# NixOS Configuration for AppDaemon Development

## Objectives

- SSH remote with VSCode
  - Debugger must work
- Multiple dev versions (different branches, forks)
- Multiple config directories
  - deployment and test
- `devenv`-based workflow
  - Shell
    - Makes `uv` available
    - Syncs `devenv` virtual environment
  - `appdaemon`
    - Build Docker
  - Use flakes
- Jupyter through VSCode
  - `autoreload` must work with editable install of the dev version
  - could always work in a dev container
- Observation
  - telegraf/promtail
- Utility
  - portainer, watchtower

## Usage

### `nfs`

Used to rebuild the `ad-nix` system with whatever is currently symlinked to `/etc/nixos`.

### `ads`

Used to enter the development shell. Be careful, as this will create a `.devenv` directory and venv wherever it's entered.

### venv

Activated with `.devenv/state/venv/bin/activate`. Used in VSCode for type hints, running, and debugging.

### Jupyter

- Install devenv kernel
  - might not be useful?
  - `python -m ipykernel install --user --name devenv --display-name "Python (devenv)"`
- Run jupyter notebook on the side with a `uv run jupyter notebook` command
- Use the link with the token to connect the jupyter notebook kernel to it

## Mechanics

### SSH Connection

SSH keys are pre-authorized from `secrets/authorized_keys`, which contains the public keys for desktop, laptop, and phone.

### SOPS

- `secrets/secrets.yaml` contains the encrypted keys.
- There needs to be a `~/.config/sops/age/keys.txt` file with the age secret key. This file has to be manually placed.
- `.sops.yaml` indicates to SOPS that the yaml file is encrypted with that secret key.
- `sops-ad` is a convenience script for editing the secrets.yaml file.

## Setup

### Bootstrapping

SSH into the host as root and get into a shell with `git`.
```shell
nix-channel --update && nix-shell -p git
```

Then build the system from the flake:

```shell
nixos-rebuild switch --flake git+https://gitea.john-stream.com/john/ad-nix#ad-nix
```

### Secrets

During build time `/etc/ssh/ssh_host_ed25519_key` automatically gets imported as an age key. If that fingerprint is included in the `.sops.yaml` file, then `secrets/secrets.yaml` can be decrypted during the build. Otherwise `~/.config/sops/age/keys.txt` needs to already be populated.

`secrets/secrets.yaml` needs to be edited from the terminal. There's a `sops-ad` command for convenience. The following keys are required:

- `telegraf_influx_token`

`~/.config/sops/age/keys.txt` needs to be set for the `sops-ad` command to work.

### Tailscale

Needs this in the `/etc/pve/lxc/.conf` file on the proxmox host:

```
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
```
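The `.sops.yaml` that the Secrets section depends on, as an added example rather than this repository's own file: both `age1…` recipients are placeholders (the real ones are the admin key whose secret lives in `~/.config/sops/age/keys.txt` and the age form of the host's `ssh_host_ed25519_key.pub`), and build-time decryption only works when the host's recipient is listed here.

```yaml
# .sops.yaml (added example, not the repository's file)
# Recipients are age public keys. Both values below are placeholders:
#   - admin: the public half of the key in ~/.config/sops/age/keys.txt
#   - host:  the age recipient derived from /etc/ssh/ssh_host_ed25519_key.pub
#            (sops-nix derives it at build time; `ssh-to-age` prints the same
#             value if you want to check it by hand)
keys:
  - &admin_desktop age1PLACEHOLDER_ADMIN_RECIPIENT
  - &host_ad_nix   age1PLACEHOLDER_HOST_RECIPIENT
creation_rules:
  # Only the secrets file is encrypted, and only to these two recipients.
  - path_regex: secrets/secrets\.yaml$
    key_groups:
      - age:
          - *admin_desktop
          - *host_ad_nix
```

After adding or rotating a recipient, run `sops updatekeys secrets/secrets.yaml` so the data key is re-wrapped for the new recipient set before the next rebuild.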