| .git-crypt | ||
| .vscode | ||
| _archive/environments | ||
| flake-sandbox | ||
| nix | ||
| scripts | ||
| secrets | ||
| services/home-ch | ||
| .envrc | ||
| .gitattributes | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .sops.yaml | ||
| default.nix | ||
| flake.lock | ||
| flake.nix | ||
| Justfile | ||
| README.md | ||
steveej's infra
This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of Nix.
In the unlikely case that you actually read this and have any questions please don't hesitate to reach out.
Initial Roadmap
-
All graphical systems (incl. install media) must have
- Full-disk encryption by default
- Yubikey support with SSH auth
-
Migrate all devices to new structure
- Encrypted Install media
- steveej-laptop
- steveej-laptop-work
-
Migrate home environment to new structure
- home-manager
- pkgs-configuration
- development environments
-
(Semi-) automatic synchronization of important repositories
- Modification strategy The approach is to use vcsh for the dotfiles
- dotfiles
-
Toplevel Justfile for simple actions
- mount/umount disks
- install to mounted disk
- rebuild running system
- update running system
- annotate recipes with some documentation
- declare shell.nix with runtime deps
- partition/encrypt/format disks
-
Maybe make this a nix-overlay
-
refactor as a nix flake and adopt an existing framework
- devShell version
version templatingobsolete due to the usage of flakes- elias-e525
- steveej-t14
- contabo vps
- sj-pve0
-
use an existing secret management framework
-
adapt (or abandon?) just recipes
rebuild-this-deviceupdate-this-devicerebuild-remote-deviceupdate-remote-device
evaluate, and understand a path to using these tools in a pull-based fashion:
- colmena
- bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- deploy-rs
-
🚧 find a better alternative for the qtile-desktop current issues:
- floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
evaluate:
🚧 gnome3 + pop-shellleftwm + eww (+ wayland?)
-
(Re-)document bootstrap process
apt install sudo cryptsetupas a requirements on a deb admin machine- a new machine
- an install media
-
Design disaster recovery
-
Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
-
Recycle _archived
-
container migrations
- ensure DDNS is updated before the containers are started
Bugs
- home-manager leaves ~/.gnupg at 0755
Usage
(These are reminders for my future self)
just --list
Bootstrap
A new machine
-
ensure the dotfiles repo has a branch with the new machine's hostname
-
boot with an install media and go through setup
Post-Install Setup
chmod --recursive g-rwx,o-rwx ~/.gnupggpg2 --edit-card; fetch- clone password-manager and infra repositories
- gpg2: ultimately trust my own key
Swapping out a disk
- offline-bitwise copy of drive
- disconnect remove the previous drive
- replace the driveId in the device's hw.nix
- run the
just disk-relabel nix/os/devices/<deviceName> <prevDiskId>command to rename the filesystem and volume group
Rebuilding an offline system
(
sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot
sleep 5
sudo mkdir -p /mnt/root
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos
sudo mount /dev/sdb2 /mnt/root/boot
sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home
sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password
)