The issue was that the generated NixOS system closure did not depend on the agenix
secrets being present in the NixOS repo. So, whenever garbage got collected, the
secrets dir got removed from the store, and on subsequent boots the secret
decryption failed as the encrypted secrets were absent from the NixOS store.
This fix means the entire agenix secrets dir gets copied over to the store instead of
the selective keys, but given how my current number of machines is fairly small and
I need pretty much all the keys on them, I think it is fine to keep it as is. In
future I can try something like the Syncthing module, where definition and
use happen in different locations.
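As an added example (not code from the repo), the Nix mechanism the fix leans on: a path literal interpolated into a string is copied into the store and carries that store path as context, so the agenix activation script, and therefore the system closure, references the copy and GC keeps it. The ./secrets directory and the secret names are assumptions.

```nix
{ ... }:
let
  # A Nix *path*. Interpolating it into a string copies the whole
  # ./secrets directory into /nix/store and the string remembers that
  # store path (string context), so whatever is built from it, here
  # agenix's activation script, depends on the copy. GC follows the
  # system closure and keeps the copy around for later boots.
  secretsDir = ./secrets;

  # Contrast: builtins.toString yields the plain checkout path
  # ("/home/me/nixos/secrets"), with no store copy and no context.
  # A string built from it is not part of the closure, so nothing
  # guarantees the ciphertext exists when decryption runs at boot.
  checkoutDir = builtins.toString ./secrets;
in
{
  age.secrets = {
    # Whole directory copied once; each file is a path inside that copy.
    mail.file = "${secretsDir}/mail.age";
    backups.file = "${secretsDir}/backups.age";

    # Per-file variant: copies only this one file into the store.
    # ssh.file = ./secrets/ssh.age;

    # Fragile variant: resolves outside the store and is not in the closure.
    # mail.file = "${checkoutDir}/mail.age";
  };
}
```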
Since I've been using WSL2 for the past few days, I have been using Windows
Terminal.
While it doesn't really hold a candle to Konsole, it is alright and comes with
the Cascadia Code font by default. Over a few days, I've come to like this font and
decided to try it out for Emacs within WSL.
This is a minimal config for Hermes on WSL2.
Emacs is untested yet and ~/org/ still needs to be copied imperatively.
The Email, Syncthing and Backup modules are yet to be set up and might need
some imperative actions.
However, the system is working and automatically logs into the correct
default user.
- Plasma desktop
- Fonts
- Users
These are top-level modules in anticipation of a new machine, but I expect them to
remain the same regardless of the particular host.
Emacs Lisp is proving to be a decent scripting language.
This is a small script I wrote to unlock restic repos in case they get locked,
based on a few input params.
There is home-manager for more fine-grained plugin management, but I only use a
single plugin, used by the Fish shell, and it is already present in nixpkgs.
Also set up (commented) code to add config.fish via home-manager. Should come in
handy in future.
In sync with my general attempt to move as much as possible into user config
rather than system config.
It also makes the Emacs config "slightly" cleaner and easier to understand.
In pursuit of trying out NixOS on Rocinante, the device was formatted and, in my
basic assumptions, I did not back up userdata.
So, the device is lost and I no longer have the original Syncthing keys for this
device. Being an Android phone, it would be unwise to back up and restore the
keys anyway.
So, for now, I am simply removing Rocinante from my backup roster. Oh, so much for
an extra machine backing up my stuff...
This will download the whole HTML and its linked docs, recursively 5 levels
deep, with random delays in between so as not to get throttled, and convert links
to point to local files.
In short, this will copy a whole website locally, in a completely usable-from-local
format.
I tested it on the Rust Book and it works fantastically!
I have a hunch I'll be using this multiple times going forward, so adding an
abbreviation.
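As an added example (not the repo's own code), the mirror command as a fish abbreviation declared through home-manager's programs.fish.shellAbbrs; the name wgetsite, the --wait value and the --no-parent, --page-requisites and --adjust-extension flags are my additions on top of what the message describes.

```nix
{ lib, ... }:
{
  programs.fish = {
    enable = true;
    shellAbbrs = {
      # Typing `wgetsite` expands to the full command, so the URL is
      # appended by hand: wgetsite https://doc.rust-lang.org/book/
      wgetsite = lib.concatStringsSep " " [
        "wget"
        "--recursive"        # follow links ...
        "--level=5"          # ... at most five levels deep
        "--page-requisites"  # also fetch the CSS/JS/images each page needs
        "--convert-links"    # rewrite links to point at the local copies
        "--adjust-extension" # store HTML as .html so it opens from disk
        "--no-parent"        # never climb above the starting directory
        "--wait=2"           # base pause between requests ...
        "--random-wait"      # ... randomised to 0.5-1.5x of --wait
      ];
    };
  };
}
```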
Now only the full-fat FLAC dir is shared between enterprise, bebop and Childish
Tycoon. I realised that the overhead of maintaining 2 sets was eventually going
to be too much. The two dirs were already out of sync, and as I was cleaning up
unwanted files from one device, the other dir was falling further behind in
sync.
So, now only FLACs will be shared. This means Rocinante has to be left out of
Music sync. This means there is one less backup, but I hope it will be fine.
Roci originally served the purpose of always-on node, but that role has been
taken over by bebop in a much better fashion, so at least for now, I can survive
with one less backup of the music.
This way I'll have at least one backup (albeit on-site only) of the FLAC
collection.
It took me significant time to build it, and I'd rather not have to build all
of that again.
It is easier to configure and has a NixOS module, it is well maintained, does
not need Docker or a non-deterministic container and
generally seems all right.
But, it *appears* to have fewer bells and whistles compared to PiHole. Generally
PiHole has a lot of mindshare, and as crappy as their development practices are,
it is taking the lead. Its default list also has more than twice the number of
entries, so I'm inclined to return to it.
Still needs to be added to Grafana imperatively, but that is something that will
take a lot of time, and I need to understand my own patterns.
The board that I have copied over is not very useful, has too much info that I
don't need, and needs to have some more inputs from telegraf configured. So this
is a long-term project, and can be safely ignored as *done* for now.
This is really good, because all the folders and devices and their whole sharing
matrix are now declarative and part of the same config as everything else. This
should remove a lot of headache going forward.
The only question is the secrets management for the Syncthing cert and key.
The cert is public info encoded into the device ID, so that is mostly taken care of,
kinda.
But, these are still imperatively generated by Syncthing on the first run. I can
generate my own using openssh, but that isn't strictly better because it adds
more imperative overhead.
Lastly, the cert+key+ID combo is unique, and every time a new device comes
in or the current device needs to be reinstalled (highly unlikely since the dawn of
NixOS, but never say never), this needs to be adjusted manually. For now,
I'm gonna leave it be, and deal with it when the need arises.
Declaratively deploying the key via agenix is currently shelved, because unlike
other uses, this one directly exposes my network and machine to the wide internet,
hedging on a single SSH key that cannot be password protected due to a limitation
in agenix.
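An added example, not the repo's config, of the declarative Syncthing shape the message describes on NixOS 23.05 or newer (services.syncthing.settings); device IDs, the user and the paths are placeholders, and the cert/key lines show the identity-pinning options the message discusses, pointed at files kept outside the Nix store.

```nix
{ ... }:
{
  services.syncthing = {
    enable = true;
    user = "me";                      # placeholder
    dataDir = "/home/me";
    # Pin the identity. The cert is public (the device ID is derived from
    # it); the key is the secret. Without these two lines Syncthing
    # generates a fresh pair on first run, giving the host a new ID.
    # A path from agenix (config.age.secrets.<name>.path) would fit here.
    cert = "/var/lib/syncthing-id/cert.pem";   # placeholder, outside /nix/store
    key  = "/var/lib/syncthing-id/key.pem";    # placeholder, never in the store
    # Anything configured by hand in the web UI is removed on rebuild,
    # so this file is the single source of truth for the sharing matrix.
    overrideDevices = true;
    overrideFolders = true;
    # Exposure: keep the GUI on loopback and do not open 22000/21027
    # in the firewall unless remote peers really need them.
    guiAddress = "127.0.0.1:8384";
    openDefaultPorts = false;
    settings = {
      devices = {
        enterprise = { id = "DEVICE-ID-PLACEHOLDER-1"; };
        bebop      = { id = "DEVICE-ID-PLACEHOLDER-2"; };
      };
      # The sharing matrix: each folder lists the devices it is shared with.
      folders = {
        flac = {
          path = "/home/me/Music/FLAC";
          devices = [ "enterprise" "bebop" ];
        };
        org = {
          path = "/home/me/org";
          devices = [ "bebop" ];
        };
      };
    };
  };
}
```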
This allows easy config of a few applications/services:
- git
- htop
- fzf
- neovim
* syncthing is not enabled yet. During previous experimentation it did not work,
so I need to look into it more.
While setting up the Raspberry Pi, I realised there are some packages I consider
bare minimum, even for headless servers (that I own):
- NeoVim
- git
- ripgrep
- fd
- htop
- jq
- wget
- fzf
Force identityPaths value from config instead of merging it with one from agenix
derivation (it uses empty array if openssh is disabled, and openssh key paths if
enabled).
Ultimately this should not be necessary, but there is a chance my config was in a
bad state and mkForce fixed it.
Since the whole point of NixOS is to not have such 'bad states', this is a bit
puzzling. After all, everything is built by mortals, so bugs are understandable,
but it is better to keep in mind that all abstractions are leaky, even the
fully functional and strongly declarative ones like Nix :)
For some reason agenix failed to decrypt secrets during reboots and only worked
during `nixos-rebuild switch`.
This was @ryantm's suggestion to test things out while he helped out in the Matrix
room.
Ultimately the conclusion was that probably the openssh daemon was
starting (unlikely, but can be fixed by having system SSH keys and adding them
to the agenix config) or that the config was in some bad state (in which case it can
be fixed in a different manner).
The fix (simply asserting the identityPaths value) is included in the next commit.
agenix uses age (a utility + standard) that encrypts secrets using an ssh key.
This simplifies secrets management quite a bit compared to GPG (my attempts at
which have failed so far).
Changes included:
- Encrypt all current keys (mail, backups) using age, configured via
agenix
- All encrypted keys are committed to git repo and decrypted during boot
- None of the keys are used anywhere just yet. They will replace file
paths in a future commit after testing
- Decrypted keys are available after boot under the user name with read-only
permissions at the default agenix location (as of this commit)
- The Nix variable path is provided by agenix and can be used instead of
having to recreate it
- Multiple keys can be specified for a single key, but for now I am only
using one
For now, the code is dirty and can definitely use improvements. It is just at a
place where it is all working right now.
TODO: Get age + agenix into the environment packages available at runtime in NixOS
Links:
- https://github.com/ryantm/agenix
- https://github.com/hlissner/dotfiles
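An added example, not the repo's own files, of the two halves of the agenix setup listed above together with the identityPaths override from the later fix: the recipient list (secrets.nix) the agenix CLI reads when encrypting, and the NixOS module that decrypts at boot. Public keys, the user name and the secret names are placeholders, and the restic line is only an illustration of how a consumer would reference the decrypted path.

```nix
# secrets.nix, read by `agenix -e mail.age`: which public keys may decrypt
# each file. Listing the machine's host key lets that machine decrypt at
# boot; listing a user key lets a person edit the file.
#
#   let
#     me         = "ssh-ed25519 AAAA...PLACEHOLDER me@laptop";
#     enterprise = "ssh-ed25519 AAAA...PLACEHOLDER root@enterprise";
#   in {
#     "mail.age".publicKeys    = [ me enterprise ];
#     "backups.age".publicKeys = [ me enterprise ];
#   }

# NixOS module: which private key decrypts, and where the plaintext lands.
{ config, lib, pkgs, ... }:
{
  # Private keys tried at activation. agenix's default is derived from
  # services.openssh.hostKeys (an empty list when openssh is disabled);
  # mkForce replaces that list instead of merging with it.
  age.identityPaths = lib.mkForce [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets = {
    mail = {
      file = ./secrets/mail.age;  # ciphertext: safe in git and in the store
      owner = "me";               # placeholder user
      mode = "0400";              # plaintext readable by that user only
    };
    backups = {
      file = ./secrets/backups.age;
      owner = "me";
      mode = "0400";
    };
  };

  # Consumers use the path agenix provides (by default /run/agenix/<name>)
  # rather than hard-coding it, e.g. for a restic backup job:
  # services.restic.backups.home.passwordFile = config.age.secrets.backups.path;

  # age CLI at runtime (the TODO above); agenix's own CLI comes from its flake.
  environment.systemPackages = [ pkgs.age ];
}
```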