# nixos-servers

Nix definitions to configure our physical servers. Currently, only one physical server (named jefke) is implemented, but more are planned!

## Prerequisites

1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
3. Install Direnv ([link](https://direnv.net/))
4. Allow direnv for this repository: `direnv allow`

## Bootstrapping

We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

1. Make sure you have a [Secret Service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as KeePassXC) that provides the age identity.
2. Ensure you have root SSH access to the server.
3. Run nixos-anywhere: `./bootstrap.sh`

## Deployment

Deployment can simply be done as follows: `deploy`

## Creating an admin certificate for k3s

In the commands below, replace `<admin>` with the admin's user name. Kubernetes takes the user name from the certificate's subject CN, so the CN in the CSR must be the name the cluster should see.

Create the admin's private key:

```
openssl genpkey -algorithm ed25519 -out <admin>-key.pem
```

Create a CSR for the admin:

```
openssl req -new -key <admin>-key.pem -out <admin>.csr -subj "/CN=<admin>"
```

Create a Kubernetes CSR object on the cluster:

```
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <admin>-csr
spec:
  request: $(cat <admin>.csr | base64 | tr -d '\n')
  expirationSeconds: 307584000  # 10 years
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
```

Approve and sign the admin's CSR:

```
k3s kubectl certificate approve <admin>-csr
```

Extract the resulting signed certificate from the CSR object:

```
k3s kubectl get csr <admin>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <admin>.crt
```

## TODO

1. Manage the bootstrap k3s clusterrolebinding with kubenix: `k3s kubectl create clusterrolebinding pim-cluster-admin --user=pim --clusterrole=cluster-admin`.
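As an added check for the admin certificate section above (example script, not part of this repository): before handing out a certificate extracted from the CSR object, verify that it really identifies the intended admin. Kubernetes derives the user name from the subject CN and group membership from any O= entries, so the subject should be exactly `CN=<admin>` and the certificate must carry the clientAuth extended key usage. Assumes `openssl` 1.1.1 or newer is on PATH.

```shell
#!/usr/bin/env sh
# Added example, not code from the nixos-servers repository.
# verify_admin_cert <admin> <cert.pem>: returns 0 only if the certificate
# names exactly that user, allows client authentication and is not expired.
verify_admin_cert() {
    name="$1"
    crt="$2"

    # 1. The subject must be exactly CN=<name>. Any extra O= entry would
    #    put the user into additional Kubernetes groups, so reject it.
    subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    if [ "$subject" != "CN=$name" ]; then
        echo "subject is '$subject', expected 'CN=$name'" >&2
        return 1
    fi

    # 2. The extended key usage must include client authentication,
    #    otherwise the API server will not accept the certificate.
    if ! openssl x509 -in "$crt" -noout -text \
            | grep -A1 'Extended Key Usage' \
            | grep -q 'TLS Web Client Authentication'; then
        echo "certificate lacks the clientAuth extended key usage" >&2
        return 1
    fi

    # 3. The certificate must still be valid (checkend 0 == not yet expired).
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi

    echo "ok: $crt is a client certificate for user $name"
    return 0
}
```

Run it as `verify_admin_cert <admin> <admin>.crt` after the extraction step; a non-zero exit means the certificate should not be distributed.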