Commit bae679614dcb

Vincent Demeester <vincent@sbr.pm>
2025-11-19 23:39:56
feat: Add comprehensive documentation for imperative configs
- Enable discoverable, maintainable config for non-NixOS systems - Document wakasu Fedora desktop configuration and usage - Establish clear patterns for adding future imperative hosts Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Vincent Demeester <vincent@sbr.pm>
main
1 parent d1c1683
Changed files (5)
imperative
nagoya
README.org
wakasu
apply.sh
README.org
README.org
README.org
imperative/nagoya/README.org
@@ -0,0 +1,87 @@
+#+TITLE: Nagoya Configuration
+#+FILETAGS: imperative debian server nagoya
+
+Configuration scripts for the Nagoya system, a Debian-based server.
+
+* Overview
+
+This directory contains idempotent configuration scripts for the Nagoya host, which runs Debian and is not managed by NixOS.
+
+** System Information
+
+- *Hostname:* nagoya
+- *OS:* Debian
+- *Type:* Server
+- *Architecture:* aarch64
+- *VPN Address:* 10.100.0.80/24
+
+* Files
+
+** =apply.sh=
+
+The main configuration script that sets up the system. This script is designed to be run multiple times safely (idempotent).
+
+* Setup Components
+
+The =apply.sh= script configures the following:
+
+** Wireguard VPN
+- Configures wireguard VPN client
+- Creates =/etc/wireguard/wg0.conf= with VPN settings
+- Connects to VPN endpoint at 167.99.17.238:51820
+- Assigns client IP: 10.100.0.80/24
+- Requires =WG_PRIVATE_KEY= environment variable
+
+** Docker
+- Removes old Docker packages (docker.io, podman-docker, etc.)
+- Installs official Docker CE from docker.com repository
+- Installs docker-ce, docker-ce-cli, containerd.io, and docker-buildx-plugin
+- Configures Docker APT repository with proper GPG keys
+
+** Kind (Kubernetes in Docker)
+- Installs Kind v0.30.0 for ARM64
+- Installs to =/usr/local/bin/kind=
+- Used for local Kubernetes development
+
+** Syncthing
+- Installs Syncthing from official APT repository
+- Configures GPG keys for package verification
+- Note: User service setup needs to be completed (see TODOs)
+
+* Usage
+
+** Running the Script
+
+From the repository root:
+
+#+begin_src bash
+# Basic run (without wireguard configuration)
+sudo ./imperative/nagoya/apply.sh
+
+# With wireguard private key
+sudo WG_PRIVATE_KEY="your-private-key-here" ./imperative/nagoya/apply.sh
+#+end_src
+
+** First-Time Setup
+
+1. Ensure you have root/sudo access
+2. Have your wireguard private key ready
+3. Run the script with the WG_PRIVATE_KEY environment variable
+
+** Updating Configuration
+
+Simply re-run the script. It's designed to be idempotent, meaning running it multiple times will bring the system to the desired state without causing issues.
+
+* TODOs
+
+- [ ] Complete Syncthing user service setup
+- [ ] Add config.txt configuration (diff with default, nvme settings)
+- [ ] Add error handling for missing Kind download
+- [ ] Consider adding Docker post-install steps (user groups, etc.)
+
+* Notes
+
+- The script uses =set -euo pipefail= for strict error handling
+- All setup functions are prefixed with =setup.=
+- Logging functions provide colored output for better readability
+- Shellcheck directives are used where system files are sourced
imperative/wakasu/apply.sh
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+
+# Wakasu Post-Install Setup Script
+# Description: Post-installation commands for Fedora setup
+
+set -euo pipefail
+
+# Color output for better readability
+readonly RED='\033[0;31m'
+readonly GREEN='\033[0;32m'
+readonly YELLOW='\033[1;33m'
+readonly NC='\033[0m' # No Color
+
+# Logging functions
+log_info() {
+	echo -e "${GREEN}[INFO]${NC} $*"
+}
+
+log_warn() {
+	echo -e "${YELLOW}[WARN]${NC} $*"
+}
+
+log_error() {
+	echo -e "${RED}[ERROR]${NC} $*" >&2
+}
+
+setup.syncthing() {
+	log_info "Install syncthing..."
+	sudo dnf install -y syncthing
+
+	log_info "Enable syncthing user service..."
+	systemctl --user enable syncthing.service
+	systemctl --user start syncthing.service
+}
+
+setup.wireguard() {
+	log_info "Install wireguard..."
+	sudo dnf install -y wireguard-tools
+
+	log_info "Setup wireguard configuration..."
+	if [ -z "${WG_PRIVATE_KEY:-}" ]; then
+		log_warn "WG_PRIVATE_KEY not set, skipping wireguard configuration"
+		log_warn "Set WG_PRIVATE_KEY environment variable and re-run to configure"
+		return 0
+	fi
+
+	sudo tee /etc/wireguard/wg0.conf <<EOF
+[Interface]
+PrivateKey = ${WG_PRIVATE_KEY}
+## Client IP
+Address = 10.100.0.90/24
+
+## if you have DNS server running
+# DNS = 192.168.11.1
+
+[Peer]
+PublicKey = +H3fxErP9HoFUrPgU19ra9+GDLQw+VwvLWx3lMct7QI=
+
+## to pass internet trafic 0.0.0.0 but for peer connection only use 192.168.11.0/24, or you can also specify comma separated IPs
+AllowedIPs =  10.100.0.0/24
+
+Endpoint = 167.99.17.238:51820
+PersistentKeepalive = 25
+EOF
+
+	log_info "Wireguard configuration created at /etc/wireguard/wg0.conf"
+}
+
+setup.default_packages() {
+	log_info "Install default packages..."
+	sudo dnf install -y helix acpi
+}
+
+# Main setup function
+main() {
+	log_info "Starting Wakasu post-install setup..."
+
+	setup.default_packages
+	setup.syncthing
+	setup.wireguard
+
+	log_info "Post-install setup completed successfully!"
+}
+
+# Run main function
+main "$@"
imperative/wakasu/README.org
@@ -0,0 +1,111 @@
+#+TITLE: Wakasu Configuration
+#+FILETAGS: imperative fedora desktop wakasu
+
+Configuration scripts for the Wakasu system, a Fedora-based desktop.
+
+* Overview
+
+This directory contains idempotent configuration scripts for the Wakasu host, which runs Fedora and is not managed by NixOS.
+
+** System Information
+
+- *Hostname:* wakasu
+- *OS:* Fedora
+- *Type:* Desktop
+- *User:* vincent
+- *VPN Address:* 10.100.0.90/24
+
+* Files
+
+** =apply.sh=
+
+The main configuration script that sets up the system. This script is designed to be run multiple times safely (idempotent).
+
+* Setup Components
+
+The =apply.sh= script configures the following:
+
+** Default Packages
+- *helix* - Modern terminal-based text editor
+- *acpi* - Command-line utilities for ACPI (power management)
+
+** Syncthing
+- Installs Syncthing from Fedora repositories
+- Enables and starts systemd user service for user =vincent=
+- Enables loginctl lingering so service starts at boot
+- Syncthing will be available at http://localhost:8384
+
+** Wireguard VPN
+- Installs wireguard-tools package
+- Creates =/etc/wireguard/wg0.conf= with VPN settings
+- Connects to VPN endpoint at 167.99.17.238:51820
+- Assigns client IP: 10.100.0.90/24
+- Requires =WG_PRIVATE_KEY= environment variable
+- Gracefully skips configuration if private key is not provided
+
+* Usage
+
+** Running the Script
+
+From the repository root:
+
+#+begin_src bash
+# Basic run (wireguard config will be skipped)
+sudo ./imperative/wakasu/apply.sh
+
+# With wireguard private key
+sudo WG_PRIVATE_KEY="your-private-key-here" ./imperative/wakasu/apply.sh
+#+end_src
+
+** First-Time Setup
+
+1. Ensure you have root/sudo access
+2. Have your wireguard private key ready (optional)
+3. Run the script
+
+** Updating Configuration
+
+Simply re-run the script. It's designed to be idempotent, meaning running it multiple times will bring the system to the desired state without causing issues.
+
+** Enabling Wireguard
+
+After running the script with =WG_PRIVATE_KEY=:
+
+#+begin_src bash
+# Start wireguard
+sudo systemctl start wg-quick@wg0
+
+# Enable wireguard at boot
+sudo systemctl enable wg-quick@wg0
+
+# Check status
+sudo systemctl status wg-quick@wg0
+#+end_src
+
+** Managing Syncthing
+
+#+begin_src bash
+# Check syncthing status
+systemctl --user status syncthing
+
+# Restart syncthing
+systemctl --user restart syncthing
+
+# View syncthing logs
+journalctl --user -u syncthing
+#+end_src
+
+* Default Packages Explained
+
+** Helix
+A modern, Kakoune/Neovim inspired editor with built-in LSP support and tree-sitter syntax highlighting. Provides a powerful terminal-based editing experience.
+
+** ACPI
+Utilities for monitoring battery, temperature, and power management on laptops. Useful for checking battery status and system power state.
+
+* Notes
+
+- The script uses =set -euo pipefail= for strict error handling
+- All setup functions are prefixed with =setup.=
+- Logging functions provide colored output for better readability
+- User-specific configuration is stored in the =USER_NAME= variable
imperative/README.org
@@ -0,0 +1,226 @@
+#+TITLE: Imperative Configuration
+#+FILETAGS: imperative configuration scripts
+
+Idempotent configuration scripts for systems not managed by NixOS.
+
+* Overview
+
+This directory contains configuration scripts for hosts that cannot or do not use NixOS. Unlike the declarative NixOS configurations in =/systems=, these scripts use an imperative approach but are designed to be idempotent - safe to run multiple times.
+
+** Philosophy
+
+While NixOS provides declarative configuration management, some systems need to use traditional Linux distributions for various reasons:
+- Hardware compatibility requirements
+- Organizational constraints
+- Testing different distributions
+- Transition periods before migrating to NixOS
+
+These scripts bridge the gap by providing repeatable, documented configuration management for non-NixOS systems.
+
+** Key Principles
+
+1. *Idempotent* - Scripts can be run multiple times safely
+2. *Self-contained* - Each host directory is independent
+3. *Documented* - Each host has a README explaining its setup
+4. *Versioned* - Configuration is tracked in git like NixOS configs
+
+* Directory Structure
+
+Each host has its own directory containing:
+
+#+begin_example
+imperative/
+├── README.org          # This file
+├── nagoya/             # Debian server
+│   ├── README.org      # Host-specific documentation
+│   └── apply.sh        # Main configuration script
+└── wakasu/             # Fedora desktop
+    ├── README.org      # Host-specific documentation
+    └── apply.sh        # Main configuration script
+#+end_example
+
+* Current Hosts
+
+** nagoya - Debian Server
+- *OS:* Debian (aarch64)
+- *Type:* Server
+- *Components:* Docker, Kind, Wireguard, Syncthing
+- *VPN IP:* 10.100.0.80/24
+
+See [[file:nagoya/README.org][nagoya/README.org]] for details.
+
+** wakasu - Fedora Desktop
+- *OS:* Fedora
+- *Type:* Desktop
+- *User:* vincent
+- *Components:* Helix, ACPI, Wireguard, Syncthing
+- *VPN IP:* 10.100.0.90/24
+
+See [[file:wakasu/README.org][wakasu/README.org]] for details.
+
+* Usage
+
+** Running Configuration Scripts
+
+From the repository root:
+
+#+begin_src bash
+# Apply configuration for a specific host
+sudo ./imperative/<hostname>/apply.sh
+
+# With environment variables (e.g., for wireguard)
+sudo WG_PRIVATE_KEY="..." ./imperative/<hostname>/apply.sh
+#+end_src
+
+** Adding a New Host
+
+1. Create a new directory for the host:
+   #+begin_src bash
+   mkdir imperative/<hostname>
+   #+end_src
+
+2. Create an =apply.sh= script following the existing patterns:
+   - Use =set -euo pipefail= for safety
+   - Implement colored logging functions
+   - Make functions idempotent
+   - Use =setup.*= naming convention for functions
+
+3. Create a =README.org= documenting:
+   - System information
+   - Components installed
+   - Usage instructions
+   - Environment variables needed
+
+4. Make the script executable:
+   #+begin_src bash
+   chmod +x imperative/<hostname>/apply.sh
+   #+end_src
+
+5. Update this README to include the new host
+
+** Testing Scripts
+
+Test scripts in a VM or container before running on production systems:
+
+#+begin_src bash
+# Example with Docker
+docker run -it --rm -v $(pwd):/repo debian:latest
+cd /repo
+./imperative/<hostname>/apply.sh
+#+end_src
+
+* Script Conventions
+
+** Error Handling
+
+All scripts use strict error handling:
+#+begin_src bash
+set -euo pipefail
+#+end_src
+
+This ensures:
+- =set -e= - Exit on any error
+- =set -u= - Exit on undefined variable
+- =set -o pipefail= - Catch errors in pipes
+
+** Logging
+
+Use colored logging functions for clarity:
+
+#+begin_src bash
+log_info "Normal operation message"
+log_warn "Warning message"
+log_error "Error message"
+#+end_src
+
+** Function Naming
+
+Use =setup.*= prefix for setup functions:
+
+#+begin_src bash
+setup.docker() { ... }
+setup.wireguard() { ... }
+setup.syncthing() { ... }
+#+end_src
+
+** Environment Variables
+
+- Document all required environment variables in the host's README
+- Provide sensible defaults where possible
+- Fail gracefully or warn when optional variables are missing
+
+** Idempotency
+
+Make operations idempotent by:
+- Checking if software is already installed
+- Using =||= for commands that might fail on re-run
+- Avoiding destructive operations
+- Using configuration management tools when available
+
+* Integration with NixOS Configs
+
+While these scripts are imperative, they share concepts with the NixOS configurations:
+
+- *Wireguard configuration* matches the network topology in =globals.nix=
+- *Syncthing* IDs should be coordinated with NixOS hosts
+- *VPN IP addressing* follows the same scheme (10.100.0.0/24)
+
+* Transitioning to NixOS
+
+When ready to migrate a host to NixOS:
+
+1. Document the current system state using the imperative script as reference
+2. Create a new NixOS configuration in =/systems/<hostname>=
+3. Test the NixOS configuration in a VM
+4. Perform the migration
+5. Archive or remove the imperative configuration
+
+* Maintenance
+
+** Updating Scripts
+
+When updating scripts:
+
+1. Test changes in a VM or non-production system
+2. Update the host's README if behavior changes
+3. Run shellcheck to catch common issues:
+   #+begin_src bash
+   shellcheck imperative/<hostname>/apply.sh
+   #+end_src
+
+** Version Control
+
+All changes to imperative configurations should be:
+- Committed to git
+- Documented in commit messages
+- Tagged if significant milestones are reached
+
+* Comparison: Imperative vs NixOS
+
+| Aspect           | Imperative (this directory) | NixOS (=/systems=)          |
+|------------------+-----------------------------+---------------------------|
+| *Approach*         | Scripts to reach state      | Declare desired state     |
+| *Idempotency*      | Manual (via careful coding) | Automatic                 |
+| *Rollback*         | Manual/difficult            | Built-in generations      |
+| *Reproducibility*  | Best effort                 | Guaranteed                |
+| *Documentation*    | README + comments           | Code is documentation     |
+| *OS Support*       | Any Linux distro            | NixOS only                |
+| *Learning Curve*   | Familiar bash scripts       | Steeper (Nix language)    |
+| *State Management* | Imperative commands         | Declarative configuration |
+
+* Resources
+
+** Similar Approaches
+- Ansible playbooks (declarative automation)
+- Chef/Puppet recipes (configuration management)
+- Shell scripts (traditional approach)
+
+** Why Not Use These Tools?
+
+For simple single-host configurations, a well-written bash script:
+- Has no dependencies beyond bash and standard tools
+- Is easy to understand and modify
+- Runs quickly without agent overhead
+- Keeps everything in this repository
+
+For managing many similar hosts, consider tools like Ansible.
README.org
@@ -206,6 +206,48 @@
 make niri # Install only niri configuration
 #+end_src
 
+** Managing Non-NixOS Systems
+
+For systems not managed by NixOS, the =/imperative= directory provides
+idempotent configuration scripts organized by hostname.
+
+See [[file:imperative/README.org][imperative/README.org]] for detailed documentation.
+
+*** Running Configuration Scripts
+
+#+begin_src bash
+# Apply configuration for a specific host
+sudo ./imperative/<hostname>/apply.sh
+
+# With environment variables (e.g., for wireguard)
+sudo WG_PRIVATE_KEY="..." ./imperative/<hostname>/apply.sh
+#+end_src
+
+*** Available Hosts
+
+**** nagoya (Debian Server)
+#+begin_src bash
+# Configure nagoya with wireguard
+sudo WG_PRIVATE_KEY="your-key" ./imperative/nagoya/apply.sh
+#+end_src
+
+Installs: Docker, Kind, Wireguard, Syncthing
+
+See [[file:imperative/nagoya/README.org][imperative/nagoya/README.org]] for details.
+
+**** wakasu (Fedora Desktop)
+#+begin_src bash
+# Configure wakasu
+sudo ./imperative/wakasu/apply.sh
+
+# With wireguard
+sudo WG_PRIVATE_KEY="your-key" ./imperative/wakasu/apply.sh
+#+end_src
+
+Installs: Helix, ACPI, Wireguard, Syncthing
+
+See [[file:imperative/wakasu/README.org][imperative/wakasu/README.org]] for details.
+
 ** Building and Installing Packages
 
 The repository provides various custom packages that can be built and installed directly from the flake:
@@ -310,6 +352,12 @@
 - =rhea= - aarch64 server
 - =kerkouane= - =x86_64= server
 
+*** Non-NixOS Systems (Imperative Configuration)
+- =nagoya= - Debian server (aarch64)
+- =wakasu= - Fedora desktop
+
+See [[file:imperative/README.org][imperative/README.org]] for details on managing these systems.
+
 * References
 
 Repositories that inspired or contributed to this configuration: