From 1338fb1b68e2986a5c30ad609cf01f3b9a86d492 Mon Sep 17 00:00:00 2001 From: DannyDannyDanny Date: Sun, 1 Mar 2026 12:44:28 +0100 Subject: [PATCH] Rename nixos-server to sunken-ship - Rename hosts/nixos-server.nix -> sunken-ship.nix, nixos-server-hardware.nix -> sunken-ship-hardware.nix - Flake: nixos-server -> sunken-ship, update module path - Set networking.hostName = sunken-ship in server configs - Update AGENTS.md, nixos/readme.md, docs/ssh-and-secrets.md, TODO.md Made-with: Cursor --- AGENTS.md | 2 +- TODO.md | 12 +++--------- docs/ssh-and-secrets.md | 2 +- nixos/flake.nix | 4 ++-- ...-server-hardware.nix => sunken-ship-hardware.nix} | 2 +- nixos/hosts/{nixos-server.nix => sunken-ship.nix} | 10 +++++----- nixos/readme.md | 6 +++--- nixos/server-configuration-with-flakes.nix | 2 +- nixos/server-install-configuration.nix | 4 ++-- 9 files changed, 19 insertions(+), 25 deletions(-) rename nixos/hosts/{nixos-server-hardware.nix => sunken-ship-hardware.nix} (95%) rename nixos/hosts/{nixos-server.nix => sunken-ship.nix} (90%) diff --git a/AGENTS.md b/AGENTS.md index b850222..7b8c274 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -31,7 +31,7 @@ We use **one key per purpose**, not one per machine: separate keys for server ac - Root password: console only; set danny’s password as root once for sudo. - SSH keys: use actual key names on the machine (e.g. `id_ed25519_github`), not assumed `id_ed25519`. -## Server (nixos-server) +## Server (sunken-ship) - **Commit and push** before testing on the server; it clones/pulls from origin. - Bootstrap: server has no git until first rebuild. Use `nix run --extra-experimental-features "nix-command flakes" nixpkgs#git` to clone. Enable flakes in the daemon via `server-configuration-with-flakes.nix`: scp to server `/tmp/configuration.nix`, on server `sudo cp` to `/etc/nixos/configuration.nix`, then `sudo nixos-rebuild switch`. Then build flake and run `switch-to-configuration switch` (see nixos/readme.md). 
diff --git a/TODO.md b/TODO.md index 085a9e2..71f0689 100644 --- a/TODO.md +++ b/TODO.md 
@@ -2,22 +2,16 @@ 1. **Secrets** — Approach A (see [docs/ssh-and-secrets.md](docs/ssh-and-secrets.md)): public repo only, one key per purpose (AGENTS.md), server keys via scp. Optional later: private repo + sops-nix. - **GitHub:** Use `id_ed25519_github`; in `~/.ssh/config`: `Host github.com` with `IdentityFile ~/.ssh/id_ed25519_github` and `IdentitiesOnly yes`. Remove `id_rsa_github` from GitHub and locally once confirmed unused. - - **nixos-server:** Switch to key auth if still on password: on server `mkdir -p ~/.ssh; chmod 700 ~/.ssh`; from Mac `scp ~/.ssh/id_ed25519_github.pub danny@SERVER:/tmp/`; on server `cat /tmp/id_ed25519_github.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`. Optional: create `id_ed25519_servers` and use only for servers (add Host in config). + - **sunken-ship:** Switch to key auth if still on password: on server `mkdir -p ~/.ssh; chmod 700 ~/.ssh`; from Mac `scp ~/.ssh/id_ed25519_github.pub danny@SERVER:/tmp/`; on server `cat /tmp/id_ed25519_github.pub >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys`. Optional: create `id_ed25519_servers` and use only for servers (add Host in config). - **Forgejo:** When needed: create `id_ed25519_forgejo`, add to forge, add Host in `~/.ssh/config`. 2. **Server** - Only I use the machine. Access: SSH keys only (no password auth). - - Continue configuring (add services in `hosts/nixos-server.nix` as needed). + - Continue configuring (add services in `hosts/sunken-ship.nix` as needed). - SSH: key-only auth; disable password auth. Optionally restrict SSH to LAN. - Passwordless sudo for wheel. -3. Rename nixos-server to - - Shortlist hostnames; then do flake + hostname + docs in one pass. 
- - **Monte Cristo–themed candidates (two-word, non-human):** - - Ships / sea: sunken-ship, phantom-ship, rusty-anchor, salty-wind, stormy-wave, calm-harbor, distant-shore, foreign-port, wooden-hull, anchor-chain - - Prison / stone: prison-rock, cold-stone, iron-chain, damp-cell, guard-tower, midnight-bell, stony-corridor, broken-chain - - Secrets / treasure: buried-treasure, secret-cave, forgotten-tunnel, hidden-key, rusty-sword, faded-parchment, ancient-map, broken-seal, buried-chest - - Atmosphere: strange-companion, masked-ball, poison-vial +3. ~~Rename nixos-server to sunken-ship~~ Done. 4. Give wifi access instead of ethernet. diff --git a/docs/ssh-and-secrets.md b/docs/ssh-and-secrets.md index 3029fe5..558ff59 100644 --- a/docs/ssh-and-secrets.md +++ b/docs/ssh-and-secrets.md @@ -6,7 +6,7 @@ Strategy for SSH key management and secrets with a public NixOS/dotfiles repo an - **Repo:** Public only. No keys or tokens in the repo ([AGENTS.md](../AGENTS.md)). - **SSH keys:** One key per purpose (e.g. `id_ed25519_github`, `id_ed25519_servers`, `id_ed25519_forgejo`). Configure `~/.ssh/config` with `IdentityFile` and `IdentitiesOnly yes` per host. Keys live outside the repo. -- **Server authorized_keys:** Not managed by Nix. Push public keys via `scp` and append to `~/.ssh/authorized_keys` on each server. See [server-quickstart.md](../server-quickstart.md) and comments in [nixos/hosts/nixos-server.nix](../nixos/hosts/nixos-server.nix). +- **Server authorized_keys:** Not managed by Nix. Push public keys via `scp` and append to `~/.ssh/authorized_keys` on each server. See [server-quickstart.md](../server-quickstart.md) and comments in [nixos/hosts/sunken-ship.nix](../nixos/hosts/sunken-ship.nix). Benefits: no private repo, simple, works with public dotfiles. Trade-off: one-time (or scripted) scp step per server; authorized_keys are not declarative in Nix. diff --git a/nixos/flake.nix b/nixos/flake.nix index de35519..52ffb77 100644 --- a/nixos/flake.nix 
+++ b/nixos/flake.nix @@ -57,9 +57,9 @@ ]; }; - nixos-server = nixpkgs.lib.nixosSystem { + sunken-ship = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ ./hosts/nixos-server.nix ]; + modules = [ ./hosts/sunken-ship.nix ]; }; }; diff --git a/nixos/hosts/nixos-server-hardware.nix b/nixos/hosts/sunken-ship-hardware.nix similarity index 95% rename from nixos/hosts/nixos-server-hardware.nix rename to nixos/hosts/sunken-ship-hardware.nix index 19d208f..73d0204 100644 --- a/nixos/hosts/nixos-server-hardware.nix +++ b/nixos/hosts/sunken-ship-hardware.nix @@ -1,4 +1,4 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ +# Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { config, lib, pkgs, modulesPath, ... }: diff --git a/nixos/hosts/nixos-server.nix b/nixos/hosts/sunken-ship.nix similarity index 90% rename from nixos/hosts/nixos-server.nix rename to nixos/hosts/sunken-ship.nix index 160b122..3f83aa0 100644 --- a/nixos/hosts/nixos-server.nix +++ b/nixos/hosts/sunken-ship.nix 
@@ -2,19 +2,19 @@ # # One-time on server: clone repo to /etc/dotfiles (root needs git access). # If private repo: use SSH (ssh:// or git@) and add root's key to GitHub, or use HTTPS + token. -# Then: sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#nixos-server +# Then: sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship # If sudo git is not found: sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main # Timer runs every 15 min: git fetch, pull if origin/main changed, rebuild. { config, lib, pkgs, ... }: let dotfilesDir = "/etc/dotfiles"; - flakeRef = "${dotfilesDir}/nixos#nixos-server"; + flakeRef = "${dotfilesDir}/nixos#sunken-ship"; in { - imports = [ ./nixos-server-hardware.nix ]; + imports = [ ./sunken-ship-hardware.nix ]; - networking.hostName = "nixos-server"; + networking.hostName = "sunken-ship"; time.timeZone = "Europe/Copenhagen"; boot.kernelParams = [ "consoleblank=60" ]; # blank TTY after 60s to reduce burn-in @@ -41,7 +41,7 @@ in users.users.danny = { isNormalUser = true; extraGroups = [ "wheel" "video" ]; # video: backlight control via light(1) - # SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp’d keys persist. + # SSH keys: push via scp, don't commit. NixOS does not manage authorized_keys so scp'd keys persist. # Example: scp ~/.ssh/id_*_github.pub danny@server:/tmp/ then on server: mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys }; diff --git a/nixos/readme.md b/nixos/readme.md index 3d325cf..e264a5f 100644 --- a/nixos/readme.md +++ b/nixos/readme.md 
@@ -8,20 +8,20 @@ sudo nixos-rebuild switch --flake ~/dotfiles/nixos#macbookair # macOS: cd ~/dotfiles/nixos && darwin-rebuild switch --flake . ``` -## Server (nixos-server) +## Server (sunken-ship) One-time bootstrap (no git until first rebuild): ```bash nix run --extra-experimental-features "nix-command flakes" nixpkgs#git -- clone https://github.com/DannyDannyDanny/dotfiles.git /tmp/dotfiles sudo mv /tmp/dotfiles /etc/dotfiles -sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#nixos-server --option accept-flake-config true +sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship --option accept-flake-config true ``` If the daemon doesn’t have flakes: copy [server-configuration-with-flakes.nix](server-configuration-with-flakes.nix) to `/etc/nixos/configuration.nix`, run `sudo nixos-rebuild switch`, then build and switch to the flake (see [server-quickstart.md](../server-quickstart.md) for SSH keys). SSH keys (not in repo): `scp ~/.ssh/*.pub danny@server:/tmp/`, then on server `mkdir -p ~/.ssh; cat /tmp/*.pub >> ~/.ssh/authorized_keys`. See [docs/ssh-and-secrets.md](../docs/ssh-and-secrets.md). -Timer: every 15 min the server pulls and rebuilds when `main` changes. Config: `hosts/nixos-server.nix`, `hosts/nixos-server-hardware.nix`. +Timer: every 15 min the server pulls and rebuilds when `main` changes. Config: `hosts/sunken-ship.nix`, `hosts/sunken-ship-hardware.nix`. No git in PATH: `sudo nix run nixpkgs#git -- -C /etc/dotfiles pull origin main`. diff --git a/nixos/server-configuration-with-flakes.nix b/nixos/server-configuration-with-flakes.nix index 9d40e6a..c6fe203 100644 --- a/nixos/server-configuration-with-flakes.nix +++ b/nixos/server-configuration-with-flakes.nix @@ -7,7 +7,7 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "nixos-server"; + networking.hostName = "sunken-ship"; time.timeZone = "Europe/Copenhagen"; nix.settings.experimental-features = [ "nix-command" "flakes" ]; 
diff --git a/nixos/server-install-configuration.nix b/nixos/server-install-configuration.nix index 9357716..dfebe82 100644 --- a/nixos/server-install-configuration.nix +++ b/nixos/server-install-configuration.nix @@ -7,13 +7,13 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "nixos-server"; + networking.hostName = "sunken-ship"; time.timeZone = "Europe/Copenhagen"; users.users.danny = { isNormalUser = true; extraGroups = [ "wheel" ]; - # After install, add keys via scp (see server-quickstart or nixos-server.nix comment). + # After install, add keys via scp (see server-quickstart or sunken-ship.nix comment). }; services.openssh.enable = true;
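Review bot: In the nixos/flake.nix hunk the `nixos-server` output is dropped outright, which strands the generation currently running on the host: it was built from a config whose `flakeRef = "${dotfilesDir}/nixos#nixos-server"` and whose timer (per the sunken-ship.nix header, "every 15 min: git fetch, pull if origin/main changed, rebuild") will pull this commit and then fail because `#nixos-server` no longer resolves. Either plan a manual `sudo nixos-rebuild switch --flake /etc/dotfiles/nixos#sunken-ship` on the host immediately after pushing, or keep a transitional alias beside the new output, e.g. `nixos-server = self.nixosConfigurations.sunken-ship;` (assuming the outputs function binds `self`, which this hunk does not show), and remove it once the new generation is active.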
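Review bot: The only content change in the nixos/hosts/sunken-ship-hardware.nix hunk is replacing the typographic quotes in ‘nixos-generate-config’ with ASCII ones, in a header that itself says "Do not modify this file! It was generated by ‘nixos-generate-config’ and may be overwritten". That quote style is what the generator writes, so the edit is unrelated churn that the next `nixos-generate-config` run will revert, and it turns a clean rename (95% similarity) into a content diff; leave the generated header byte-for-byte and keep this hunk a pure rename.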
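Review bot: In the nixos/readme.md hunk the unchanged context line `scp ~/.ssh/*.pub danny@server:/tmp/` followed by `cat /tmp/*.pub >> ~/.ssh/authorized_keys` installs every public key on the Mac, which contradicts the one-key-per-purpose policy restated in the docs/ssh-and-secrets.md hunk and the TODO.md item to retire `id_rsa_github`; it also omits the `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys` steps that the TODO.md sunken-ship bullet spells out. Since this commit already touches the line for the rename, align it with the TODO sequence: copy the single key meant for servers (`id_ed25519_servers` per the TODO, or `id_ed25519_github.pub` until that exists) and include the chmod steps, so the readme and TODO do not give two different procedures.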
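Review bot: In the nixos/server-install-configuration.nix hunk, `services.openssh.enable = true;` is visible but no password-authentication setting is, and TODO.md in this same patch lists "SSH: key-only auth; disable password auth" as still open. Because this file is the initial install config and keys are only appended to `~/.ssh/authorized_keys` afterwards (per the updated comment), the host is reachable over SSH with a password until the first flake rebuild; confirm the rest of the file sets `services.openssh.settings.PasswordAuthentication = false;` (and `KbdInteractiveAuthentication = false;`), or note in the comment that password auth is intentionally left on for the bootstrap window.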