
PhilTaken/dotfiles

My NixOS dotfiles

Always remember that you are absolutely unique. Just like everyone else.

--- Margaret Mead

Introduction / Foreword

These dotfiles, as they are laid out here, are the culmination of over three years of work, tinkering and experimentation.
Going back and forth, trying out different strategies, failing and succeeding.

This current state, too, is just a snapshot in time - a snowflake, frozen in time. Stateless and stateful all at once.

How to Install

If the new machine has been booted into the NixOS ISO image (via the provider's web console or ssh) and a configuration for the new host has been added to this repository, follow these steps. The commands below use the host "beta"; substitute the name of your own host.

set up the drive (this runs disko, which repartitions and formats the disks declared for the host; anything on them is lost)

$ nix --extra-experimental-features "nix-command flakes" build github:philtaken/dotfiles#nixosConfigurations.beta.config.system.build.diskoScript
$ sudo ./result

generate a new age key

$ sudo mkdir -p /mnt/var/lib/sops-nix/
$ nix shell nixpkgs#age --command sudo age-keygen -o /mnt/var/lib/sops-nix/key.txt

update the sops secrets with the new public key: age-keygen prints it after writing the key file (age-keygen -y /mnt/var/lib/sops-nix/key.txt shows it again), add it as a recipient for the new host in .sops.yaml and re-encrypt the host's secrets files with sops updatekeys. Also make sure every secret the host expects actually exists, for example

  • nebula key
  • wireguard key

maybe double-check your hardware config on the vm with a quick

$ nixos-generate-config --root /mnt --no-filesystems --dir .
$ cat hardware-configuration.nix

(--no-filesystems because disko already describes the disks; compare the output with the machine's configuration under ./machines/ rather than copying it over blindly)

mistakes have been made before (not speaking from personal experience)...

finish up the installation

$ sudo nixos-install --root /mnt --flake github:philtaken/dotfiles#beta
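The installation steps above as one script, an added example rather than a script from the PhilTaken/dotfiles repository, with the checks a careful operator wants: the host name is validated before it is spliced into the flake attribute path, the script refuses to continue if disko left nothing mounted at /mnt, it will not overwrite an existing host key, and it stops before nixos-install until the secrets have been re-encrypted for the new recipient. It assumes the flake github:philtaken/dotfiles, the host attribute passed as the first argument, the sops-nix key at /mnt/var/lib/sops-nix/key.txt and passwordless sudo as on the installer ISO; the key file used in the checks is constructed, not a real key.

```sh
#!/bin/sh
# Added example, not a script from the PhilTaken/dotfiles repository: the
# installation steps as one procedure with the checks a careful operator wants.
# Assumptions: flake github:philtaken/dotfiles, host attribute given as $1
# (for example "beta"), sops-nix key at /mnt/var/lib/sops-nix/key.txt, disko
# mounting the target system at /mnt, passwordless sudo as on the NixOS ISO.
set -eu

FLAKE="github:philtaken/dotfiles"
KEY_FILE="/mnt/var/lib/sops-nix/key.txt"

# nix on the installer ISO may not have flakes enabled; pass the features every time.
nixf() { nix --extra-experimental-features "nix-command flakes" "$@"; }

# The host name is spliced into a flake attribute path, so refuse anything that
# is not a plain identifier before it reaches a command line.
valid_host() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read an age key file on stdin and print its recipient. age-keygen writes a
# "# public key: age1..." comment above the secret key; parsing that comment
# works without age on PATH (the equivalent is `age-keygen -y key.txt`).
age_pubkey() {
  sed -n 's/^# public key: \(age1[a-z0-9]*\).*$/\1/p' | head -n 1
}

partition_disks() {
  # disko repartitions and formats the disks declared for the host: irreversible.
  nixf build "$FLAKE#nixosConfigurations.$1.config.system.build.diskoScript"
  sudo ./result
  # Every later step writes under /mnt; if disko left nothing mounted there,
  # the key and the install would land on the live ISO instead.
  mountpoint -q /mnt || { echo "error: /mnt is not a mountpoint" >&2; return 1; }
}

generate_host_key() {
  sudo mkdir -p "$(dirname "$KEY_FILE")"
  # age-keygen itself refuses to overwrite and creates the file with mode 0600,
  # but an explicit check gives a clearer failure than a stack of nix output.
  if sudo test -e "$KEY_FILE"; then
    echo "error: $KEY_FILE already exists, not overwriting" >&2; return 1
  fi
  # --command takes the program and its arguments as separate words; quoting
  # them as one string would try to exec a program literally named
  # "sudo age-keygen -o ...".
  nixf shell nixpkgs#age --command sudo age-keygen -o "$KEY_FILE"
  pub=$(sudo cat "$KEY_FILE" | age_pubkey)
  [ -n "$pub" ] || { echo "error: no public key found in $KEY_FILE" >&2; return 1; }
  cat <<EOF
New recipient for $1: $pub
Add it to .sops.yaml for this host, run 'sops updatekeys' on its secrets files,
and confirm every secret the host needs (nebula key, wireguard key, ...) exists.
EOF
}

review_hardware_config() {
  # --no-filesystems: disko already declares the filesystems. Compare the
  # result with the machine's file under ./machines/ before installing.
  dir=$(mktemp -d)
  sudo nixos-generate-config --root /mnt --no-filesystems --dir "$dir"
  cat "$dir/hardware-configuration.nix"
}

install_system() {
  sudo nixos-install --root /mnt --flake "$FLAKE#$1"
}

main() {
  host=${1:-}
  valid_host "$host" || { echo "usage: $0 <host>  (host must match [A-Za-z0-9_-]+)" >&2; return 2; }
  partition_disks "$host"
  generate_host_key "$host"
  review_hardware_config
  printf 'Secrets re-encrypted and hardware config checked? [y/N] '
  read -r answer
  [ "$answer" = y ] || { echo "aborting before nixos-install" >&2; return 1; }
  install_system "$host"
}

# Run only when a host is given, so sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it from the installer ISO as sh install.sh beta; sourcing it without arguments only defines the functions, which is how the host-name and key-file checks can be exercised on their own.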

Details

Basic Structure

These configuration files describe a number of systems as well as their interaction. There are "servers" which can be thought of in the traditional sense - a highly available platform running a selection of services. And there are "hosts", user-facing machines with graphical environments, meant for interactive use and not always powered on. Both of these will hereafter be referred to as a "setup".

Definition

Every setup consists of either two or three parts:

  1. a hardware-specific machine configuration in ./machines/
  2. host-specific modules, defined under ./modules/hosts/
  3. (optional) a home-manager configuration based off of user-specific modules defined under ./modules/users

These three parts are combined using helper methods defined under ./lib/server.nix, ./lib/host.nix and ./lib/user.nix.

./network.nix defines, for the servers specifically, which services run where. From that single source the configuration derives the DNS entries for Unbound, the reverse proxy entries for Caddy, a basic IP lookup table for NFS mounts, the DNS nameserver entries, and the WireGuard and Nebula configuration modules, so a service has to be declared in one place only.

Networking

Every setup is part of both a WireGuard and a Nebula VPN / network overlay, which carry the traffic between setups.

DNS is served by Unbound, which resolves service names to the servers; Caddy on each server then reverse proxies the request to the respective service.

Deployment & Secrets

Deployment is handled by serokell's fantastic deploy-rs. Secrets are provisioned via sops-nix and encrypted to each host's own age key (the key generated at /var/lib/sops-nix/key.txt during installation), so a host can only decrypt the secrets it was added to as a recipient.

Monitoring

I have implemented a basic log-shipping configuration (vector.dev / Promtail) that sends each system's syslog to Loki for viewing in Grafana, and exposes system stats for Prometheus to scrape.