TODO

• d better charge remaining
• d systemd-run abbr
• d yaml/json to nix in fish funcs
• d sudo shim
• d wireguard
  • d initial setup
  • d how the hell does resolveconf work
  • d dns
  • d prometheus on elderberry
  • d figure out loki and put it on elderberry (who is pihole)
  • d move services to wireguard
  • u add unmanaged nodes that actually work
• d script for accessing backups
• d s3 backups on elderberry
• d loki don't log info
• d make grafana to actually serve on wg
• d move modules into nixosModules
• u jenkins actually really wants a domain
• d just use nixosModules in alloy
• u https://flake.parts/options/pkgs-by-name-for-flake-parts
• o https://flake.parts/options/agenix-rekey
• d pipe tcpdump -ni wg1 into promtail via labels = "__path__"
• u togglables - sysd services (sing-box, tailscaled) that can be toggled by non-root (using sudo rules) and have a script for doing that.
  • u sudo rules + interface
  • u script
  • u xmonad integration
• u grafana declarative sources
• u terranix for simplified management
• o using flake parts prevents nixosModules from being checked reason: fp wraps modules in m: { imports = [ m ]; }. do we even need to check the modules?
• o move ssh keys to hosts.json
• u vault
  • d vault
  • d nats for rebiuld requests (with ref), etc.
  • d agent: chown
  • d agent: service restarts
  • u PKI engine
• i tf files in config and a simple just script to pull state
  • d store tf files in tree
  • u provision secrets to tf via env on cd
  • u generate .envrc with secrets (rotateable)
  • u store state on s3
• d restucture module imports into a separate flake module it gets modulesPath and imports it into attrsets based on directory structure
• u rofi
• u clipboard manager
• o reapply file by unnixing and copying from nixos-rebuild build
• o dev/undev just commands dev: replace github:head-gardener urls in inputs with zoxide output undev: replace inputs back from comments and lock-commit the input update
• u proxychains
  • d test out
  • u wrap terraform?
• o luks
• u fugitive https://github.com/tpope/vim-fugitive
• o dragon
• o check p10k out

Terminal farm

Simple VM on NixOS outside of VPN, with LDAP auth, allowing undocumented self rebuils.

Config render

Render config in a derivation from a minimal VM (start, launch home-manager for neovim etc), copy to an output and serve with nginx.

Incidents

• d incident: jenkins build failed after slave couldn't pull scm date: Mon Oct 28 02:41:59 AM +03 2024 reason: after a resolver change (remove: tailscale) container didn't restart, and still used the old resolv.conf solution: restart
• d incident: btrbk-local fails to create root snapshot date: Mon Oct 28 00:00:00 AM +03 2024 reason: btrbk-s3 already created it solution: randomize service start times
• d incident: ci melted after 20 minutes while building checks.mkDesktop http://blueberry:8080/job/config/22/console date: Mon Oct 28 00:03:07 AM +03 2024 reason: possible overload from another pipeline for the same config solution: delete the old pipeline
• u incident: dns queries from behind sing-box take absurdly long

Per-host

Ambrosia

• obs 30.0.2 records, obs 30.1.2 doesn't.