# nixos-servers

Nix definitions to configure our servers at home.

## Acknowledgements

- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
- [disko](https://github.com/nix-community/disko): declarative disk partitioning
- [agenix](https://github.com/ryantm/agenix): deployment of encrypted secrets to NixOS machines
- [dns.nix](https://github.com/kirelagin/dns.nix): a Nix DSL for defining DNS zones
- [flake-utils](https://github.com/numtide/flake-utils): handy utilities to develop Nix flakes
- [nixos-hardware](https://github.com/NixOS/nixos-hardware): hardware-specific NixOS modules, doing the heavy lifting for our Raspberry Pi
- [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix
- [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts

## Installation

### Prerequisites

1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
2. Enable flakes and the `nix` command ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))

### Bootstrapping

We bootstrap our servers using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere). This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

1. Make sure you have a [Secret Service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) provider running (such as KeePassXC) that provides the age identity.
2. Ensure you have root SSH access to the server.
3. Run nixos-anywhere: `nix run .#bootstrap `

### Deployment

To deploy all servers at once:

`nix run nixpkgs#deploy-rs -- .# -k`

To deploy only one server:

`nix run nixpkgs#deploy-rs -- -k --targets .#`

## Deploying to Kubernetes

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate one using `nix run .#gen-k3s-cert ~/.kube`, assuming you have SSH access to the master node. This puts a private key, a signed certificate and a kubeconfig in the kubeconfig directory. If the cluster has not been initialized yet, next run `nix run .#kubenix-bootstrap.x86_64-linux`. Lastly, deploy everything to the cluster using `nix run .#kubenix.x86_64-linux`.

## Known bugs

### Rsync not available during bootstrap

The `rsync` command was removed from recent NixOS ISOs, which causes nixos-anywhere to fail when copying extra files. See [this issue](https://github.com/nix-community/nixos-anywhere/issues/260). The solution is to execute `nix-env -iA nixos.rsync` on the host.
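As an added illustration of how the Bootstrapping and Deployment sections fit together (a hypothetical example, not this repository's own flake): a minimal flake declaring one deploy-rs node whose agenix secrets are decrypted with the age identity that the bootstrap step placed on the host. The host name, its address and the identity path are assumptions.

```nix
{
  description = "Hypothetical example: one deploy-rs node with an agenix secret";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    deploy-rs.url = "github:serokell/deploy-rs";
    agenix.url = "github:ryantm/agenix";
  };

  outputs = { self, nixpkgs, deploy-rs, agenix, ... }: {
    nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        agenix.nixosModules.default
        ({ ... }: {
          # The age identity deployed during bootstrap. The path is an
          # assumption; point it at wherever your bootstrap writes the key.
          age.identityPaths = [ "/etc/age/identity.txt" ];

          # The .age file is encrypted to that identity's public key, so only
          # this host can decrypt it, and the plaintext is written to
          # /run/agenix at activation rather than into the world-readable store.
          age.secrets.example-secret = {
            file = ./secrets/example-secret.age;
            mode = "0400";
          };
        })
      ];
    };

    # Node definition consumed by `deploy-rs -- .#` / `--targets .#example-host`.
    deploy.nodes.example-host = {
      hostname = "example-host.lan";   # assumed address
      sshUser = "root";
      profiles.system = {
        user = "root";
        path = deploy-rs.lib.x86_64-linux.activate.nixos
          self.nixosConfigurations.example-host;
      };
    };

    # deploy-rs's own schema checks, so `nix flake check` rejects a bad node.
    checks = builtins.mapAttrs
      (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
  };
}
```

deploy-rs keeps the previous system profile and rolls back automatically if the new one fails to activate or confirm, which is what makes the `-k`-style unattended deploy above safe to run against several hosts at once.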