/colmena/issues/68
  - [ ] deploy-rs

- [x] 🚧 find a better alternative for the qtile-desktop
      current issues:

  - floating windows often get lost in the background
  - plugging in-/out- screen crashes the desktop

  evaluate:

  - [x] ~~🚧 gnome3 + pop-shell~~
  - [x] ~~leftwm + eww (+ wayland?)~~

- [ ] (Re-)document bootstrap process
  - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
  - [ ] a new machine
  - [ ] an install media
- [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle _\_archived_
- [ ] container migrations
  - [ ] ensure DDNS is updated _before_ the containers are started

## Bugs

- [ ] home-manager leaves ~/.gnupg at 0755

## Usage

_(These are reminders for my future self)_

```
just --list
```

## Bootstrap

### A new machine

- ensure the dotfiles repo has a branch with the new machine's hostname

- boot with an install media and go through setup

#### Post-Install Setup

- `chmod --recursive g-rwx,o-rwx ~/.gnupg`
- `gpg2 --edit-card; fetch`
- clone password-manager and infra repositories
- gpg2: ultimately trust my own key

## Swapping out a disk

1. offline-bitwise copy of drive
2. disconnect remove the previous drive
3. replace the driveId in the device's hw.nix
4. run the `just disk-relabel nix/os/devices/<deviceName> <prevDiskId>` command to rename the filesystem and volume group

## Rebuilding an offline system

```
(
sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot
sleep 5

sudo mkdir -p /mnt/root
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos
sudo mount /dev/sdb2 /mnt/root/boot
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home

sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password
)
```