
bjackman/boxen


My boxen

 _________________________________________
/ THIS IS MY PILE OF NIXOS AND HOME       \
| MANAGER MODULES AND SHIT                 |
|                                         |
| THERE ARE MANY LIKE IT BUT THIS ONE     |
| IS MINE                                 |
|                                         |
| MY NIX CODE IS MY BEST FRIEND           |
|                                         |
\ IT IS  MY LIFE                          /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

HOWTOs

Adding a new user for the homelab

nix run .#add-user -- <username>

Installing

How I installed pizza:

  • Check out commit 813e8d1ec22e.

  • Run nix build .#nixosConfigurations.pizza.config.system.build.isoImage to build an installer image.

  • Boot the installer on the machine and plug it into the network.

  • You can now SSH to the machine over the LAN.

  • Modify the configuration as in 18ab3a3. At a minimum:

    • Remove the installer module and enable a bootloader
    • Add a Disko configuration
  • Run nixos-anywhere, e.g.:

    nix run github:nix-community/nixos-anywhere -- \
        --flake .#pizza \
        --generate-hardware-config nixos-generate-config ./nixos_modules/pizza/hardware-configuration.nix \
        --target-host pizza.fritz.box

Note that this process won't work if the machine needs secrets in order to function (e.g. a login password that is managed by this repo): the host's SSH key, which is what decrypts them, is only generated when the system is first installed, so nothing can be encrypted to it beforehand. You need to bootstrap: install a configuration that works without the secrets, let the system generate its host keys, add the new host key as a recipient and rekey the secrets, then switch to the full configuration.
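The two configuration changes in the "Modify the configuration" step above, as an added example that is not a module from this repo: a NixOS module for the installed host that leaves the installer profile out, enables systemd-boot and declares the disk layout Disko should create. The file path, the disk device, the partition sizes and the assumption that the ISO build imports the stock installation-cd-minimal profile are placeholders, not taken from the repo.

```nix
# nixos_modules/pizza/disk.nix (added example; path and contents are assumptions)
{ ... }:
{
  # Do not import the installer profile (installation-cd-minimal.nix) into the
  # installed system: it brings an empty root password, console autologin and
  # sshd with root login, which are fine on a live ISO and not on a server.

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  disko.devices.disk.main = {
    type = "disk";
    # Placeholder: use a stable /dev/disk/by-id/... path for the real machine,
    # never /dev/sda-style names that can change between boots.
    device = "/dev/disk/by-id/nvme-PLACEHOLDER";
    content = {
      type = "gpt";
      partitions = {
        ESP = {
          size = "512M";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
            # /boot holds the unencrypted kernels and initrds; keep it root-only.
            mountOptions = [ "umask=0077" ];
          };
        };
        root = {
          size = "100%";
          content = {
            type = "filesystem";
            format = "ext4";
            mountpoint = "/";
          };
        };
      };
    };
  };
}
```

The host's flake configuration also has to import disko.nixosModules.disko for the disko.devices option to exist; nixos-anywhere then partitions and formats the disk from this declaration before installing, and everything on the device is lost.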

TODOs

  • Fix borked machines
  • Unbrick deadlocked Norte
  • Unbrick remote pizza access
  • Figure out where ZFS media went on norte
  • Get watchdogs working (test with ls /mnt/nas/.zfs/snapshots/*/media)
  • Investigate if sops-nix is better than agenix. Main goal is we need to be able to generate stuff like configs containing secrets, on the host.
  • Get Authelia running
  • Get FileBrowser running
  • Get FileBrowser accepting auth from Authelia
  • Make creating Authelia users more practical
  • Make creating FileBrowser users more practical
  • Make FileBrowser able to access NAS data (read/write)
  • Set up some monitoring. In particular it would be nice to know about watchdog resets.

Inspecting the config

NixOS options are under .#nixosConfigurations.<config>.config. So for example:

# Show security.pam.loginLimits option
nix eval .#nixosConfigurations.chungito.config.security.pam.loginLimits

For NixOS hosts, Home Manager options are under .#nixosConfigurations.<config>.config.home-manager.users.<user>. So for example:

# Show programs.waybar.enable option
nix eval .#nixosConfigurations.chungito.config.home-manager.users.brendan.programs.waybar.enable

For hosts using Home Manager standalone, they are under .#homeConfigurations.<config>.config. So for example:

nix eval '.#homeConfigurations.jackmanb@jackmanb01.config.wayland.windowManager.sway.xwayland'

Secrets

Secrets are stored using agenix. At runtime they get decrypted and dumped into a tmpfs (under /run/agenix) as plaintext (lol), so what protects them on a running host is the owner and mode that age.secrets sets on each file, not encryption.

To add a secret, run nix develop to get the agenix CLI, then go into secrets/ and add it to secrets.nix following the existing pattern in there. That's where you configure which keys can decrypt it. Then run agenix -e <name>.age to create and edit it. Finally, to make it get decrypted at runtime, add it to age.secrets in the Home Manager or NixOS config and reference it by its path.
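A NixOS module consuming secrets the way the last step describes, as an added example that is not a module from this repo. The secret names, the user, the assumption that the module lives under nixos_modules/pizza/ (so secrets/ is two levels up) and the decision to manage the login password from the repo are all assumptions.

```nix
# nixos_modules/pizza/secrets.nix (added example; names and paths are assumptions)
{ config, ... }:
{
  # Decrypt with the host's SSH key, so no per-user age key has to be
  # provisioned on the machine. The matching public key must be a recipient
  # of each secret in secrets/secrets.nix.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Decrypted at activation into the tmpfs under /run/agenix. Defaults are
  # owner root, mode 0400; only loosen them for a service user that must read it.
  age.secrets.brendan-password = {
    file = ../../secrets/brendan-password.age;   # assumed secret name
  };

  age.secrets.nas-credentials = {
    file = ../../secrets/nas-credentials.age;    # assumed secret name
    owner = "brendan";
    group = "users";
    mode = "0400";
  };

  # Always hand consumers the runtime *path*. Reading the secret into a Nix
  # string (builtins.readFile, string interpolation) would copy the plaintext
  # into the world-readable /nix/store.
  users.mutableUsers = false;   # the repo, not /etc/shadow, is authoritative
  users.users.brendan.hashedPasswordFile = config.age.secrets.brendan-password.path;
}
```

If this host has not been installed yet, its host key does not exist and the secret cannot yet be encrypted to it; that is the bootstrap problem described under Installing.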

To add a recipient key for a secret, update secrets.nix to include it in that secret's publicKeys setting, then run agenix -r from the secrets/ dir to rekey. Note that rekeying requires decrypting the secrets, which your current user might not be able to do if the only recipients are host keys. In that case, use the -i flag to point agenix at a private key that can decrypt them, e.g. sudo agenix -r -i /etc/ssh/ssh_host_ed25519_key on a host that is already a recipient.
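What the recipient lists in secrets.nix look like when host keys are among the recipients, as an added example that is not the repo's secrets.nix; the key strings, host names and secret names are placeholders.

```nix
# secrets/secrets.nix (added example; keys and names are placeholders)
let
  # Your own key: recipient of everything, so `agenix -e` and `agenix -r`
  # work from a workstation without touching any host's private key.
  brendan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBRENDAN";

  # Host keys, copied from /etc/ssh/ssh_host_ed25519_key.pub on each machine
  # (or `ssh-keyscan -t ed25519 <host>`) once the host has been installed and
  # has generated them.
  pizza    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPIZZA";
  chungito = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCHUNGITO";
in
{
  # Least privilege: only the host that needs a secret can decrypt it.
  "brendan-password.age".publicKeys = [ brendan pizza ];

  # A shared secret lists every host that mounts the NAS. Adding a host here
  # is the "add a recipient" case: edit this list, then run `agenix -r`.
  "nas-credentials.age".publicKeys = [ brendan pizza chungito ];
}
```

Removing a key from a list and rekeying stops future decryption with that key, but any copy of the old .age file in git history remains decryptable by it, so a compromised host key means rotating the secret itself, not just the recipient list.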

Diffing configs

You can use nix-diff (with NIX_REMOTE set to empty, to work around a bug) to compare the results of two builds. nix-diff prints the differences from its first argument to its second, so pass the old result first:

home-manager build
mv result result.old

# ... make changes

home-manager build
NIX_REMOTE= nix-diff result.old result

Mail

How it works

There is a system for working with LKML in here. It's defined in modules/lkml.nix but it's unfortunately coupled with the accounts.email.accounts definition in an awkward way (see TODOs in the code).

It works like this:

  • A command called get-lkml takes care of fetching mail. It's also run via a systemd service.

    • Email is fetched from Lore using lei. There is no IMAP or anything; this system works exclusively from mailing list archives. If someone emails you without CCing the list, you just have to reply via webmail or something.

    • It's then indexed using notmuch.

  • There is a packaged script, notmuch-propagate-mute, which provides a muting mechanism (which, AFAICT, no mail client offers for some reason) for keeping LKML volume manageable. It works on notmuch tags.

  • aerc is used as the actual mail client. A configuration is provided that is coupled with the tagging mechanism used by notmuch-propagate-mute:

    • There's a key binding for applying the tag that controls the muting

    • The view of "mailboxes" i.e. the "query map" takes into account the tag that is output by the muting script.

Using it

The page you land on is called the "message list". The navbar on the left shows you "folders" in Aerc terminology. Under this config, "folders" are actually notmuch queries defined in the query-map.

All the operations below are defined in binds.conf as commands; check there for the command name corresponding to each key. You can also press ? to see the current bindings.

  • j/k scrolls in the message list itself
  • J/K scrolls between folders
  • v "marks" the highlighted message. ctrl-v marks the whole thread. V unmarks the whole thread.
  • a archives the selected messages (the marked ones, or the highlighted one if nothing is marked). This just hides those specific messages using a notmuch tag.
  • m mutes the selected messages, this applies the notmuch-propagate-mute magic.

Press Enter on a message to open it in the "message viewer". Note that this opens a new "tab" within Aerc.

  • ctrl-p/ctrl-n changes between tabs.

In the message viewer:

  • The main view is a pager, running in Aerc's internal terminal emulator. The headers are at the top; I'm not sure how to navigate into those.
  • J/K flips between messages
  • rq is reply-all.
  • H toggles view of the headers in the pager. This is useful because I don't know how to navigate the header view at the top.

When you start composing a message you are in the "compose" view. You're in an $EDITOR inside Aerc's terminal emulator. So most of your keypresses go to the editor, but:

  • ctrl-PageUp/PageDown switches to other Aerc tabs
  • ctrl-j/k switches focus to the headers at the top of the window. The editor is like another field, you can scroll down to it to get back to editing.
  • ctrl-x gives you an Aerc command prompt; this is written in the bindings config as $ex. I don't understand this.
