Commit graph

247 commits

Author SHA1 Message Date
931678140b grafana: another attempt to fix anonymous auth 2023-06-05 03:51:42 +05:30
b92dfe4f30 radicale: replace xandikos with radicale 2023-06-05 03:38:15 +05:30
87f9692664 xandikos: fix port 2023-06-05 03:25:12 +05:30
a67c72579c xandikos: Add and enable 2023-06-05 03:23:26 +05:30
0ae5726697 grafana: another attempt at anonymous login 2023-06-05 03:10:47 +05:30
511da815a3 Revert "grafana: Allow anonymous auth"
This reverts commit 2faa1f0c7a.
2023-06-05 03:04:09 +05:30
66341a4fda Revert "grafana: allow anonymous viewer"
This reverts commit bf7142cf37.
2023-06-05 03:04:07 +05:30
bf7142cf37 grafana: allow anonymous viewer 2023-06-05 03:03:06 +05:30
2faa1f0c7a grafana: Allow anonymous auth 2023-06-05 02:53:23 +05:30
6534bb35fb paperless: fix admin 2023-06-05 02:49:57 +05:30
714147e190 paperless: trust localhost 2023-06-05 02:39:37 +05:30
07c7fd4ca9 paperless: Fix CSRF origin 2023-06-05 02:36:20 +05:30
12332f3977 fix paperless 2023-06-05 02:30:25 +05:30
bbddedd05d dex: fix issuer address 2023-06-05 02:20:54 +05:30
a9896167b3 outline: correct port and public URL 2023-06-05 02:14:36 +05:30
2a04d3330c wiki: Enable paperless, outline and dex with nginx 2023-06-05 02:07:20 +05:30
e1da4d958a nginx: different virtualHosts for different services 2023-06-05 01:55:41 +05:30
46340648b4 nginx: add priorities to paths
Hopefully this will fix single service issue
2023-06-05 01:24:43 +05:30
0f31b131e1 nginx: make root point to nginx 2023-06-05 01:09:10 +05:30
054dc49066 nginx: reset root to grafana
Turns out root is needed, and it MUST point to the same host somewhere.

Man this is tricky.
2023-06-05 01:01:33 +05:30
336d7ba735 nginx: remove root 2023-06-05 00:58:30 +05:30
ab62e65332 Revert "nginx: point root to grafana for now"
This reverts commit ba567ddbb9.
2023-06-05 00:53:41 +05:30
ba567ddbb9 nginx: point root to grafana for now 2023-06-05 00:52:56 +05:30
7779b33cc9 nginx: redirect root instead of proxying 2023-06-05 00:49:50 +05:30
7d948ce2ad nginx: add grafana, move navidrome and set root to blog 2023-06-05 00:39:17 +05:30
1f44073a5d wiki: remove dnsProvider 2023-06-05 00:08:19 +05:30
1e1aa22770 nginx: remove forceSSL 2023-06-05 00:07:13 +05:30
a943491fad wiki: correct typo 2023-06-05 00:06:28 +05:30
e0983c5690 wiki: remove certbot
It is no longer present in NixOS modules
2023-06-05 00:04:54 +05:30
27a6445dee wiki: Multiple changes
- Enable acme
- Enable certbot with bare settings
- add and force SSL for bebop subdomain
- enable acme for subdomain
- move music to root for now (to make sure it works)
2023-06-05 00:02:50 +05:30
739e8e504d wiki: Enable nginx proxy for navidrome and minio 2023-06-04 23:00:10 +05:30
4e4b6add85 wiki: disable paperless, dex and outline 2023-06-04 22:41:48 +05:30
17fd11a6a9 Add rhea to hosts and fish abbreviations 2023-06-03 12:28:06 +05:30
6673436bf3 Add hosts entries and fish abbrev for titan and lapetus
titan and lapetus are the first two new Raspberry Pi Zero Ws.

While quite anemic and decidedly incapable of running modern NixOS, they
still run Debian well enough, and are still full computers in their own
right.

So they get hostnames, the first two moons in the solar system, starting
from Saturn (should last a while :p), in ascending order of their year
of discovery. After Saturn, it'll be Jupiter, Uranus, Neptune, and then
back inwards starting from Mars. Luna will be last (if we ever manage to
get that far :p)
2023-06-02 01:24:55 +05:30
c716951f29 Syncthing: update for upstream option change 2023-05-28 16:20:10 +05:30
872bd8710b home: remove helix 2023-05-28 16:19:06 +05:30
c499caaec5 wiki: more outline 2023-05-27 19:57:07 +05:30
d2c731ae7f wiki: More change for outline 2023-05-27 19:49:29 +05:30
754e3133f9 wiki: Give outline correct url for dex 2023-05-27 19:42:15 +05:30
ec56ca4d28 wiki: More changes for outline 2023-05-27 19:36:58 +05:30
e03b09eb2a wiki: Enable outline to use Dex 2023-05-27 19:27:11 +05:30
1d1b259866 wiki: More changes 2023-05-27 19:05:36 +05:30
3ae0554efb wiki/outline: Attempt #2 2023-05-27 18:15:10 +05:30
986588255f wiki: Enable minio and add a new secret key for the same 2023-05-27 18:03:13 +05:30
8d36c91bff common: Add fsh alias to enable FHS with all currently installed libs 2023-05-27 15:17:49 +05:30
657db2ce17 wiki: Disable minio 2023-05-27 12:53:24 +05:30
dbfd58bef3 wiki: open ports for minio 2023-05-26 00:32:42 +05:30
5b9864a639 wiki: Disable outline, Add minio 2023-05-25 18:02:53 +05:30
386427b7ee wiki: Initial implementation
Ideally this should be split into separate packages, but we'll see. This
commit enables two services for bebop:

- outline (getoutline.com)
  A personal notion.so - like note-taking and knowledge base.
  I do like and prefer org-mode, but this is nicer looking and useful
  for gen-pop.
- paperless
  To store all documents in PDF format plus automatically OCR them and
  query the OCR'ed text.
2023-05-24 01:37:41 +05:30
06d1be47a7 monitoring: Add extra collectors to prometheus node
Does NOT work
2023-05-21 11:19:42 +05:30
f7a53e19e7 monitoring: Add new job for every target
Does NOT work
2023-05-21 11:19:23 +05:30
6541afb931 monitoring: Add job to scrape metrics from OpenWRT 2023-05-21 11:10:05 +05:30
7e1e1eb17d monitoring: remove zabbix 2023-05-21 11:09:45 +05:30
37bec4cb64 Calibre: Add module and enable for both hermes and bebop 2023-05-18 22:36:14 +05:30
8cf2aec09f monitoring: Add new exporters and their scraping for Prometheus
- Systemd
- influxdb
- pihole
2023-05-18 22:15:03 +05:30
7b254da83d syncthing: More api updated 2023-05-18 22:14:42 +05:30
c3ca54be60 grafana: Disable analytics
I'm surprised at Nixpkgs keeping them enabled by default :(
2023-05-17 00:15:26 +05:30
4b2b429052 common: Enable Atuin integration
Shell history backed by an sqlite database and spruced up with a colorful
interface.

It is a direct replacement for fzf in that regard, and seems to work
quite well, albeit does not interact with fzf satisfactorily. So this is
an experiment to see how it goes.

It also provides syncing of shell history, with end-to-end encryption,
so that's something I'm looking forward to. Let's see how it goes.
2023-05-16 13:03:08 +05:30
f6a099b239 deploy-rs: Fully working deployments from hermes to bebop
I'm not sure whether the passwordless sudo is required, but I'm too
tired to test right now. Anyway, this works.

Also unsure on the statelessness of deploy-rs, but again, it's simple
enough, didn't require changing anything else much and it works.

Perhaps some day, I'll see about trying out colmena for deploying
secrets, but until then, agenix is good enough for my needs.
2023-04-30 22:23:55 +05:30
bc8062f330 deploy-rs: More configuration
Right now this fails, because of what I assume is a failure with emulation
in WSL, but otherwise I'm liking the overall approach of reusing the
preconfigured nixOSConfigurations in the same flake, as well as the
lightweight burden of configuration. Doesn't hurt that it is written in
Rust rather than Python.
2023-04-30 16:59:46 +05:30
34cadf5c84 monitoring: Initial config for zabbix 2023-04-29 13:14:29 +05:30
8fb55cfa17 bebop: Update to changed options 2023-04-23 18:26:03 +05:30
e47ff31885 home: Enable exa, a replacement for 'ls'
Although aliases are enabled, I could not figure out a way to get them
to work with my current shell. I think this is because while
home-manager is trying to set aliases, they are set and controlled by
NixOS config, which doesn't have such option for fzf. I'll need to find
a way to set Fish as default shell via home-manager, but right now that
way does not work because home-manager cannot set fish plugins by using
nixpkgs derivation for it directly. :(
2023-04-20 14:32:51 +05:30
ee6f0461c3 hermes: Minor modification to fzf config 2023-04-20 14:32:32 +05:30
9b08f7b64c fish: switch emacs dir to new default freedesktop dir 2023-04-16 19:15:37 +05:30
1622f2b89a fonts: Add IBM Plex Mono 2023-04-05 01:56:27 +05:30
4ebf9bff80 home: Add nix-output-manager 2023-03-25 17:43:32 +05:30
22fd2e203a htop: Do not show full path
On NixOS the full path of binaries is long, obscures the flags/options given,
and is not very useful, since the nix store and hash are quite meaningless.

As such, it makes sense on NixOS to hide the full path of the program.

As for how to find the actual variable names for htop config, this file is
useful:

40104588f3/Settings.c
2022-12-12 14:12:06 +05:30
43acb193ac common-home: Add Helix editor
As an experiment at better Vim-style terminal editor.
2022-12-07 12:53:18 +05:30
c701f5a4d1 fish: Add another abbrev to update flake with sudo 2022-11-08 01:46:35 +05:30
9a7f817fdd hermes/WSL: Change generate resolv.conf due to NixOS-WSL update
Without this the build fails, so this is kinda unavoidable.
2022-11-07 13:05:41 +05:30
d46117ffb5 WSL: Disable nativeSystemd
Its support is very experimental upstream and things break. E.g. user-level
services just don't work, and there is no way to know/fix it. The NixOS-WSL
maintainer is not very keen on working around that because of complexity and
because upstream is the better place to fix it. As such, and on his advice,
it's better to stick to the original state of affairs.
2022-11-04 21:36:10 +05:30
b83346874a WSL: Use native systemd support
Now that WSL comes with native systemd support of its own, NixOS-WSL can use it.
2022-11-04 13:21:29 +05:30
2f6bf35afc hermes: Fix gtk build failures
By removing minimal.nix config.noXlib is not set, and includes some other
packages per matrix answer.

But it will allow gtk to build and the rest of the system can now be updated.
2022-11-04 13:20:26 +05:30
ef339bf13b Elixir: Remove Elixir module
also remove commented import for elixir module from Hermes
2022-11-01 12:22:12 +05:30
a5549d831d Elixir: Remove elixir-LS path hack
emacs/eglot is now configured to use correct executable defined by the Emacs
package itself, so this hack is not required anymore
2022-10-21 23:02:56 +05:30
86bff1ef68 Revert "Common/Home: Temporarily disable manpages"
This reverts commit 2192fd0a60.

Upstream home-manager is now fixed and this is not required any more.
2022-10-21 13:45:59 +05:30
31d778b7ad Elixir: Switch to 1.14 2022-10-19 14:10:19 +05:30
2192fd0a60 Common/Home: Temporarily disable manpages
As a workaround for an upstream Nixpkgs issue
2022-10-19 13:31:27 +05:30
830ee784d2 WSL: Attempt to fix mount path 2022-10-17 11:00:53 +05:30
a4b46acf5e Fish: Add alias for 'mu index' 2022-09-23 11:28:13 +05:30
866b555cc6 Emacs+Fonts: Fix all-the-icons flag icons in mu4e
After a bit of investigation across doom and package wiki and source code, and a
bit more googling to see why the flags were missing, it turns out the font
package was missing from NixOS.

The all-the-icons package in the emacs closure is not strictly necessary, as
doom is expected to download it automatically, but I'll probably always have
it, so it's a safe bet to keep both in sync.
2022-09-08 20:59:32 +05:30
c713048484 Hermes/Elixir: Add gnumake
Because for some reason exqlite compilation fails without some version of make.
2022-09-01 21:08:42 +05:30
5feda0f1f5 Hermes: Setup Elixir + Phoenix liveView packages
The LSP setup was a bit more involved than expected, but it works.

- Create environment variable with ls package path.
- Do this globally because Fish is not yet managed by home-manager
- Use the variable to get package path in Emacs (configured in Doom Emacs
 config)

Currently the Elixir stuff is installed globally but this can work as far as I
can see. I might have to synchronise between project and system flake
occasionally, but I think it will be manageable for a while.
2022-08-28 11:07:16 +05:30
97fcac9e89 Fonts: Remove Julia Mono and IBM Plex fonts
I have not used these in a while. I also switched back to Fira Code today, and
it looks a lot better on HiDPI display with larger size compared to 1080p
display.

Julia Mono also wasn't being very helpful with the emojis, so its intended
purpose was not being served anyway.
2022-08-26 12:36:02 +05:30
551908cb7f hermes: disable hosts and resolve.conf generation
Inherit from Windows directly and make do with that. Once cache issues are
resolved-ish, I will think about re-enabling.
2022-07-05 21:34:56 +05:30
2ae292ebac WSL: Fix for NixOS-WSL update
Enable hosts and resolve config
2022-07-02 11:59:39 +05:30
e736becf78 Fix stateVersion for home-manager 2022-06-21 19:08:19 +05:30
8cc24511e0 Hermes: Let WSL handle networking
While I can set up dhcp with bridged networking on WSL, it won't be as
friction-free. I'll have to set up a bridged adapter with the same name in
Hyper-V and then the imperative state starts accumulating again.

Not fun.

I might have hardcoded the hosts file, which would have been alright with my
threat model, but I realised the only reason I want my DNS is privacy and
ad-blocking. But since neither browser nor any nefarious applications (at least
I hope not) run from within the VM, it doesn't make sense.

Now the only thing remaining about this is the broken scrobbling in navidrome.
In that case, oh well.. not like all the client applications are fun, so might
as well live with it.
2022-06-13 16:49:31 +05:30
4040d067f8 Hermes: Make NixOS generate hosts file
By default WSL generates the hosts file, but since NixOS can do its job, it's
better to let it. The previous hosts file must be deleted first for this to take
effect.

resolv.conf generation via NixOS is currently disabled, but I might just do it.
DHCP is disabled so I'm not sure what else needs to be applied, but we'll see.
2022-06-13 16:41:28 +05:30
da8ad7a3a3 Revert dbc2a39e: DNS fix attempt 2022-06-13 10:29:33 +05:30
927cad466d Hermes: Move WSL config to separate module 2022-06-13 10:27:56 +05:30
57908c2b81 Navidrome: Move datafolder under homedir root
Navidrome config cannot be shared, it makes no sense to keep it synced under
org.
2022-06-12 15:47:03 +05:30
7f338deb98 navidrome: Make data folders independent of hosts
Turns out sharing navidrome data isn't possible. They don't really work
together.

So next best thing is to separate them out.
2022-06-12 14:53:55 +05:30
ddc5a663a7 whitespace cleanup 2022-06-12 13:53:37 +05:30
fcae51e38a Navidrome: Fix Music and Data Directories
The systemd unit for navidrome in nixpkgs is too overzealous in permission
denials.

It blocks homedir access by default (which I believe is dumb), so if MusicFolder
and DataFolder are anywhere inside homedir, they are not available to service at
runtime.

MusicFolder can be read-only, but DataFolder must be write-able.

This change also force sets user and group. I'm not sure that is necessary, but
since DynamicUser is true, I might just get it over with.
2022-06-12 13:18:38 +05:30
67dad94e7d navidrome: Explicitly enable Listenbrainz integration
Not that it is working.. I suspect it is another victim of overzealous systemd
unit configuration in Nixpkgs. Anyway I opened a bug report for it on navidrome
repo, probably have some response in next few weeks.
2022-06-12 12:28:51 +05:30
8dbb2e85f0 Navidrome: More customization 2022-06-12 01:55:01 +05:30
1e494aa605 Hermes,Bebop: Add and enable Navidrome audio server
Because WSL is ridden with bugs, I'm going to try running my Music over a
server.

This also provides opportunity to finally unify and start making proper
playlists that will stick.
2022-06-11 22:08:35 +05:30
5d009b6e5e Hermes/htop: Make Htop interface cleaner
by removing few columns:

1. Priority
2. Nice
3. M_SIZE
4. M_RESIDENT
5. M_SHARE
6. STATE
2022-06-08 17:38:10 +05:30
a3de5058f3 Hermes: Attempt to fix nixos-rebuild issue due to git
git fixed a CVE that makes directories not owned by the user appear as not a
git repo. Since my /etc/nixos is owned by my user, but nixos-rebuild is
performed by root, this is an issue. The simplest and best workaround is to add
this repo as a safe directory.

This commit fixes this by way of setting default config for root user.

I also decided to go all in and set up a full home-manager config identical to
my user here. I'll probably remove the Fish config, but will see how it goes.
2022-06-08 17:35:26 +05:30
3c1666f9b1 Hermes: remove small unhelpful comments 2022-06-05 08:18:36 +05:30
a72f11864f Fish: Disable greeting text 2022-06-04 23:40:21 +05:30
586f56baa5 Hermes: Moved agenix module to host-specific dir
For now, that's all I need. Besides, it was weird before to have the top module
and keys in separate sections
2022-06-04 01:27:18 +05:30
d1945d2338 Agenix: Finally fix the breaking key decryption
The issue was generated NixOS system closure did not depend on the agenix
secrets being present in the NixOS repo. So, whenever garbage got collected, the
secrets dir got removed from the store, and on subsequent boots the secret
decryption failed as encrypted secrets were absent from NixOS store.

This fix means entire agenix secrets get copied over to the store instead of the
selective keys, but given how my current number of machines is fairly small and
I need pretty much all the keys on them, I think it is fine to keep it as is. In
future I can try something like Syncthing module where definition and
use happens in different location.
2022-06-04 01:16:32 +05:30
0003e82f75 Syncthing: Remove Enterprise 2022-06-04 01:16:09 +05:30
232fe744b7 Syncthing: Update id for Hermes 2022-06-04 01:15:47 +05:30
9ff1246638 Hermes: Enable secrets module
Now the agenix secrets are automatically decrypted using the age secret key.
2022-06-02 18:57:10 +05:30
2de9aac5fb Users: Set up default usergroup for payas 2022-06-02 09:29:07 +00:00
ec43c4544e Hermes/Fonts: Enable Fonts module and add cascadia-code
Since I've been using WSL2 for the past few days, I have been using Windows
Terminal.

While it doesn't really hold a candle to Konsole, it is alright and comes with
Cascadia Code font by default. Over few days, I've come to like this font and
decided to try it out for Emacs within WSL.
2022-06-02 09:17:57 +00:00
95a868f981 Syncthing/Bebop/Hermes: Replace Enterprise with Hermes
And enable Syncthing module for Hermes
2022-06-02 08:50:44 +00:00
0700205e2d Hermes: Initial bringup
This is minimal config for Hermes on WSL2.

Emacs is untested yet and needs ~/org/ to be imperatively copied still.

Email, Syncthing and Backup modules are yet to be set up and might need
some imperative actions.

However, the system is working and automatically logs into correct
default user.
2022-06-02 07:19:59 +00:00
33a8a7e501 Enterprise: Further modularization
- Plasma desktop
- Fonts
- Users

These are top-level modules in anticipation of new machine, but I expect them to
remain same regardless of particular host.
2022-05-26 23:17:15 +05:30
720c2e0bae Fish: Add alias to new bkp script in emacs-lisp
Emacs-lisp is proving to be decent scripting language.

This is a small script I wrote to unlock restic repos in case they get locked
based on few input params.
2022-05-19 23:12:07 +05:30
2f33493a92 Home: Manage Htop config using NixOS 2022-05-14 20:32:32 +05:30
3d13f90f08 Fish: Manage Fish plugins via NixOS
There is home-manager for more fine-grained plugin management, but I only use
single plugin used by Fish shell, and it is already present in nixpkgs.

Also setup (commented) code to add config.fish via home-manager. Should come in
handy in future.
2022-05-14 11:56:43 +05:30
c17557c7e5 Enterprise: Move Emacs config to home-manager
In sync with my general attempt to move as much as possible into user config
rather than system config.

It also makes Emacs config "slightly" cleaner and better understandable.
2022-05-14 11:54:37 +05:30
2ca8cbc9ad Home: Move broot and bat config to home-manager
This also allows removing this config from homedir
2022-05-14 11:47:47 +05:30
7f107d0947 Syncthing/everywhere: Remove Rocinante
In pursuit of trying out NixOS on Rocinante, the device was formatted and in my
basic assumptions, I did not back up userdata.

So, the device is lost and I no longer have the original Syncthing keys for this
device. Being an android phone, it would be unwise to backup and restore the
keys anyway.

So, for now, I am simply removing Rocinante from my backup roster. Oh, so much
for the extra machine backing up my stuff..
2022-05-08 20:43:03 +05:30
8752f3dc60 Fish: Add abbreviation: mkbook
This will download the whole HTML and its linked docs, recursively 5 levels
deep, with random delays in between so as to not get throttled, and convert
links to point to local files.

In short, this will copy a whole website locally, in a completely usable local
format.

I tested on the Rust Book and it works fantastically!

I have a hunch I'll be using this multiple times going forward, so adding an
abbreviation.
2022-05-03 22:38:05 +05:30
71c0362ea5 Syncthing: Remove music_shared
Now only the full fat FLAC dir is shared between enterprise, bebop and Childish
Tycoon. I realised that the overhead of maintaining 2 sets was eventually going
to be too much. The two dirs were already out of sync, and as I was cleaning up
unwanted files from one device, the other dir was falling further behind in
sync.

So, now only FLACs will be shared. This means Rocinante has to be left out of
Music sync. This means there is one less backup, but I hope it will be fine.
Roci originally served the purpose of an always-on node, but that role has been
taken over by bebop in much better fashion, so at least for now, I can survive
with one less backup of the music.
2022-05-01 20:15:53 +05:30
b105fe7add Syncthing: Add music_flac folder
This way I'll have at least one backup (albeit on-site only) of the flac
collection.

It took me significant time to build it, and I'd rather not have to build all
of that again
2022-04-24 17:31:29 +05:30
1992e23f6b Fish: Add a function to compare two NixOS revisions on system
This function is a fish wrapper around a 'nix store' command to make it less
annoying to type every time.
2022-04-24 16:20:42 +05:30
648d39487f Git: Enable rerere: record merge conflict resolution 2022-04-22 00:36:05 +05:30
f398774bf3 Bebop: Switch back to pihole and remove adguardhome 2022-04-21 23:31:32 +05:30
d83ec9b498 Adguardhome: Add adguardhome module
It is easier to configure and has a NixOS module, it is well maintained, does
not need docker or a non-deterministic container and
generally seems alright.

But, it *appears* to have fewer bells and whistles compared to PiHole. Generally
PiHole has a lot of mindshare, and as crappy as their development practices are,
it is taking a lead.. Its default list also has more than twice the number of
entries, so I'm inclined to return to it.
2022-04-21 23:02:35 +05:30
3d4a2ba8b2 Monitoring: Disable Nginx reverse proxy
It is not needed to display grafana afterall. If I need it to show things in
future from a (truly) remote host, I'll think about it.
2022-04-21 22:39:39 +05:30
047c890fbb Syncthing: Add Pictures folder to bring enterprise into declarative fold 2022-04-20 21:56:07 +05:30
016bfe7c50 Fish/Nix: Add abbr to delete all unused gc roots 2022-04-20 19:13:47 +05:30
2aaf27998e Monitoring: Add telegraf+influxdb data source
Still needs to be added to grafana imperatively, but that is something that will
take a lot of time, and need to understand my own pattern.

The board that I have copied over is not very useful, has too much info that I
don't need, and needs to have some more inputs from telegraf configured. So this
is a long-term project, and can be safely ignored as *done* for now.
2022-04-20 00:01:03 +05:30
008e831bff Monitoring: Enable monitoring using Prometheus+grafana+systemd
TODO: Add Loki for logs

resource:
https://christine.website/blog/prometheus-grafana-loki-nixos-2020-11-20
2022-04-18 23:16:29 +05:30
3a56cf4ad1 Fish: Add simple abbr to check space left in all useful partitions 2022-04-18 19:12:26 +05:30
b39ff3e66f Syncthing: Add all existing devices and folders
But don't enable them for bebop yet. Its measly storage is not yet there to hold
the music :p
2022-04-18 19:11:10 +05:30
ed2e919840 Bebop: Initial setup of Syncthing using declarative NixOS service
This is really good, because all the folders and devices and all their sharing
matrix is now declarative and part of same config as everything else. This
should remove a lot of headache going forward.

Only question is, the secrets management for Syncthing cert and key.

cert is public info encoded into the device ID, so that is mostly taken care of,
kinda.

But, these are still imperatively generated by Syncthing on the first run. I can
generate my own using openssh, but that isn't strictly better because it adds
more imperative overhead.

Lastly, the cert+key+ID combo is unique and every time a new device comes
in/current device needs to be reinstalled (highly unlikely since the dawn of
NixOS, but never say never), then this needs to be adjusted manually. For now,
I'm gonna leave it be, and deal with it when the need arises.

Declaratively deploying key via agenix is currently shelved, because unlike
other uses, this one directly exposes my network and machine to wide internet,
hedging on single SSH key, that cannot be password protected due to limitation
in agenix.
2022-04-18 18:43:25 +05:30
b74eda979b Fish: simplify abbreviations for bebop interaction 2022-04-17 22:03:44 +05:30
73be53cdb5 Bebop: Enable home-manager as NixOS module
This allows easy config of few applications/services

- git
- htop
- fzf
- neovim

* syncthing is not enabled yet. During previous experimentation it did not work,
so need to look more into it
2022-04-17 22:00:28 +05:30
b7a3e0c394 meta: Move nix.nix from top-level to modules directory
It makes sense
2022-04-16 21:31:56 +05:30
ce5b5ada3a Fish: Add couple of aliases for nix-env system rollback/switch-generation
NOT tested
2022-04-16 20:20:30 +05:30
026b412e23 Fish: Add couple of aliases to interact with bebop remotely 2022-04-16 20:20:08 +05:30
67ba724418 New module to hold config and packages common to all
While setting up Raspberry Pi, I realised there are some packages I consider
bare minimum, even for headless servers (that I own)

- NeoVim
- git
- ripgrep
- fd
- htop
- jq
- wget
- fzf
2022-04-15 12:25:40 +05:30
3e11013c7b Make Fish a common module instead of host specific module 2022-04-15 11:58:17 +05:30
1cd3d8c379 Secrets: Disable debug logging for agenix
Now that I have found the reason, there is no need IMO to keep this going.

It also makes it hard to grok whether decryption actually worked or not.
2022-03-07 23:12:30 +05:30
efe9b4de03 Revert "Secrets: Remove debug logging for agenix"
This reverts commit a6f719ce54.
2022-03-05 11:16:14 +05:30
a6f719ce54 Secrets: Remove debug logging for agenix 2022-03-04 23:55:24 +05:30
56a81aa87b Secrets: Fix agenix decryption during reboot
Force identityPaths value from config instead of merging it with one from agenix
derivation (it uses empty array if openssh is disabled, and openssh key paths if
enabled).

Ultimately this should not be necessary, but there is a chance my config was in
bad state and mkForce fixed it.

Since the whole point of NixOS is to not have such 'bad states', this is a bit
puzzling. After all, everything is built by mortals so bugs are understandable,
but it will be better to keep in mind that all abstractions are leaky, even the
fully functional and strongly declarative ones like Nix :)
2022-03-04 23:52:19 +05:30
82779f2a54 Secrets: Enable debug logging for agenix
For some reason agenix failed to decrypt secrets during reboots and only worked
during `nixos-rebuild switch`.

This was @ryantm's suggestion to test things out while he helped out on Matrix
room.

Ultimately the conclusion was that probably the openssh daemon was
starting (unlikely, but can be fixed by having system SSH keys and adding them
to agenix config) or that the config was in some bad state (in which case it can
be fixed in a different manner).

Fix by simply asserting identityPaths value is included in next commit.
2022-03-04 23:46:26 +05:30
629846a1f9 Setup secrets management using agenix
agenix uses age (a utility + standard) that encrypts secrets using ssh key.
This simplifies secrets management quite a bit compared to GPG (my attempts for
which have failed so far).

Changes included:
- Encrypt all current keys (mail, backups) using age, configured via agenix
- All encrypted keys are committed to git repo and decrypted during boot
- None of the keys are used anywhere just yet. They will replace file paths
  in a future commit after testing
- Decrypted keys are available after boot under the user name with read-only
  permissions at the default agenix location (as of this commit)
- The Nix variable path is provided by agenix and can be used instead of
  having to recreate it
- Multiple keys can be specified for a single key, but for now I am only
  using one

For now, the code is dirty and can definitely use improvements. It is just at a
place where it is all working right now.

TODO: Get age + agenix in environment packages available at runtime in NixOS

Links:
    - https://github.com/ryantm/agenix
    - https://github.com/hlissner/dotfiles
2022-02-22 03:09:20 +05:30