@jaspermayone's dotfiles
# Jasper's Dotfiles

NixOS and nix-darwin configurations for the Hogwarts network.

## Status

<img src="https://img.shields.io/website?label=alastor&up_color=green&up_message=online&down_message=offline&url=https%3A%2F%2Falastor.hogwarts.channel%2Fstatus%2Falastor">

*Status badges run through alastor — if all badges are red, alastor is probably down.*

## Hosts

| Host | Domain | Type | Description |
|------|--------|------|-------------|
| **alastor** | `alastor.hogwarts.channel` | NixOS (x86_64) | VPS hub - tunnels, status, reverse proxy (Mad-Eye Moody) |
| **remus** | `remus.hogwarts.channel` | Darwin (aarch64) | MacBook Pro M4 - my daily driver |
| **dippet** | `dippet.hogwarts.channel` | Darwin (aarch64) | Mac Mini - assorted services |

Only alastor has a public address; remus and dippet are reached through it over Tailscale.

### Domain Structure

- `tun.hogwarts.channel` — bore/frp tunnels only
- `*.tun.hogwarts.channel` — dynamic tunnel subdomains
- `alastor.hogwarts.channel` — alastor services (status API, etc.)
- `remus.hogwarts.channel` — reverse proxy to remus via Tailscale
- `dippet.hogwarts.channel` — reverse proxy to dippet via Tailscale
- `knot.jaspermayone.com` — Tangled Knot git server
- `atuin.hogwarts.dev` — Atuin server

## Secrets Management (agenix)

This repo uses [agenix](https://github.com/ryantm/agenix) for secrets. Each secret is an age file encrypted to the SSH public keys listed in `secrets/secrets.nix` (user keys so you can edit it, host keys so the machine can decrypt it at activation) and committed to git. Anyone holding the private half of any listed key can read the secret, so the key list is the access-control list.

### Initial Setup

1. Get your SSH public key:
```bash
cat ~/.ssh/id_ed25519.pub
```

2. Edit `secrets/secrets.nix` and add your public key. Host keys are declared the same way, and every secret lists the keys allowed to decrypt it:
```nix
let
  jsp = "ssh-ed25519 AAAA... jasper@remus";       # user key, used for editing
  alastor = "ssh-ed25519 AAAA... root@alastor";   # host key, used to decrypt at boot
  # ...
in {
  "frps-token.age".publicKeys = [ jsp alastor ];
  # ...
}
```

3. After provisioning alastor, get its host key:
```bash
ssh-keyscan -t ed25519 tun.hogwarts.channel
```
`ssh-keyscan` is trust-on-first-use: it prints whatever key the network presents. Compare it with `/etc/ssh/ssh_host_ed25519_key.pub` as read on the server itself (provider console, or the session you provisioned from) before trusting it; encrypting a secret to the wrong key is the same as publishing it.

4. Add the host key to `secrets/secrets.nix`
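The comparison step 3 calls for, as an added example that is not part of this repo: it normalizes the `ssh-keyscan` output and the key copied from the console to `type base64`, refuses a mismatch, and prints the line in the form `secrets.nix` expects. The key blobs in the demo variables are constructed placeholders, not real keys, and the nix variable name `alastor` is assumed.

```shell
#!/bin/sh
# Added example (not from the dots repo): confirm the ssh-keyscan result
# matches the host key read on alastor's own console before it goes into
# secrets/secrets.nix. ssh-keyscan is trust-on-first-use: it returns whatever
# key the network presents, so on its own it cannot detect a substituted host.
set -eu

# Reduce a public key line to "type base64": drops the hostname prefix that
# ssh-keyscan prepends and the comment that sshd/ssh-keygen appends.
normalize_pubkey() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(ssh|ecdsa)-/            { print $1, $2; exit }   # "type b64 [comment]"
    NF >= 3 && $2 ~ /^(ssh|ecdsa)-/ { print $2, $3; exit }   # "host type b64"
  '
}

# Succeeds only if both lines carry the same key material.
same_host_key() {
  a=$(normalize_pubkey "$1")
  b=$(normalize_pubkey "$2")
  if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; fi
  return 1
}

# Render a verified key as the string secrets.nix expects; the comment names
# the owner so the file shows whose key each entry is.
secrets_nix_entry() {   # $1 = nix variable name, $2 = key line, $3 = comment
  printf '  %s = "%s %s";\n' "$1" "$(normalize_pubkey "$2")" "$3"
}

# Live use: scan the host and compare with the key you copied from its console:
#   verify_host alastor tun.hogwarts.channel "$(cat alastor-console-key.pub)"
verify_host() {   # $1 = nix name, $2 = hostname, $3 = key line from the console
  scanned=$(ssh-keyscan -t ed25519 "$2" 2>/dev/null)
  if same_host_key "$scanned" "$3"; then
    secrets_nix_entry "$1" "$scanned" "root@$1"
  else
    echo "host key for $2 does not match the console copy; do not add it" >&2
    return 1
  fi
}

# Constructed sample data (placeholder blobs, not real keys) for a dry run.
DEMO_B64='AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEX'
DEMO_SCAN="tun.hogwarts.channel ssh-ed25519 $DEMO_B64"
DEMO_CONSOLE="ssh-ed25519 $DEMO_B64 root@alastor"
DEMO_OTHER='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERHOSTOTHERHOSTOTHERHOSTOTHERHOSTOTHERHOS root@somewhere'
```

The only step that touches the network is `ssh-keyscan` inside `verify_host`; the console copy has to come from a path that does not go through the same network (provider web console, or the key fingerprint shown during the initial install), or the check proves nothing.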

### Creating Secrets

`agenix` looks for `secrets.nix` in the current directory, so run it from `secrets/`:

```bash
# From the repo root
cd secrets

# Create/edit a secret (opens $EDITOR on the decrypted plaintext; the .age file is re-encrypted on save)
agenix -e frps-token.age

# For frps-token, just paste a random token, e.g. the output of:
# openssl rand -hex 32

# For cloudflare-credentials.age, one KEY=VALUE line:
# CF_DNS_API_TOKEN=your-token-here

# For bore-token.age, use the same value as frps-token (the client must present the token frps expects)
```

### Re-keying Secrets

If you add new keys to `secrets.nix`:
```bash
cd secrets
agenix -r # Re-encrypt all secrets with the current key list (needs an identity that can decrypt them; pass -i ~/.ssh/id_ed25519 if it is not the default)
```

Re-keying only changes who can decrypt the *current* ciphertext. Every earlier version is still in git history, so if a key is removed because it was exposed, rotate the secret values too (new frp/bore token, new Cloudflare token) rather than relying on `-r` alone.
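A non-interactive way to do the creation steps above and the rotation that re-keying should be followed by, added here as an example that is not part of this repo. It relies on agenix running `$EDITOR` on the decrypted temp file, so `cp /dev/stdin` feeds a pipe into that file; `agenix` on `PATH`, `secrets/` as the working directory and the secret file names from this README are assumed. Token generation reads `/dev/urandom` with `od` instead of `openssl rand` so it also works where openssl is absent.

```shell
#!/bin/sh
# Added example (not from the dots repo): create or rotate the agenix secrets
# without typing them. The value is generated once, written to frps-token.age
# and bore-token.age (they must match), and only ever travels through a pipe,
# so it never appears in argv, `ps` output, or shell history. Run from
# secrets/, where agenix finds secrets.nix; assumes agenix and a decrypting
# identity are available.
set -eu

# 32 random bytes as 64 hex characters, the shape `openssl rand -hex 32` gives,
# read from /dev/urandom with od so openssl is not required.
gen_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Sanity check before anything is encrypted: exactly 64 lowercase hex chars.
is_hex_token() {
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 64 ]
}

# Payload for cloudflare-credentials.age: one KEY=VALUE line.
cf_credentials() {   # $1 = Cloudflare API token
  printf 'CF_DNS_API_TOKEN=%s\n' "$1"
}

# Read a secret from the terminal without echo (nothing lands in history).
prompt_secret() {   # $1 = prompt text; the value is printed to stdout
  printf '%s: ' "$1" >&2
  stty -echo; read -r value; stty echo; echo >&2
  printf '%s' "$value"
}

# agenix runs $EDITOR on the decrypted temp file and re-encrypts it on exit;
# `cp /dev/stdin` fills that file from our pipe instead of opening an editor.
write_secret() {   # $1 = file name as listed in secrets.nix; value on stdin
  EDITOR='cp /dev/stdin' agenix -e "$1"
}

# Create or rotate the shared frp/bore token. After removing a compromised key
# from secrets.nix and running `agenix -r`, call this too: re-keying does not
# change the value, and the old ciphertext is still in git history.
rotate_tunnel_token() {
  tok=$(gen_token)
  is_hex_token "$tok" || { echo "token generation failed" >&2; return 1; }
  printf '%s' "$tok" | write_secret frps-token.age
  printf '%s' "$tok" | write_secret bore-token.age
}

# Usage:  cd secrets && sh create-secrets.sh run
if [ "${1:-}" = "run" ]; then
  rotate_tunnel_token
  cf_credentials "$(prompt_secret 'Cloudflare API token')" | write_secret cloudflare-credentials.age
fi
```

After a rotation, rebuild alastor (frps) before the clients, or the tunnels will fail authentication until both sides carry the new token.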

## Quick Start

### Setting up Remus (Mac)

1. Install Nix (using Determinate Systems installer):
```bash
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
```
This pipes a remote script straight into `sh`; download it first and read it if you would rather not.

2. Clone this repo:
```bash
git clone https://github.com/jaspermayone/dots.git ~/dots
cd ~/dots
```

3. Create the secrets (see Secrets Management above). Skip this if `bore-token.age` already exists and your key is listed in `secrets.nix`:
```bash
cd secrets
agenix -e bore-token.age
cd ..
```

4. Build and switch:
```bash
nix run nix-darwin -- switch --flake .#remus
```

After the first build, `darwin-rebuild` is on the PATH, so use:
```bash
darwin-rebuild switch --flake ~/dots#remus
```

### Setting up Alastor (Server)

1. Provision a VPS with NixOS (Hetzner has this in marketplace)

2. SSH in and clone. A fresh install already has a generated config in `/etc/nixos`, and `git clone` refuses a non-empty directory, so move it aside first:
```bash
mv /etc/nixos /etc/nixos.orig
git clone https://github.com/jaspermayone/dots.git /etc/nixos
cd /etc/nixos
```

3. Generate hardware config:
```bash
nixos-generate-config --show-hardware-config > hosts/alastor/hardware-configuration.nix
```

4. Get the host's SSH public key and add it to `secrets/secrets.nix`. This is the key agenix uses to decrypt secrets on the host at activation, so it must be the host key under `/etc/ssh`, not a user key:
```bash
cat /etc/ssh/ssh_host_ed25519_key.pub
```

5. On your local machine, re-key secrets with the new host key:
```bash
cd secrets && agenix -r && cd ..
git add . && git commit -m "Add alastor host key"
git push
```

6. Back on the server, pull and build:
```bash
git pull
nixos-rebuild switch --flake .#alastor
```

### Remote Deployment

From your Mac. alastor's closure is x86_64-linux, which an aarch64 Mac cannot build locally without a remote builder, so build on the server as well as deploy to it. The flake is evaluated from your local checkout; this does not update `/etc/nixos` on the server:
```bash
nixos-rebuild switch --flake .#alastor --target-host root@tun.hogwarts.channel --build-host root@tun.hogwarts.channel
```

## DNS Setup (Cloudflare)

| Type | Name | Content | Proxy |
|------|------|---------|-------|
| A | tun | server-ip | Off (gray) |
| A | *.tun | server-ip | Off (gray) |
| A | alastor | server-ip | Off (gray) |
| A | remus | server-ip | Off (gray) |
| A | dippet | server-ip | Off (gray) |

All records point at alastor; `remus` and `dippet` are reverse-proxied from there over Tailscale (see Domain Structure). Proxying stays off because the tunnel hostnames carry raw TCP (bore/frp), which Cloudflare's HTTP proxy does not forward; the trade-off is that the server IP is visible in DNS.

**Create Cloudflare API Token:**
1. https://dash.cloudflare.com/profile/api-tokens
2. Create Token → Custom Token
3. Permissions: `Zone - DNS - Edit`
4. Zone Resources: `Include - Specific zone - hogwarts.channel`

This is the value that goes into `cloudflare-credentials.age` as `CF_DNS_API_TOKEN`. Keep the scope to DNS edit on the one zone: it is enough for the records above, and a token that can edit DNS can redirect any hostname in that zone, so treat it as a credential for the whole zone. The token dialog also accepts a start/end date (TTL); set one if you rotate on a schedule.
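A quick liveness check for the token once it is in place, added here as an example and not the repo's own code: it reads `CF_DNS_API_TOKEN` from a KEY=VALUE file like the one in `cloudflare-credentials.age` and asks Cloudflare's token verification endpoint (`GET /client/v4/user/tokens/verify`) whether the token is active. The path `/run/agenix/cloudflare-credentials` in the usage line is agenix's default location for a secret named `cloudflare-credentials` and is an assumption about this repo's modules; the JSON in the comments is a constructed sample of the documented response shape.

```shell
#!/bin/sh
# Added example (not from the dots repo): confirm the Cloudflare token in the
# credentials file is still active, before a DNS update or renewal fails for
# want of it. Only the token itself is needed for the verify endpoint.
set -eu

CF_API='https://api.cloudflare.com/client/v4'

# Read CF_DNS_API_TOKEN from a KEY=VALUE file without sourcing it: sourcing
# would execute anything else that happens to be in the file.
token_from_file() {   # $1 = path to the decrypted credentials file
  sed -n 's/^CF_DNS_API_TOKEN=//p' "$1" | head -n 1
}

# Pull "status" out of the verify response without jq. A live token returns
#   {"result":{"id":"...","status":"active",...},"success":true,...}
# and an invalid one returns {"success":false,"errors":[...]} with no status,
# so an empty result means "not usable".
token_status() {   # $1 = JSON body
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Live check: succeeds only if Cloudflare reports the token as active.
verify_token() {   # $1 = token
  body=$(curl -sS -H "Authorization: Bearer $1" "$CF_API/user/tokens/verify")
  [ "$(token_status "$body")" = "active" ]
}

# Usage on a host that has the decrypted file (path is an assumption):
#   sh cf-token-check.sh /run/agenix/cloudflare-credentials
if [ "${1:-}" != "" ]; then
  tok=$(token_from_file "$1")
  [ -n "$tok" ] || { echo "no CF_DNS_API_TOKEN in $1" >&2; exit 1; }
  if verify_token "$tok"; then
    echo "token active"
  else
    echo "token NOT active" >&2
    exit 1
  fi
fi
```

Verify only reports that the token exists and is active; it says nothing about permissions, so the single-zone DNS-edit scope above still has to be checked in the dashboard.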

## Usage

`bore` here is this repo's own client wrapper (`modules/bore`), not the upstream `bore` CLI; it authenticates to frps on alastor with the value in `bore-token.age`, so that secret has to be deployed on the host you run it from.

### Creating a tunnel

```bash
# Interactive
bore

# Quick tunnel
bore myapp 3000

# With options
bore api 8080 --protocol http --label dev --save
```

### Listing tunnels

```bash
bore --list # Active tunnels on server
bore --saved # Saved tunnels in bore.toml
```

## Structure

```
dots/
├── flake.nix                  # Entry point
├── secrets/
│   ├── secrets.nix            # Declares keys and secrets
│   ├── frps-token.age         # Encrypted frp auth token
│   ├── cloudflare-credentials.age
│   └── bore-token.age         # Client token (same as frps-token)
├── common/
│   ├── bore.nix               # Bore client config
│   ├── git.nix                # Git configuration
│   └── shell.nix              # Shell configuration
├── darwin/
│   └── default.nix            # macOS-specific settings
├── home/
│   └── default.nix            # Home Manager config
├── hosts/
│   ├── alastor/               # NixOS server (Mad-Eye Moody)
│   │   ├── configuration.nix
│   │   └── hardware-configuration.nix
│   └── remus/                 # Mac laptop
│       └── default.nix
└── modules/
    ├── bore/                  # Bore client module
    │   ├── default.nix
    │   ├── bore.1.md
    │   └── completions/
    ├── frps/                  # Frp server module
    │   └── default.nix
    └── status/                # Status monitoring module
        └── default.nix
```

## Adding New Hosts

### NixOS
1. Create `hosts/hostname/configuration.nix`
2. Create `hosts/hostname/hardware-configuration.nix`
3. Add the host key (`/etc/ssh/ssh_host_ed25519_key.pub`) to `secrets/secrets.nix` and re-key
4. Add to `flake.nix`:
```nix
nixosConfigurations.hostname = mkNixos "hostname" "x86_64-linux";
```

### Darwin (Mac)
1. Create `hosts/hostname/default.nix`
2. Add the user key to `secrets/secrets.nix` and re-key
3. Add to `flake.nix`:
```nix
darwinConfigurations.hostname = mkDarwin "hostname" "aarch64-darwin";
```

## Useful Commands

```bash
# Edit a secret (agenix looks for secrets.nix in the current directory, so run it from secrets/)
cd secrets && agenix -e frps-token.age

# Re-key all secrets (after adding new keys)
cd secrets && agenix -r

# Check flake
nix flake check

# Update flake inputs
nix flake update

# Garbage collect old generations (this also removes the ability to roll back to them;
# use sudo for the system profile)
nix-collect-garbage -d
```
261```