nixos-servers/README.md

# nixos-servers

Nix definitions to configure our physical servers.
Currently, only one physical server (named jefke) is implemented but more are planned!

## Prerequisites

1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
3. Install Direnv ([link](https://direnv.net/))
4. Allow direnv for this repository: `direnv allow`

## Bootstrapping

We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
This reformats the hard disk of the server and installs a fresh NixOS.
Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️  This will wipe your server completely ⚠️

1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
2. Ensure you have root SSH access to the server.
3. Run nixos-anywhere: `./bootstrap.sh <servername> <hostname>`

## Deployment

Deployment can simply be done as follows: `deploy`

## Creating an admin certificate for k3s

Create the admin's private key:
```
openssl genpkey -algorithm ed25519 -out <username>-key.pem
```

Create a CSR for the admin:
```
openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
```

Create a Kubernetes CSR object on the cluster:
```
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <username>-csr
spec:
  request: $(cat <username>.csr | base64 | tr -d '\n')
  expirationSeconds: 307584000 # 10 years
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - digital signature
    - key encipherment
    - client auth
EOF
```

Approve and sign the admin's CSR:
```
k3s kubectl certificate approve <username>-csr
```

Extract the resulting signed certificate from the CSR object:
```
k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
```
init 2023-11-05 17:43:32 +00:00			`# nixos-servers`

			`Nix definitions to configure our physical servers.`
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`Currently, only one physical server (named jefke) is implemented but more are planned!`
init 2023-11-05 17:43:32 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`## Prerequisites`
update README change directory naming 2023-11-05 18:03:44 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))`
			`2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))`
			`3. Install Direnv ([link](https://direnv.net/))`
			4. Allow direnv for this repository: `direnv allow`
initial nixos-anywhere 2023-11-13 21:44:43 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`## Bootstrapping`
initial nixos-anywhere 2023-11-13 21:44:43 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).`
			`This reformats the hard disk of the server and installs a fresh NixOS.`
			`Additionally, it deploys an age identity, which is later used for decrypting secrets.`
update README change directory naming 2023-11-05 18:03:44 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`⚠️ This will wipe your server completely ⚠️`
update README change directory naming 2023-11-05 18:03:44 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.`
			`2. Ensure you have root SSH access to the server.`
WIP: nixos-anywhere for virtual machines 2023-11-25 20:00:21 +00:00			3. Run nixos-anywhere: `./bootstrap.sh <servername> <hostname>`
Update README.md 2023-11-05 18:07:32 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`## Deployment`
Update README.md 2023-11-05 18:07:32 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			Deployment can simply be done as follows: `deploy`
change k3s data dir to external disk add additional SAN to k3s certificates update README with k8s certificate instructions open port for kubectl 2023-12-14 20:42:58 +00:00
			`## Creating an admin certificate for k3s`

			`Create the admin's private key:`
			```
			`openssl genpkey -algorithm ed25519 -out <username>-key.pem`
			```

			`Create a CSR for the admin:`
			```
			`openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"`
			```

			`Create a Kubernetes CSR object on the cluster:`
			```
			`k3s kubectl create -f - <<EOF`
			`apiVersion: certificates.k8s.io/v1`
			`kind: CertificateSigningRequest`
			`metadata:`
			`name: <username>-csr`
			`spec:`
			`request: $(cat <username>.csr \| base64 \| tr -d '\n')`
			`expirationSeconds: 307584000 # 10 years`
			`signerName: kubernetes.io/kube-apiserver-client`
			`usages:`
			`- digital signature`
			`- key encipherment`
			`- client auth`
			`EOF`
			```

			`Approve and sign the admin's CSR:`
			```
			`k3s kubectl certificate approve <username>-csr`
			```

			`Extract the resulting signed certificate from the CSR object:`
			```
			`k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' \| base64 --decode > <username>.crt`
			```