Dominik Polakovics 53d73142ae Add a11ywatch and related configurations for Podman and Nginx
- Introduced a new module for a11ywatch with Podman support, creating a bridge network and defining backend and frontend containers.
- Configured Nginx to serve the a11ywatch application with SSL and ACME support.
- Added user and group configurations for a11ywatch.
- Created a systemd service to ensure the Podman network exists on boot.

Implement Firefox Container Controller extension and host

- Added a module for the Firefox Container Controller extension, allowing installation via Nix.
- Created a native messaging host for the extension to communicate with the container controller.
- Included CLI helpers to enqueue commands for showing and hiding containers.

Enable fingerprint authentication in PAM

- Configured fingerprint authentication for login, sudo, and swaylock services.

Setup Raspberry Pi OS image creation script

- Developed a script to create a read-only Raspberry Pi OS Lite image with Snapcast client.
- Included configuration for Wi-Fi, hostname, and Snapcast server.
- Implemented user and group setup for Snapcast client and ensured necessary services are enabled.

Document Raspberry Pi Zero W setup instructions

- Added detailed instructions for configuring Raspberry Pi OS on Zero W, including disabling unused services and setting up Snapcast client.

Create test configuration script for NixOS

- Implemented a script to perform dry-builds for NixOS configurations, allowing for easy validation of host configurations.

1. Installation of new servers

  • install Ubuntu 20.04
  • get the age key from the host's SSH key
curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=hetznercloud NIX_CHANNEL=nixos-24.05 bash 2>&1 | tee /tmp/infect.log
nix-shell -p ssh-to-age --run 'ssh-keyscan install.cloonar.com | ssh-to-age'
  • fix the secrets files (re-encrypt them for the new key)
nix-shell -p sops --run "sops updatekeys -y secrets.yaml"
  • run the install command
./install.sh example.com

2. Sops command

nix-shell -p sops --run 'sops hosts/cloonar.com/secrets.yaml'

3. Web server specific

  • change the permissions for /var/www
chown nginx:nginx /var/www
chmod 755 /var/www

4. Netdata

  • in Netdata Cloud, use "Add a node" to get a claim token
  • once you have the token, claim it to associate it with the node:
  • create /var/lib/netdata/cloud.d/token and write the token into it
  • run nix-shell -p netdata --run "netdata-claim.sh -id=$(uuidgen)" as root
  • the node should now be registered in Netdata Cloud

5. Borg Backup

  • add the SSH key to the Hetzner backup host
cat ~/.ssh/id_rsa.pub | ssh -p23 u149513-subx@u149513-subx.your-backup.de install-ssh-key

6. Add new host

sftp host.cloonar.com@git.cloonar.com:/config/bootstrap.sh ./

7. Yubikey

ykman fido access change-pin --new-pin 654321
systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1p2

8. Wireguard

wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey
umask 0077; wg genpsk > psk

9. Hash for new packages

nix hash to-sri --type sha256 $(nix-prefetch-url https://tar.gz)
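What `nix hash to-sri --type sha256` does with the base32 hash that `nix-prefetch-url` prints, as an added example that is not part of this repository: it reimplements Nix's base32 alphabet and bit layout in plain Python so the conversion can be checked offline, and also accepts the hex form from sha256sum (the empty-file hash used at the bottom is a constructed input).

```python
import base64
import binascii

# Nix's base32 alphabet: digits and lowercase letters minus e, o, t, u.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"
SHA256_LEN = 32


def nix_base32_decode(s: str, size: int = SHA256_LEN) -> bytes:
    """Decode a Nix base32 hash string into the raw digest bytes.

    Nix reads the string from its last character to its first and packs
    5 bits per character starting at the low end of the digest, which is
    why this is not interchangeable with RFC 4648 base32.
    """
    expected_len = (size * 8 - 1) // 5 + 1  # 52 characters for SHA-256
    if len(s) != expected_len:
        raise ValueError(f"expected {expected_len} base32 characters, got {len(s)}")
    out = bytearray(size)
    for n in range(len(s)):
        c = s[len(s) - n - 1]
        digit = NIX_BASE32.find(c)
        if digit < 0:
            raise ValueError(f"invalid Nix base32 character {c!r}")
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i < size - 1:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("invalid Nix base32 hash: non-zero padding bits")
    return bytes(out)


def to_sri(hash_str: str) -> str:
    """Return the SRI string for a SHA-256 hash given in Nix base32 or hex."""
    if len(hash_str) == SHA256_LEN * 2:  # hex form, e.g. from sha256sum
        digest = binascii.unhexlify(hash_str)
    else:  # Nix base32 form, as printed by nix-prefetch-url
        digest = nix_base32_decode(hash_str)
    return "sha256-" + base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed input: the Nix base32 hash of an empty file.
    print(to_sri("0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73"))
```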