# nixos-servers

Nix definitions to configure our server. Currently, our three main machines and all virtual machines run NixOS!

## Acknowledgements

- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
- [disko](https://github.com/nix-community/disko): declarative disk partitioning
- [agenix](https://github.com/ryantm/agenix): deployment of encrypted secrets to NixOS machines
- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
- [microvm.nix](https://github.com/astro/microvm.nix): Declarative virtual machine management in NixOS

## Installation

### Prerequisites

1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
3. Install Direnv ([link](https://direnv.net/))
4. Allow direnv for this repository: `direnv allow`

### Bootstrapping

We bootstrap our physical server using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

1. Make sure you have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as KeePassXC) that provides the age identity.
2. Ensure you have root SSH access to the server.
3. Run nixos-anywhere: `./bootstrap.sh `

### Deployment

To deploy all servers at once: `deploy`

To deploy only one server: `deploy --targets .#`

## Known bugs

When deploying a new virtiofs share, the error `Failed to connect to '.sock': No such file or directory` can occur. This seems to be a bug in `microvm.nix` and I opened a bug report [here](https://github.com/astro/microvm.nix/issues/200).
A workaround is to deploy the share without `deploy-rs`'s rollback feature enabled:

```
deploy --targets .#lewis --auto-rollback false --magic-rollback false
```

Currently the flake checks fail on Raspberry Pi because it tries to compile the deploy-rs binary in aarch64 format on the controller. This can be temporarily circumvented by using `--skip-checks`.