john/ad-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
75baa6744c3b0f8e8068cbbe0443af2752ac266e
ad-nix/README.md
John Lancaster 75baa6744c secrets updates
2024-12-29 14:50:35 -06:00

90 lines
2.7 KiB
Markdown
Raw Blame History

# NixOS Configuration for AppDaemon Development
## Objectives
- SSH remote with VSCode
- Debugger must work
- Multiple dev versions (different branches, forks)
- Multiple config directories - deployment and test
- `devenv`-based workflow
- Shell
- Makes `uv` available
- Syncs `devenv` virtual environment
- `appdaemon`
- Build Docker
- Use flakes
- Jupyter through VSCode
- `autoreload` must work with editable install of the dev version
- could always work in a dev container
- Observation - telegraf/promtail
- Utility - portainer, watchtower
## Usage
### `nfs`
Used to rebuild the `ad-nix` system with whatever is currently symlinked to `/etc/nixos`
### `ads`
Used to enter the development shell. Be careful, as this will create a `.devenv` directory and venv wherever it's entered.
### venv
Activated with `.devenv/state/venv/bin/activate`. Used in VSCode for type hints, running, and debugging
### Jupyter
- Install devenv kernel - might not be useful?
- `python -m ipykernel install --user --name devenv --display-name "Python (devenv)"`
- Run jupyter notebook on the side with a `uv run jupyter notebook` command
- Use the link with the token to connect the jupyter notebook kernel to it
## Mechanics
### SSH Connection
SSH keys are pre-authorized from `secrets/authorized_keys` which contains the public keys for desktop, laptop, and phone.
### SOPS
- `secrets/secrets.yaml` contains the encrypted keys.
- There needs to be a `~/.config/sops/age/keys.txt` file with the age secret key. This file has to be manually placed.
- `.sops.yaml` indicates to SOPS that the yaml file is encrypted with that secret key.
- `sops-ad` is a convenience script for editing the secrets.yaml file.
## Setup
### Bootstrapping
SSH in to the host as root and get into a shell with `git`.
```shell
nix-channel --update && nix-shell -p git
```
Then build the system from the flake
```shell
nixos-rebuild switch --flake git+https://gitea.john-stream.com/john/ad-nix#ad-nix
```
### Secrets
During build time `/etc/ssh/ssh_host_ed25519_key` automatically gets imported as an age key. If that fingerprint is included in the `.sops.yaml` file, then `secrets/secrets.yaml` can be decrypted during the build. Otherwise `~/.config/sops/age/keys.txt` needs to already be populated.
`secrets/secrets.yaml` needs to be edited from the terminal. There's a `sops-ad` command for convenience. The following keys are required:
- `telegraf_influx_token`
`~/.config/sops/age/keys.txt` needs to be set for the `sops-ad` command to work.
### Tailscale
Needs this in the `/etc/pve/lxc/<vmid>.conf` file on the proxmox host.
```
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
```
Reference in New Issue View Git Blame Copy Permalink