nixos-servers/README.md

68 lines
2.1 KiB
Markdown
Raw Normal View History

2023-11-05 17:43:32 +00:00
# nixos-servers
Nix definitions to configure our physical servers.
2023-11-15 12:24:06 +00:00
Currently, only one physical server (named jefke) is implemented but more are planned!
2023-11-05 17:43:32 +00:00
2023-11-15 12:24:06 +00:00
## Prerequisites
2023-11-05 18:03:44 +00:00
2023-11-15 12:24:06 +00:00
1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
3. Install Direnv ([link](https://direnv.net/))
4. Allow direnv for this repository: `direnv allow`
2023-11-13 21:44:43 +00:00
2023-11-15 12:24:06 +00:00
## Bootstrapping
2023-11-13 21:44:43 +00:00
2023-11-15 12:24:06 +00:00
We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
This reformats the hard disk of the server and installs a fresh NixOS.
Additionally, it deploys an age identity, which is later used for decrypting secrets.
2023-11-05 18:03:44 +00:00
2023-11-15 12:24:06 +00:00
⚠️ This will wipe your server completely ⚠️
2023-11-05 18:03:44 +00:00
2023-11-15 12:24:06 +00:00
1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
2. Ensure you have root SSH access to the server.
3. Run nixos-anywhere: `./bootstrap.sh <servername> <hostname>`
2023-11-05 18:07:32 +00:00
2023-11-15 12:24:06 +00:00
## Deployment
2023-11-05 18:07:32 +00:00
2023-11-15 12:24:06 +00:00
Deployment can simply be done as follows: `deploy`
## Creating an admin certificate for k3s
Create the admin's private key:
```
openssl genpkey -algorithm ed25519 -out <username>-key.pem
```
Create a CSR for the admin:
```
openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
```
Create a Kubernetes CSR object on the cluster:
```
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: <username>-csr
spec:
request: $(cat <username>.csr | base64 | tr -d '\n')
expirationSeconds: 307584000 # 10 years
signerName: kubernetes.io/kube-apiserver-client
usages:
- digital signature
- key encipherment
- client auth
EOF
```
Approve and sign the admin's CSR:
```
k3s kubectl certificate approve <username>-csr
```
Extract the resulting signed certificate from the CSR object:
```
k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
```