Infrastructure as Code for our home servers
Find a file
Pim Kunis 36b2b48692 disable automatic updates
attempt to fix kitchenowl hosts again
2023-12-29 11:03:13 +01:00
legacy disable automatic updates 2023-12-29 11:03:13 +01:00
machines create NixOS module to periodically backup data using borgmatic 2023-12-27 19:14:49 +01:00
modules disable automatic updates 2023-12-29 11:03:13 +01:00
secrets manage lewis with nix 2023-12-25 19:22:22 +01:00
.envrc add psql env variables to .envrc 2023-11-25 14:43:37 +01:00
.gitignore WIP: nixos-anywhere for virtual machines 2023-11-25 21:00:21 +01:00
bootstrap.sh WIP: nixos-anywhere for virtual machines 2023-11-25 21:00:21 +01:00
configuration.nix remove uptimed 2023-12-26 17:43:13 +01:00
flake.lock update to nixos 23.11 2023-12-17 16:22:22 +01:00
flake.nix update to nixos 23.11 2023-12-17 16:22:22 +01:00
postgresql_server.crt working postgresql installation 2023-11-24 10:31:23 +01:00
README.md Merge branch 'kubernetes' 2023-12-16 14:07:45 +01:00

nixos-servers

Nix definitions to configure our physical servers. Currently, only one physical server (named jefke) is implemented but more are planned!

Prerequisites

  1. Install the Nix package manager or NixOS (link)
  2. Enable flake and nix commands (link)
  3. Install Direnv (link)
  4. Allow direnv for this repository: direnv allow

Bootstrapping

We bootstrap our physical server using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure your have a Secret service running (such as Keepassxc) that provides the age identity.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: ./bootstrap.sh <servername> <hostname>

Deployment

Deployment can simply be done as follows: deploy

Creating an admin certificate for k3s

Create the admin's private key:

openssl genpkey -algorithm ed25519 -out <username>-key.pem

Create a CSR for the admin:

openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"

Create a Kubernetes CSR object on the cluster:

k3s kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <username>-csr
spec:
  request: $(cat <username>.csr | base64 | tr -d '\n')
  expirationSeconds: 307584000 # 10 years
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - digital signature
    - key encipherment
    - client auth
EOF

Approve and sign the admin's CSR:

k3s kubectl certificate approve <username>-csr

Extract the resulting signed certificate from the CSR object:

k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt