It is never recommended to enable password authentication for ssh.
Although bebop is intended to always be accessed from local network, it is
indeed exposed to wider internet, and I don't want surprises here.
Also NixOS made declarative SSH addition and deployment so much easier and
friction-free that I don't even want this anymore.
For rare occasions where system breaks or something, I can just login the hard
way, via physical keyboard and display. Builds better habits too.
This allows easy config of few applications/services
- git
- htop
- fzf
- neovim
* syncthing is not enabled yet. During previous experimentation it did not work,
so need to look more into it
Hailing from days of yore, when imperative channels and non-flakes reigned, this
file was there, the first created in 2019.
Now that hosts and their individual hardware-configuration are segregated in
their own little sub-directories, this file can finally be removed
- Generate binary cache signing keys on Enterprise
- Add private key to enterprise config for signing
- Add public key to Bebop for accepting packages signed by Enterprise
- Setup hosts files on both systems to include other host name at local reserved
ip address
- Bebop: Enable OpenSSH access for root user
  - Via SSH only, NO password
  - Use same ssh public key as normal user
- Enterprise: Enable Qemu for compiling aarch64 packages
Deploy NixOS from enterprise to bebop with below:
```
nixos-rebuild boot --flake .#bebop -v --target-host root@bebop --build-host localhost
```
Notice lack of sudo. Remote server does not ask for password for root (usually),
because it is supposed to use SSH key.
TODO: Add payas as trusted user in nix config for bebop so deploying via root is
not necessary. It is generally not best idea to expose root over network.
iwd is supposed to be lightweight and only depend on kernel+glibc
It sounds nice, and so far it is working well enough, with one caveat:
it cannot connect to Hidden networks.
Even with enabling the setting to connect to Hidden networks, which should have
worked, it just craps out on connecting my Hidden wifi.
For now, I'm inclined to try this thing out, so I just let my network broadcast
its SSID. We'll see how the experiment goes.
For some reason, bebop requires starting ssh-agent manually and adding the key after
every reboot. Apparently this is the fix to it.
It is expected to remember keys added once.
While setting up Raspberry Pi, I realised there are some packages I consider
bare minimum, even for headless servers (that I own)
- NeoVim
- git
- ripgrep
- fd
- htop
- jq
- wget
- fzf
bebop is a raspberry Pi and intended to be a headless server for my home.
As such, it makes no sense for it to burn cycles or space for XServer or desktop environment.
I have not found a better way to make the user password setup declarative while
making it be included in config/store in encrypted format.
Perhaps agenix/sops-nix will be a fix, but I'll keep it for later
As before, modifying Emacs config has weird issues with doom+daemon.
Usually I have to restart emacs for any config changes to stick, and if there is
any issue or bug in my config, the daemon just craps out instead of giving any
good feedback. So long, emacs the service, I'll probably never use you again.
Although I sure will miss lightning fast emacsclient openings
I could in theory just import all flake files from particular host, but so far
there aren't a lot of files in there, and I like the explicitness, and central
point of entry in flake.nix
Not sure what went wrong the last time I tried it. This seems to be working, so
I'll keep it and keep an eye for a while
Not that I ever interact with bare git conflicts, I always have magit or IDEA
gloves on while doing so, it is nonetheless a good habit to have this in the
config quiver.