diff --git a/README.md b/README.md index 2f4a973..44c5f15 100755 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # NixOS Configuration Repository ## Session Start Protocol -Always begin by reading agents.md for workflow instructions and development standards. +Always begin by reading agents.md for workflow instructions. ## System Installation @@ -37,18 +37,3 @@ nixos-install --flake .# --no-root-password --impure nixos-enter --root '/mnt' passwd jsutter ``` - -## Infrastructure Roadmap - -### Planned Work - -#### Borg Backup Server -- Set up a dedicated Borg backup server for automated backups -- Configure backup schedules for critical systems -- Implement retention policies and pruning rules - -#### Secrets Management with sops-nix -- Implement sops-nix for secrets management -- Move all hardcoded secrets from server configs into sops-nix -- Set up encryption keys and key rotation policies -- Document the secrets management workflow diff --git a/agents.md b/agents.md index 2f7181f..190b507 100644 --- a/agents.md +++ b/agents.md 
@@ -23,109 +23,11 @@ 4. Check success message: `"Done. The new configuration is /nix/store/..."` ## Important -- Server configs may contain hardcoded credentials -- Always carefully inspect the NixOS wiki for instructions before adding new applications to the repo -- Do not editorialize or pass judgement. Be a robot. +- Server configs may contain hardcoded credentials - use agenix or systemd credentials for production +- **Always carefully inspect the NixOS wiki for instructions before adding new applications to the repo** +- Both warp and skip build successfully - Repository root: `/home/jsutter/src/nixos` -## Development Standards - -### curl Usage -When using curl commands, always set a timeout to 5 seconds: -curl -m 5 - -## Procedures - -### Adding a New Application to the Repository - -1. **Gather Requirements** - - Ask the user what server to deploy to - - Ask the user what domain name the app will be available on - -2. **Research and Planning** - - Build a brief plan to construct the app - - Review the NixOS wiki (https://nixos.org/nixos/manual/) to see if packages are available - - Check for existing NixOS modules or services that can be used - - Identify dependencies and configuration requirements - -3. **Implementation** - - Follow the plan constructed in step 2 - - Add the necessary configuration to the appropriate server file in `servers/` - - Include nginx reverse proxy configuration if the app needs to be accessible via HTTP/HTTPS - - Add any required firewall rules, services, or users - - Create A record at Cloudflare if needed - -4. **Local Testing** - - Test the build locally: `nixos-rebuild build --flake .#` - - Refine the configuration until the build succeeds - - Review the generated configuration for correctness - -5. 
**Remote Deployment** - - Push the repo to the remote machine: `git push origin master` - - SSH to the target server - - Pull the changes: `cd ~/src/nixos && git pull origin master` - - Build and switch to the new config: `sudo nixos-rebuild switch --flake .#` - -6. **Verification** - - Ensure the service is available on the chosen domain - - Ensure the certificate is issued by Let's Encrypt (check with: `openssl s_client -connect :443 | openssl x509 -noout -issuer`) - - Test basic functionality of the application - -7. **Troubleshooting** - - If the app isn't available on the chosen domain: - - Check service status: `systemctl status ` - - Check nginx logs: `journalctl -u nginx -f` - - Check application logs: `journalctl -u -f` - - Verify DNS resolution - - Check firewall rules - - Verify nginx configuration syntax: `nginx -t` - - If the certificate isn't issued by Let's Encrypt: - - Check ACME challenge configuration - - Verify domain ownership record - - Check Let's Encrypt logs: `journalctl -u certbot -f` - - Manually trigger certificate renewal if needed - - ### DNS Management - - #### Create DNS Record via Cloudflare API - ```bash - # Get zone ID for domain - ZONE_ID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=symbiotrip.com" \ - -H "Authorization: Bearer " \ - -H "Content-Type: application/json" | jq -r '.result[0].id') - - # Create A record - curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \ - -H "Authorization: Bearer " \ - -H "Content-Type: application/json" \ - --data '{"type":"A","name":"","content":"","ttl":1,"proxied":true}' - ``` - **Common DNS Issues:** - - Local DNS caching: Add entry to `/etc/hosts` temporarily for testing - - Use Cloudflare's proxy IPs directly if DNS propagation is slow - -8. **Process Improvement** - - After successful deployment, propose 3 new tools to add to agents.md. 
- -### Useful Commands - -```bash -# Check generated configuration before deployment -nix eval '.#nixosConfigurations..config.services..enable' - -# List systemd services from new config -ls /nix/store/-nixos-system-/etc/systemd/system/*.service - -# Test nginx configuration -ssh 'nginx -t' - -# Check ACME certificate status -ssh 'ls -la /var/lib/acme//' - -# Verify certificate issuer -openssl s_client -connect :443 | openssl x509 -noout -issuer -``` - ## Remote System Management ### Access Systems @@ -167,13 +69,6 @@ ssh 'journalctl -u -f' # Rebuild if build fails ssh 'cd ~/src/nixos && git pull && sudo nixos-rebuild switch --flake .#' - -# Test site availability via IP -ssh 'curl -k -I https://localhost:' -curl -I https:// -H "Host: " - -# Get public IP -curl -s https://api.ipify.org ``` ### Repository
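Review bot: the second README.md hunk (`@@ -37,18 +37,3 @@`) deletes the whole Infrastructure Roadmap, including "Move all hardcoded secrets from server configs into sops-nix" and the backup retention/pruning plan, without recording whether that work was finished or abandoned. The agents.md hunk in the same patch still says "Server configs may contain hardcoded credentials" and now names agenix or systemd credentials instead of sops-nix, so the secrets migration is still open and the tooling choice has changed. Keep a one-line roadmap entry (or a note in agents.md) stating the chosen tool and that the migration is pending, so that hardcoded credentials do not become the permanent state by omission.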
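Review bot: in the first agents.md hunk (`@@ -23,109 +23,11 @@`), the new bullet `+- Both warp and skip build successfully` is a point-in-time build status placed in a standing "Important" list and will silently go stale; either drop it or date it. The same hunk removes the curl timeout standard (`curl -m 5`) and the step-6 certificate issuer check (`openssl s_client -connect :443 | openssl x509 -noout -issuer`), which were the only guardrails in this file against a hung curl and a site serving the wrong or self-signed certificate; if the procedure is moving to another document, point to it from the remaining text, otherwise keep at least those two lines. The rewritten credentials bullet is an improvement, but "use agenix or systemd credentials for production" should say what happens to the credentials already hardcoded (migrate or tolerate) so a reader of only this line does not add more.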
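Review bot: the second agents.md hunk (`@@ -167,13 +69,6 @@`) removes `ssh 'curl -k -I https://localhost:'` and `curl -I https:// -H "Host: "` together. Dropping the `-k` variant is the right call, since `-k` disables certificate verification and a check that passes with it says nothing about the deployed certificate; the Host-header variant, however, had no `-k` and was the only pre-DNS way listed here to exercise a vhost, so consider keeping that one line with a timeout.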