nixos-config

NixOS configs for various machines.

Note	This document is more of a unstructured notepad for me than an actual readme.

Joining the antibuilding VPN

To join the VPN just add your device to machines.nix. There is a script for that in this repo. cd into the root of this repo and run

Add your config to the repo

nix run .#add-antibuilding-peer -- 'YOUR HOSTNAME' 'YOUR WIREGUARD PUBLIC KEY'

commit the changes and open a PR. One hour after the PR gets merged, you can connect to the network. Just import the nixos module into your config.

Example for using the VPN module

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    antibuilding = {
      url = "github:zebreus/nixos-config";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, antibuilding }: {
    nixosConfigurations.trolltop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        antibuilding.nixosModules.vpn
        # Path to the wireguard private key at runtime
        { antibuilding.customWireguardPrivateKeyFile = "/etc/nixos/antibuilding.key"; }
      ];
    };
  };
}

Generate a wireguard keypair

wg genkey | tee wireguard_private.key
cat wireguard_private.key | wg pubkey | tee wireguard_private.key

Usage

The flake exports configurations for all my machines.

Secrets

Secrets are managed with agenix. They are stored in the secrets directory.

Each machine uses its ed25519 SSH host key to decrypt its secrets. That SSH host key is also stored as a secret. Before deploying a machine for the first time the ed25519 SSH host key must be on it. For now I just copied the key over manually, but nixos-anywhere has a option to copy files to a machine, I think.

DNS / DNSSEC readme

1. Add a new zone to knot

2. Deploy the primary DNS server

3. Set the NS records in the domain registrar

4. Get the DS records from the primary DNS server by running keymgr <zone> ds

5. Add the DS records to the domain registrar

TODO

• Manage SSH config

• Manage account passwords

• Write documentation

• Manage vscode config

• Upstream the part that chmods the paths created by agenix

• Unify nginx acme certs to use enableACME on the virtualhosts and set a default email

• connect janek-backup again

• Export a independent vpn module

• Peer with more people

• Write documentation for the VPN module

Protocols

Moving the mailserver

1. Change the mailserver in machines.nix

2. Add the new mailserver to the mailServers in secrets/public-keys.nix

3. Rekey all secrets

4. Add reverse DNS entry for mail.zebre.us

5. Deploy both machines

6. Wonder why certificates fail to renew

7. Deploy DNS primary and wait a few minutes for the entries to propagate

8. Redeploy the new mailserver

9. Run the backup restore script on the new mailserver

10. Make sure the ACME certificate for mail.zebre.us was issued.

11. Reboot the new mailserver