this repo is declarative infrastructure for genseng's hosts.

roles (the jobs that hosts perform) are defined in modules/roles/:

- hub.nix — wg, grafana, prometheus, loki
- tor-exit.nix — tor exit relay
- tor-relay.nix — tor middle relay
- xmr-public.nix — monero public node
- i2p-node.nix — i2pd router
- workstation.nix — roaming wireguard peer for local dev

each host imports a role to assume it, overlaying its own config where necessary.
genseng's hosts:
- agenskalns (hub) — 10.0.0.1
- bazarov (tor-exit) — 10.0.0.2
- mangosteen (tor-relay) — 10.0.0.3
- nowimjkrolling (xmr-public) — 10.0.0.4
- impi (i2p-node) — 10.0.0.5
- gyomei (tor-exit) — 10.0.0.6
- cubby (workstation) — 10.0.0.254
using colmena:

```sh
nix develop
colmena apply              # deploy to all hosts
colmena apply --on bazarov # deploy to specific host
colmena build              # build without deploying
```

using nixos-rebuild:

```sh
# after wireguard is set up, deploy via wireguard ip
nixos-rebuild switch --flake .#<host> --target-host admin@10.0.0.X --sudo

# bootstrap (before wireguard, using public ip)
nixos-rebuild switch --flake .#<host>-bootstrap --target-host root@<ip>
```

admin setup:

```sh
# 1. generate admin age key
mkdir -p ~/.config/sops/age
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
age-keygen -y ~/.config/sops/age/keys.txt
# manually add this to .sops.yaml

# 2. add your ssh pubkey
cat ~/.ssh/id_ed25519.pub
# manually add this to modules/common.nix
```

new host (this setup is only tested on 64bit deb11):
```sh
# 1. generate wireguard keys
wg genkey | tee <host>-privatekey | wg pubkey > <host>-publickey
# manually add the public key to configuration.nix (the private key is a secret, see step 6)

# 2. add your SSH key to deb before infect
ssh root@<ip> "mkdir -p ~/.ssh && echo 'ssh-ed25519 AAAA....' >> ~/.ssh/authorized_keys"

# 3. run nixos-infect to install nixos
ssh root@<ip> "curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NIX_CHANNEL=nixos-25.11 bash -x"

# 4. bootstrap deploy
nixos-rebuild switch --flake .#<host>-bootstrap --target-host root@<ip>

# 5. get host age key
ssh root@<ip> "cat /etc/ssh/ssh_host_ed25519_key.pub" | ssh-to-age
# manually add this to .sops.yaml

# 6. create and encrypt secrets
sops secrets/<host>.yaml

# 7. full deploy with sops + wireguard
nixos-rebuild switch --flake .#<host> --target-host root@<ip> --sudo
```

a hub manages telemetry:

- grafana: http://<hub-ip>:3000
- prometheus: http://<wireguard-ip>:9090
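a preflight check to run on secrets/<host>.yaml before step 7 or `colmena apply`, added here as an example and not part of this repo: it refuses a file that was saved decrypted or hand-edited past sops, so a plaintext wireguard key never gets committed or deployed. it assumes the yaml layout sops writes (values as ENC[...], trailing `sops:` block with age recipients); file names, keys and values below are constructed.

```sh
# added preflight check, not part of this repo: refuse to deploy a host whose
# secrets/<host>.yaml is not actually encrypted. assumes the layout sops writes
# for yaml: every scalar becomes ENC[AES256_GCM,...] and a trailing sops: block
# lists the age recipients from .sops.yaml.
set -u

# exit 0 only when there is sops metadata, at least one age recipient, and no
# scalar above the sops: block is still plaintext.
secrets_encrypted() {
  file="$1"
  grep -q '^sops:' "$file" || { echo "$file: no sops metadata, not encrypted" >&2; return 1; }
  grep -q '^ *- *recipient: *age1' "$file" || { echo "$file: no age recipient" >&2; return 1; }
  plain=$(awk '
    /^sops:/ { exit }
    /^ *[^ #-][^:]*: *[^ ]/ && $0 !~ /: *ENC\[/ { print $1 }
  ' "$file")
  [ -z "$plain" ] || { echo "$file: plaintext values: $plain" >&2; return 1; }
  return 0
}

# constructed samples (ciphertext elided, recipient is a placeholder)
tmp=$(mktemp -d)
cat > "$tmp/good.yaml" <<'EOF'
wg_private_key: ENC[AES256_GCM,data:elided,iv:elided,tag:elided,type:str]
tor_contact: ENC[AES256_GCM,data:elided,iv:elided,tag:elided,type:str]
sops:
    age:
        - recipient: age1placeholderadminrecipient
EOF
# saved after `sops -d`, or written by hand and never run through sops
cat > "$tmp/plain.yaml" <<'EOF'
wg_private_key: placeholder-not-a-real-key
tor_contact: ops@example.org
EOF
# metadata present but one value edited in by hand, bypassing sops
cat > "$tmp/mixed.yaml" <<'EOF'
wg_private_key: ENC[AES256_GCM,data:elided,iv:elided,tag:elided,type:str]
tor_contact: ops@example.org
sops:
    age:
        - recipient: age1placeholderadminrecipient
EOF

for f in "$tmp"/*.yaml; do
  if secrets_encrypted "$f"; then echo "ok: $f"; else echo "refusing to deploy: $f"; fi
done
```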
locked out after nixos-infect:

- you broke the ssh keys. use vnc to log in as root to your vps
- check /root/.ssh/authorized_keys
- if empty, add your SSH key manually
- restart sshd: `systemctl restart sshd`
infect hangs or fails:

- try deb11
- try to get 1GB of ram, or pre-configure some swap yourself
- check nixos-infect logs: `journalctl -u nixos-infect`
- re-run with verbose output
out of memory during build:
- pre-configure some swap. but if you can figure that out, you can also spend more than 30 cents on a vps. so just get a better vps.
before running a tor exit:

- spend a few hours researching what you're getting into.
- contact vps provider before deploying anything.
- update contact info in modules/roles/tor-exit.nix. use a real email, but not one associated with your identity.
- review https://community.torproject.org/relay/setup/exit/
- find a vps provider at https://community.torproject.org/relay/community-resources/good-bad-isps/