2023-11-05 17:43:32 +00:00
# nixos-servers
Nix definitions to configure our physical servers.
2023-11-15 12:24:06 +00:00
Currently, only one physical server (named jefke) is implemented but more are planned!
2023-11-05 17:43:32 +00:00
2023-11-15 12:24:06 +00:00
## Prerequisites
2023-11-05 18:03:44 +00:00
2023-11-15 12:24:06 +00:00
1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
3. Install Direnv ([link](https://direnv.net/))
4. Allow direnv for this repository: `direnv allow`
2023-11-13 21:44:43 +00:00
2023-11-15 12:24:06 +00:00
## Bootstrapping
2023-11-13 21:44:43 +00:00
2023-11-15 12:24:06 +00:00
We bootstrap our physical server using [nixos-anywhere ](https://github.com/nix-community/nixos-anywhere ).
This reformats the hard disk of the server and installs a fresh NixOS.
Additionally, it deploys an age identity, which is later used for decrypting secrets.
2023-11-05 18:03:44 +00:00
2023-11-15 12:24:06 +00:00
⚠️ This will wipe your server completely ⚠️
2023-11-05 18:03:44 +00:00
2023-11-15 12:24:06 +00:00
1. Make sure your have a [Secret service ](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html ) running (such as Keepassxc) that provides the age identity.
2. Ensure you have root SSH access to the server.
2023-11-15 12:37:13 +00:00
3. Run nixos-anywhere: `./bootstrap.sh <servername>`
2023-11-05 18:07:32 +00:00
2023-11-15 12:24:06 +00:00
## Deployment
2023-11-05 18:07:32 +00:00
2023-11-15 12:24:06 +00:00
Deployment can simply be done as follows: `deploy`
2023-12-14 20:42:58 +00:00
## Creating an admin certificate for k3s
Create the admin's private key:
```
openssl genpkey -algorithm ed25519 -out < username > -key.pem
```
Create a CSR for the admin:
```
openssl req -new -key < username > -key.pem -out < username > .csr -subj "/CN=< username > "
```
Create a Kubernetes CSR object on the cluster:
```
k3s kubectl create -f - < < EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: < username > -csr
spec:
request: $(cat < username > .csr | base64 | tr -d '\n')
expirationSeconds: 307584000 # 10 years
signerName: kubernetes.io/kube-apiserver-client
usages:
- digital signature
- key encipherment
- client auth
EOF
```
Approve and sign the admin's CSR:
```
k3s kubectl certificate approve < username > -csr
```
Extract the resulting signed certificate from the CSR object:
```
k3s kubectl get csr < username > -csr -o jsonpath='{.status.certificate}' | base64 --decode > < username > .crt
```