nixos-anywhere #4
2 changed files with 22 additions and 18 deletions
38
README.md
38
README.md
|
|
@ -1,23 +1,27 @@
|
||||||
# nixos-servers
|
# nixos-servers
|
||||||
|
|
||||||
Nix definitions to configure our physical servers.
|
Nix definitions to configure our physical servers.
|
||||||
Currently, only one physical server (named jefke) is implemented.
|
Currently, only one physical server (named jefke) is implemented but more are planned!
|
||||||
|
|
||||||
|
## Prerequisites
|
||||||
|
|
||||||
|
1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
|
||||||
|
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
|
||||||
|
3. Install Direnv ([link](https://direnv.net/))
|
||||||
|
4. Allow direnv for this repository: `direnv allow`
|
||||||
|
|
||||||
|
## Bootstrapping
|
||||||
|
|
||||||
|
We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
|
||||||
|
This reformats the hard disk of the server and installs a fresh NixOS.
|
||||||
|
Additionally, it deploys an age identity, which is later used for decrypting secrets.
|
||||||
|
|
||||||
|
⚠️ This will wipe your server completely ⚠️
|
||||||
|
|
||||||
|
1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
|
||||||
|
2. Ensure you have root SSH access to the server.
|
||||||
|
3. Run nixos-anywhere: `./bootstrap <servername>`
|
||||||
|
|
||||||
## Deployment
|
## Deployment
|
||||||
|
|
||||||
### NEW
|
Deployment can simply be done as follows: `deploy`
|
||||||
|
|
||||||
`nix run github:numtide/nixos-anywhere -- --flake .#hypervisor root@jefke.hyp`
|
|
||||||
|
|
||||||
### Prerequisites
|
|
||||||
|
|
||||||
Before a NixOS definition can be deployed, some prerequite preparational steps must be performed.
|
|
||||||
|
|
||||||
1. Manually install NixOS on the physical machine. This could potentially be automated in the future with [nixos-anywhere](https://github.com/nix-community/nixos-anywhere), but for now this is a manual process.
|
|
||||||
2. Enable SSH and install authorized keys.
|
|
||||||
3. Ensure Python3 is installed for Ansible.
|
|
||||||
4. Run Ansible playbook which deploys secrets `ansible-playbook deploy_secrets.yml`.
|
|
||||||
|
|
||||||
### NixOS deployment
|
|
||||||
|
|
||||||
Finally, the NixOS definition can be deployed as follows: `nix run github:serokell/deploy-rs`.
|
|
||||||
|
|
|
||||||
|
|
@ -40,4 +40,4 @@ secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
|
||||||
chmod 600 "$temp/root/age_ed25519"
|
chmod 600 "$temp/root/age_ed25519"
|
||||||
|
|
||||||
# Install NixOS to the host system with our age identity
|
# Install NixOS to the host system with our age identity
|
||||||
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"
|
nixos-anywhere --extra-files "$temp" --flake ".#${servername}" "root@${servername}.hyp"
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue