nixos-servers/README.md

# nixos-servers

Nix definitions to configure our servers at home.

## Acknowledgements

- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
- [disko](https://github.com/nix-community/disko): declarative disk partitioning
- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes
- [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
- [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix
- [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts
- [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix

## NixOS

### Prerequisites

1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))

### Bootstrapping

We bootstrap our servers using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
This reformats the hard disk of the server and installs a fresh NixOS.
Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️  This will wipe your server completely ⚠️

1. Make sure you can decrypt the Sops-encrypted secrets in `secrets/`. You can test this by running `sops -d secrets/serverKeys.yaml`.
2. Ensure you have root SSH access to the server.
3. Run nixos-anywhere: `nix run '.#bootstrap' <servername> <hostname>`

### Deployment

To deploy all servers at once: `nix run 'nixpkgs#deploy-rs' -- '.#' -k`
To deploy only one server: `nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'`

## Kubernetes 

### Prerequisites

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster.
You can generate this using `nix run '.#gen-k3s-cert' <username> <servername> ~/.kube`, assuming you have SSH access to the master node.
This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory

### Bootstrapping

We are now ready to deploy to the Kubernetes cluster.
Deployments are done through an experimental Kubernetes feature called [ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects).
Each applyset is responsible for a set number of resources within a namespace.

If the cluster has not been initialized yet, we must bootstrap it first.
Run these deployments:
- `nix run '.#bootstrap-default'`
- `nix run '.#bootstrap-kube-system'`

### Deployment

Now the cluster has been initialized and we can deploy applications.
To explore which applications we can deploy, run `nix flake show`.
Then, for each application, run `nix run '.#<application>'`.
Or, if you're lazy: `nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}"`.

## Known bugs

### Rsync not available during bootstrap

The `rsync` command was removed from recent NixOS ISO which causes nixos-anywhere to fail when copying extra files.
See [this](https://github.com/nix-community/nixos-anywhere/issues/260) issue.
Solution is to execute `nix-env -iA nixos.rsync` on the host.
init 2023-11-05 17:43:32 +00:00			`# nixos-servers`

update readme 2024-03-09 10:44:29 +00:00			`Nix definitions to configure our servers at home.`
init 2023-11-05 17:43:32 +00:00
Update README.md 2024-02-10 22:14:10 +00:00			`## Acknowledgements`

			`- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality`
			`- [disko](https://github.com/nix-community/disko): declarative disk partitioning`
			`- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones`
update documentation 2024-03-02 13:10:36 +00:00			`- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes`
Improve createScript function 2024-05-19 12:05:20 +00:00			`- [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi`
			`- [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix`
			`- [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts`
Replace agenix with sops-nix 2024-06-15 20:27:07 +00:00			`- [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix`
restructure documentation 2023-12-29 11:51:42 +00:00
docs: Update readme 2024-07-28 12:48:09 +00:00			`## NixOS`
restructure documentation 2023-12-29 11:51:42 +00:00
Update README.md 2024-02-10 22:14:10 +00:00			`### Prerequisites`
update README change directory naming 2023-11-05 18:03:44 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))`
			`2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))`
initial nixos-anywhere 2023-11-13 21:44:43 +00:00
Update README.md 2024-02-10 22:14:10 +00:00			`### Bootstrapping`
initial nixos-anywhere 2023-11-13 21:44:43 +00:00
cleanup 2024-04-13 13:43:01 +00:00			`We bootstrap our servers using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).`
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`This reformats the hard disk of the server and installs a fresh NixOS.`
			`Additionally, it deploys an age identity, which is later used for decrypting secrets.`
update README change directory naming 2023-11-05 18:03:44 +00:00
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`⚠️ This will wipe your server completely ⚠️`
update README change directory naming 2023-11-05 18:03:44 +00:00
docs: Update readme 2024-07-28 12:48:09 +00:00			1. Make sure you can decrypt the Sops-encrypted secrets in `secrets/`. You can test this by running `sops -d secrets/serverKeys.yaml`.
update readme update boostrap script 2023-11-15 12:24:06 +00:00			`2. Ensure you have root SSH access to the server.`
docs(readme): Update deployment instructions docs(readme): Fix commands for ZSH 2024-07-14 11:31:18 +00:00			3. Run nixos-anywhere: `nix run '.#bootstrap' <servername> <hostname>`
Update README.md 2023-11-05 18:07:32 +00:00
Update README.md 2024-02-10 22:14:10 +00:00			`### Deployment`
Update README.md 2023-11-05 18:07:32 +00:00
docs(readme): Update deployment instructions docs(readme): Fix commands for ZSH 2024-07-14 11:31:18 +00:00			To deploy all servers at once: `nix run 'nixpkgs#deploy-rs' -- '.#' -k`
			To deploy only one server: `nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'`
update readme about microvm bug 2024-02-05 21:50:57 +00:00
docs: Update readme 2024-07-28 12:48:09 +00:00			`## Kubernetes`

			`### Prerequisites`
update documentation on k8s 2024-04-13 11:35:18 +00:00
			`To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster.`
docs(readme): Update deployment instructions docs(readme): Fix commands for ZSH 2024-07-14 11:31:18 +00:00			You can generate this using `nix run '.#gen-k3s-cert' <username> <servername> ~/.kube`, assuming you have SSH access to the master node.
update documentation on k8s 2024-04-13 11:35:18 +00:00			`This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory`
update readme about microvm bug 2024-02-05 21:50:57 +00:00
docs: Update readme 2024-07-28 12:48:09 +00:00			`### Bootstrapping`

refactor(flake): Improve flake outputs for k8s scripts and manifests docs(readme): Update k8s deployment instructions 2024-07-17 16:20:49 +00:00			`We are now ready to deploy to the Kubernetes cluster.`
			`Deployments are done through an experimental Kubernetes feature called [ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects).`
			`Each applyset is responsible for a set number of resources within a namespace.`

			`If the cluster has not been initialized yet, we must bootstrap it first.`
			`Run these deployments:`
feat: Expose Radicale, Paperless and FreshRSS only on Tailscale fix: Fix flake output names 2024-07-24 19:25:51 +00:00			- `nix run '.#bootstrap-default'`
			- `nix run '.#bootstrap-kube-system'`
refactor(flake): Improve flake outputs for k8s scripts and manifests docs(readme): Update k8s deployment instructions 2024-07-17 16:20:49 +00:00
docs: Update readme 2024-07-28 12:48:09 +00:00			`### Deployment`

refactor(flake): Improve flake outputs for k8s scripts and manifests docs(readme): Update k8s deployment instructions 2024-07-17 16:20:49 +00:00			`Now the cluster has been initialized and we can deploy applications.`
			To explore which applications we can deploy, run `nix flake show`.
feat: Expose Radicale, Paperless and FreshRSS only on Tailscale fix: Fix flake output names 2024-07-24 19:25:51 +00:00			Then, for each application, run `nix run '.#<application>'`.
docs: Add more deployment instructions 2024-07-30 18:34:37 +00:00			Or, if you're lazy: `nix flake show --json \| jq -r '.packages."x86_64-linux"\|keys[]' \| grep -- -deploy \| xargs -I{} nix run ".#{}"`.
docs(readme): Update deployment instructions docs(readme): Fix commands for ZSH 2024-07-14 11:31:18 +00:00
update documentation on k8s 2024-04-13 11:35:18 +00:00			`## Known bugs`
add script to generate k3s certificate 2024-03-27 19:10:14 +00:00
			`### Rsync not available during bootstrap`

			The `rsync` command was removed from recent NixOS ISO which causes nixos-anywhere to fail when copying extra files.
			`See [this](https://github.com/nix-community/nixos-anywhere/issues/260) issue.`
			Solution is to execute `nix-env -iA nixos.rsync` on the host.