Infrastructure as Code for our home servers
Find a file
2023-12-17 17:41:31 +01:00
cluster enable k3s cluster 2023-11-29 10:02:50 +01:00
legacy replace powerdns with BIND 2023-12-17 17:41:31 +01:00
machines update to nixos 23.11 2023-12-17 16:22:22 +01:00
modules create module for disk configuration 2023-12-16 23:47:18 +01:00
secrets manage atlas 2023-11-29 17:21:18 +01:00
.envrc add psql env variables to .envrc 2023-11-25 14:43:37 +01:00
.gitignore WIP: nixos-anywhere for virtual machines 2023-11-25 21:00:21 +01:00
bootstrap.sh WIP: nixos-anywhere for virtual machines 2023-11-25 21:00:21 +01:00
configuration.nix show configuration diffs 2023-12-16 16:02:41 +01:00
flake.lock update to nixos 23.11 2023-12-17 16:22:22 +01:00
flake.nix update to nixos 23.11 2023-12-17 16:22:22 +01:00
nftables.conf change k3s data dir to external disk 2023-12-14 21:42:58 +01:00
postgresql_server.crt working postgresql installation 2023-11-24 10:31:23 +01:00
README.md Merge branch 'kubernetes' 2023-12-16 14:07:45 +01:00

nixos-servers

Nix definitions to configure our physical servers. Currently, only one physical server (named jefke) is implemented but more are planned!

Prerequisites

  1. Install the Nix package manager or NixOS (link)
  2. Enable flake and nix commands (link)
  3. Install Direnv (link)
  4. Allow direnv for this repository: direnv allow

Bootstrapping

We bootstrap our physical server using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure your have a Secret service running (such as Keepassxc) that provides the age identity.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: ./bootstrap.sh <servername> <hostname>

Deployment

Deployment can simply be done as follows: deploy

Creating an admin certificate for k3s

Create the admin's private key:

openssl genpkey -algorithm ed25519 -out <username>-key.pem

Create a CSR for the admin:

openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"

Create a Kubernetes CSR object on the cluster:

k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <username>-csr
spec:
  request: $(cat <username>.csr | base64 | tr -d '\n')
  expirationSeconds: 307584000 # 10 years
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - digital signature
    - key encipherment
    - client auth
EOF

Approve and sign the admin's CSR:

k3s kubectl certificate approve <username>-csr

Extract the resulting signed certificate from the CSR object:

k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt