Infrastructure as Code for our home servers
nixos-servers
Nix definitions to configure our physical servers. Currently, only one physical server (named jefke) is implemented, but more are planned!
Prerequisites
- Install the Nix package manager or NixOS
- Enable flakes and the nix command
- Install Direnv
- Allow direnv for this repository:
direnv allow
Bootstrapping
We bootstrap our physical server using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.
⚠️ This will wipe your server completely ⚠️
- Make sure you have a Secret Service provider running (such as KeePassXC) that provides the age identity.
- Ensure you have root SSH access to the server.
- Run nixos-anywhere:
./bootstrap.sh <servername> <hostname>
Deployment
Deployment can simply be done as follows:
deploy
Creating an admin certificate for k3s
Create the admin's private key:
openssl genpkey -algorithm ed25519 -out <username>-key.pem
Create a CSR for the admin:
openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
Create a Kubernetes CSR object on the cluster:
k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <username>-csr
spec:
  # PEM CSR, base64-encoded on a single line
  request: $(base64 < <username>.csr | tr -d '\n')
  expirationSeconds: 307584000 # 10 years
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
Approve and sign the admin's CSR:
k3s kubectl certificate approve <username>-csr
Extract the resulting signed certificate from the CSR object:
k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
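The procedure above, wrapped into shell functions so that the CSR manifest can be generated for any user and lifetime and the issued certificate checked before it is handed out. This is an added example, not a script from the nixos-servers repository; it assumes openssl and k3s are on the PATH of the server, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the nixos-servers repo): the manual k3s
# admin-certificate steps as reusable functions with a final sanity check.
set -eu

# Generate the user's ed25519 key and a CSR whose CN is the username.
# The CN is the Kubernetes user name; no O= group is set, so this
# identity has no permissions until an RBAC binding grants them.
gen_key_and_csr() {
  user=$1
  openssl genpkey -algorithm ed25519 -out "${user}-key.pem"
  openssl req -new -key "${user}-key.pem" -out "${user}.csr" -subj "/CN=${user}"
}

# Print the CertificateSigningRequest manifest for a PEM CSR file.
# The lifetime defaults to the 10 years used in the README.
csr_manifest() {
  user=$1; csr_file=$2; expiry=${3:-307584000}
  req=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}-csr
spec:
  request: ${req}
  expirationSeconds: ${expiry}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Submit, approve and fetch the signed certificate (run on the k3s host).
issue_cert() {
  user=$1
  csr_manifest "$user" "${user}.csr" | k3s kubectl create -f -
  k3s kubectl certificate approve "${user}-csr"
  k3s kubectl get csr "${user}-csr" -o jsonpath='{.status.certificate}' \
    | base64 --decode > "${user}.crt"
}

# Before distributing the credential: confirm the subject is exactly the
# expected user and show the expiry, since client certs cannot be revoked.
check_cert() {
  user=$1
  openssl x509 -in "${user}.crt" -noout -subject | grep -q "CN *= *${user}\$"
  openssl x509 -in "${user}.crt" -noout -enddate
}
```

Usage on the server: `gen_key_and_csr alice && issue_cert alice && check_cert alice`.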