@jaspermayone.com's dotfiles
# Jasper's Dotfiles

NixOS and nix-darwin configurations for the Hogwarts network.

## Status

<img src="https://img.shields.io/website?label=alastor&up_color=green&up_message=online&down_message=offline&url=https%3A%2F%2Falastor.hogwarts.channel%2Fstatus%2Falastor">
<img src="https://img.shields.io/website?label=remus&up_color=green&up_message=online&down_message=offline&url=https%3A%2F%2Falastor.hogwarts.channel%2Fstatus%2Fremus">
<img src="https://img.shields.io/website?label=dippet&up_color=green&up_message=online&down_message=offline&url=https%3A%2F%2Falastor.hogwarts.channel%2Fstatus%2Fdippet">

*Status badges run through alastor — if all badges are red, alastor is probably down.*

## Hosts

| Host | Domain | Type | Description |
|------|--------|------|-------------|
| **alastor** | `alastor.hogwarts.channel` | NixOS (x86_64) | VPS hub - tunnels, status, reverse proxy (Mad-Eye Moody) |
| **remus** | `remus.hogwarts.channel` | Darwin (aarch64) | MacBook Pro M4 - my daily driver |
| **dippet** | `dippet.hogwarts.channel` | Darwin (aarch64) | Mac Mini - assorted services |

### Domain Structure

- `tun.hogwarts.channel` — bore/frp tunnels only
- `*.tun.hogwarts.channel` — dynamic tunnel subdomains
- `alastor.hogwarts.channel` — alastor services (status API, etc.)
- `remus.hogwarts.channel` — reverse proxy to remus via Tailscale
- `dippet.hogwarts.channel` — reverse proxy to dippet via Tailscale
- `knot.jaspermayone.com` — Tangled Knot git server
- `atuin.hogwarts.dev` — Atuin server

## Secrets Management (agenix)

This repo uses [agenix](https://github.com/ryantm/agenix) for secrets. Secrets are encrypted with age using SSH keys and stored in git.

### Initial Setup

1. Get your SSH public key:
```bash
cat ~/.ssh/id_ed25519.pub
```

2. Edit `secrets/secrets.nix` and add your public key:
```nix
let
  jsp = "ssh-ed25519 AAAA... jasper@remus";
  # ...
```

3. After provisioning alastor, get its host key:
```bash
ssh-keyscan -t ed25519 tun.hogwarts.channel
```

4. Add the host key to `secrets/secrets.nix`

### Creating Secrets

```bash
# From the repo root
cd secrets

# Create/edit a secret (opens $EDITOR)
agenix -e frps-token.age

# For frps-token, just paste a random token:
# openssl rand -hex 32

# For cloudflare-credentials.age:
# CF_DNS_API_TOKEN=your-token-here

# For bore-token.age, use the same value as frps-token
```

### Re-keying Secrets

If you add new keys to `secrets.nix`:
```bash
cd secrets
agenix -r  # Re-encrypt all secrets with new keys
```

## Quick Start

### Setting up Remus (Mac)

1. Install Nix (using the Determinate Systems installer):
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
```

2. Clone this repo:
```bash
git clone https://github.com/jaspermayone/dots.git ~/dots
cd ~/dots
```

3. Create the secrets (see Secrets Management above):
```bash
cd secrets
agenix -e bore-token.age
cd ..
```

4. Build and switch:
```bash
nix run nix-darwin -- switch --flake .#remus
```

After the first build, use:
```bash
darwin-rebuild switch --flake ~/dots#remus
```

### Setting up Alastor (Server)

1. Provision a VPS with NixOS (Hetzner offers this in its marketplace)

2. SSH in and clone:
```bash
git clone https://github.com/jaspermayone/dots.git /etc/nixos
cd /etc/nixos
```

3. Generate the hardware config:
```bash
nixos-generate-config --show-hardware-config > hosts/alastor/hardware-configuration.nix
```

4. Get the host's SSH public key and add it to `secrets/secrets.nix`:
```bash
cat /etc/ssh/ssh_host_ed25519_key.pub
```

5. On your local machine, re-key the secrets with the new host key:
```bash
cd secrets && agenix -r && cd ..
git add . && git commit -m "Add alastor host key"
git push
```

6. Back on the server, pull and build:
```bash
git pull
nixos-rebuild switch --flake .#alastor
```

### Remote Deployment

From your Mac:
```bash
nixos-rebuild switch --flake .#alastor --target-host root@tun.hogwarts.channel
```

## DNS Setup (Cloudflare)

| Type | Name | Content | Proxy |
|------|------|---------|-------|
| A | tun | server-ip | Off (gray) |
| A | *.tun | server-ip | Off (gray) |
| A | alastor | server-ip | Off (gray) |
| A | remus | server-ip | Off (gray) |

**Create a Cloudflare API Token:**
1. https://dash.cloudflare.com/profile/api-tokens
2. Create Token → Custom Token
3. Permissions: `Zone - DNS - Edit`
4. Zone Resources: `Include - Specific zone - hogwarts.channel`

## Usage

### Creating a tunnel

```bash
# Interactive
bore

# Quick tunnel
bore myapp 3000

# With options
bore api 8080 --protocol http --label dev --save
```

### Listing tunnels

```bash
bore --list   # Active tunnels on server
bore --saved  # Saved tunnels in bore.toml
```

## Structure

```
dots/
├── flake.nix                       # Entry point
├── secrets/
│   ├── secrets.nix                 # Declares keys and secrets
│   ├── frps-token.age              # Encrypted frp auth token
│   ├── cloudflare-credentials.age
│   └── bore-token.age              # Client token (same as frps-token)
├── common/
│   ├── bore.nix                    # Bore client config
│   ├── git.nix                     # Git configuration
│   └── shell.nix                   # Shell configuration
├── darwin/
│   └── default.nix                 # macOS-specific settings
├── home/
│   └── default.nix                 # Home Manager config
├── hosts/
│   ├── alastor/                    # NixOS server (Mad-Eye Moody)
│   │   ├── configuration.nix
│   │   └── hardware-configuration.nix
│   └── remus/                      # Mac laptop
│       └── default.nix
└── modules/
    ├── bore/                       # Bore client module
    │   ├── default.nix
    │   ├── bore.1.md
    │   └── completions/
    ├── frps/                       # Frp server module
    │   └── default.nix
    └── status/                     # Status monitoring module
        └── default.nix
```

## Adding New Hosts

### NixOS
1. Create `hosts/hostname/configuration.nix`
2. Create `hosts/hostname/hardware-configuration.nix`
3. Add the host key to `secrets/secrets.nix` and re-key
4. Add to `flake.nix`:
```nix
nixosConfigurations.hostname = mkNixos "hostname" "x86_64-linux";
```

### Darwin (Mac)
1. Create `hosts/hostname/default.nix`
2. Add the user key to `secrets/secrets.nix` and re-key
3. Add to `flake.nix`:
```nix
darwinConfigurations.hostname = mkDarwin "hostname" "aarch64-darwin";
```

## Useful Commands

```bash
# Edit a secret
agenix -e secrets/frps-token.age

# Re-key all secrets (after adding new keys)
cd secrets && agenix -r

# Check flake
nix flake check

# Update flake inputs
nix flake update

# Garbage collect old generations
nix-collect-garbage -d
```
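The Initial Setup and Adding New Hosts steps above both end with "add the key to `secrets/secrets.nix`", so here is what a complete version of that file looks like for the three secrets in this repo, added as an illustration (it is not the repo's own file). The key strings are placeholders, and the assumption that only alastor needs `frps-token` and `cloudflare-credentials` while the Macs decrypt with the user key (as the Darwin steps add a user key, not a host key) is mine.

```nix
# secrets/secrets.nix (illustrative; every key string below is a placeholder)
let
  # User key from step 2 of Initial Setup. It must appear in every recipient
  # list, otherwise `agenix -e` on your own machine cannot decrypt the file.
  jsp = "ssh-ed25519 AAAA...PLACEHOLDER... jasper@remus";

  # Host key from step 3/4. `ssh-keyscan` trusts whatever answered on the
  # wire, so compare its output with `cat /etc/ssh/ssh_host_ed25519_key.pub`
  # run on the server itself before pasting it here.
  alastor = "ssh-ed25519 AAAA...PLACEHOLDER... root@alastor";

  users   = [ jsp ];      # remus and dippet decrypt with this identity
  servers = [ alastor ];  # NixOS hosts decrypt with their host key
in
{
  # Each attribute names an .age file in this directory; `publicKeys` is the
  # list of recipients that can decrypt it. Keep each list minimal: a host can
  # only read secrets it is listed under, so a compromised Mac cannot decrypt
  # the server-side tokens, and alastor cannot read the client-only token.
  "frps-token.age".publicKeys = users ++ servers;              # frp server on alastor
  "cloudflare-credentials.age".publicKeys = users ++ servers;  # DNS token, assumed used on alastor
  "bore-token.age".publicKeys = users;                         # bore client on the Macs only
}
```

After changing any list, run `cd secrets && agenix -r` so the affected files are re-encrypted to the new recipient set before committing.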