nixos-servers

Nix definitions to configure our servers at home.

Acknowledgements

  • deploy-rs: NixOS deploy tool with rollback functionality
  • disko: declarative disk partitioning
  • dns.nix: A Nix DSL for defining DNS zones
  • flake-utils: Handy utilities to develop Nix flakes
  • nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
  • kubenix: declare and deploy Kubernetes resources using Nix
  • nixhelm: Nix-digestible Helm charts
  • sops-nix: Sops secret management for Nix

Installation

Prerequisites

  1. Install the Nix package manager or NixOS (link)
  2. Enable flake and nix commands (link)

Bootstrapping

We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure you have a Secret Service provider running (such as KeePassXC) that provides the age identity.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: nix run '.#bootstrap' <servername> <hostname>
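The three steps above, written out as a preflight wrapper around nixos-anywhere. This is an added example, not the repository's own '.#bootstrap' app. It assumes the age identity is stored in the Secret Service under the attribute pair purpose=nixos-age-identity and read with secret-tool, that the flake exposes nixosConfigurations.<servername>, and that sops-nix on the target reads its key from /var/lib/sops-nix/key.txt; the checks for root SSH and for rsync (see "Known bugs" below) run before the destructive step, and the disk wipe only proceeds after the hostname is typed back.

```shell
#!/usr/bin/env sh
# bootstrap-preflight.sh <servername> <hostname>
# Added example, not the repository's '.#bootstrap' app. Assumptions:
#   - age identity in the Secret Service under purpose=nixos-age-identity
#   - flake output nixosConfigurations.<servername>
#   - sops-nix on the target uses /var/lib/sops-nix/key.txt
set -eu

usage() {
  printf 'usage: %s <servername> <hostname>\n' "$0" >&2
}

# An age x25519 identity is a single token starting with AGE-SECRET-KEY-1.
# Returns 0 when the string looks like one, 1 otherwise (empty string, wrong
# prefix, or embedded whitespace such as a stray newline from secret-tool).
is_age_identity() {
  case "$1" in
    AGE-SECRET-KEY-1*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# nixos-anywhere --extra-files mirrors the target root filesystem, so the
# identity is staged under var/lib/sops-nix/key.txt with 0600 permissions.
# Prints the staging directory; the caller removes it afterwards.
stage_extra_files() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  mkdir -p "$dir/var/lib/sops-nix"
  (umask 077; printf '%s\n' "$1" > "$dir/var/lib/sops-nix/key.txt")
  printf '%s\n' "$dir"
}

# Recent NixOS ISOs ship without rsync, which nixos-anywhere needs on the
# target to copy extra files; apply the workaround from "Known bugs".
ensure_rsync_on_target() {
  ssh -o BatchMode=yes "root@$1" \
    'command -v rsync >/dev/null 2>&1 || nix-env -iA nixos.rsync'
}

main() {
  server=$1
  host=$2

  key=$(secret-tool lookup purpose nixos-age-identity)   # assumed attribute
  is_age_identity "$key" || { echo "no usable age identity in Secret Service" >&2; exit 1; }

  ssh -o BatchMode=yes "root@$host" true \
    || { echo "root SSH to $host failed" >&2; exit 1; }
  ensure_rsync_on_target "$host"

  printf 'This WIPES all disks of %s (%s). Type the hostname to confirm: ' "$server" "$host"
  read -r answer
  [ "$answer" = "$host" ] || { echo "aborted" >&2; exit 1; }

  extra=$(stage_extra_files "$key")
  trap 'rm -rf "$extra"' EXIT
  nix run github:nix-community/nixos-anywhere -- \
    --flake ".#$server" --extra-files "$extra" "root@$host"
}

if [ "$#" -eq 2 ]; then main "$@"; else usage; fi
```

Because the staging directory is created with mktemp and removed by the EXIT trap, the identity only ever exists on local disk for the duration of the copy; the Secret Service remains the long-term store.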

Deployment

To deploy all servers at once: nix run 'nixpkgs#deploy-rs' -- '.#' -k

To deploy only one server: nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'

Deploying to Kubernetes

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate this using nix run '.#gen-k3s-cert' <username> <servername> ~/.kube, assuming you have SSH access to the master node. This puts a private key, a signed certificate and a kubeconfig in the given kubeconfig directory.
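What such a certificate-based admin account consists of, as an added example that is not the repository's '.#gen-k3s-cert' app: a locally generated key, a CSR signed over SSH by the k3s client CA so the CA key never leaves the master, and a kubeconfig assembled with kubectl. It assumes root SSH to the master, k3s's default CA location /var/lib/rancher/k3s/server/tls/, the default API port 6443, and that openssl and kubectl are installed locally.

```shell
#!/usr/bin/env sh
# gen-k3s-admin.sh <username> <servername> <kubeconfig-dir>
# Added example, not the repository's '.#gen-k3s-cert' app. Assumptions:
#   - root SSH to the master node
#   - k3s CA material under /var/lib/rancher/k3s/server/tls/ (k3s default)
#   - API server reachable at https://<servername>:6443 (k3s default)
set -eu

K3S_TLS_DIR=/var/lib/rancher/k3s/server/tls
API_PORT=6443
VALID_DAYS=365
# Members of system:masters are cluster-admin without any RBAC object and a
# certificate cannot be revoked short of rotating the CA, hence the bounded
# validity above; a dedicated group bound via ClusterRoleBinding is safer.
ADMIN_GROUP=${ADMIN_GROUP:-system:masters}

usage() {
  printf 'usage: %s <username> <servername> <kubeconfig-dir>\n' "$0" >&2
}

# Kubernetes maps the certificate CN to the user name and O to the groups.
cert_subject() { printf '/CN=%s/O=%s' "$1" "$ADMIN_GROUP"; }
api_server_url() { printf 'https://%s:%s' "$1" "$API_PORT"; }

main() {
  user=$1
  server=$2
  outdir=$3
  mkdir -p "$outdir"
  chmod 700 "$outdir"
  key="$outdir/$user.key"
  csr="$outdir/$user.csr"
  crt="$outdir/$user.crt"
  ca="$outdir/k3s-server-ca.crt"
  kubeconfig="$outdir/config"

  # Private key is created locally with 0600 and never transferred.
  (umask 077; openssl ecparam -genkey -name prime256v1 -noout -out "$key")
  openssl req -new -key "$key" -subj "$(cert_subject "$user")" -out "$csr"

  # Sign on the master: only the CSR goes up, only the certificate comes back.
  # A random serial avoids writing a .srl file into the k3s directory.
  serial="0x$(openssl rand -hex 16)"
  ssh -o BatchMode=yes "root@$server" \
    "openssl x509 -req -days $VALID_DAYS -set_serial $serial \
       -CA $K3S_TLS_DIR/client-ca.crt -CAkey $K3S_TLS_DIR/client-ca.key" \
    < "$csr" > "$crt"
  # The serving CA is what the client must trust for the API endpoint.
  ssh -o BatchMode=yes "root@$server" "cat $K3S_TLS_DIR/server-ca.crt" > "$ca"
  rm -f "$csr"

  kubectl --kubeconfig "$kubeconfig" config set-cluster "$server" \
    --server "$(api_server_url "$server")" --certificate-authority "$ca" --embed-certs=true
  kubectl --kubeconfig "$kubeconfig" config set-credentials "$user" \
    --client-key "$key" --client-certificate "$crt" --embed-certs=true
  kubectl --kubeconfig "$kubeconfig" config set-context "$user@$server" \
    --cluster "$server" --user "$user"
  kubectl --kubeconfig "$kubeconfig" config use-context "$user@$server"
  chmod 600 "$kubeconfig"
}

if [ "$#" -eq 3 ]; then main "$@"; else usage; fi
```

The resulting kubeconfig embeds the key, so it is as sensitive as the key file itself; keeping the whole directory at mode 700 and the file at 600 matters more than usual here because the credential bypasses RBAC.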

If the cluster has not been initialized yet, next run nix run '.#kubenix.x86_64-linux.bootstrap.deploy'.

Applications are currently deployed in two ways:

  • A single big deployment of many applications (which I am trying to move away from)
  • A separate deployment for each application using ApplySets

The first method: nix run '.#kubenix.x86_64-linux.all.deploy'

The second method: nix run '.#kubenix.x86_64-linux.<application>.deploy'

Currently, the applications being deployed like this are:

  • cyberchef
  • freshrss
  • radicale
  • kms
  • atuin
  • blog
  • nextcloud
  • hedgedoc
  • kitchenowl
  • forgejo
  • paperless-ngx
  • syncthing
  • pihole
  • immich
  • attic
  • inbucket
  • dnsmasq
  • bind9
  • media
  • traefik
  • minecraft

Known bugs

Rsync not available during bootstrap

The rsync command was removed from recent NixOS ISOs, which causes nixos-anywhere to fail when copying extra files. See this issue. The solution is to execute nix-env -iA nixos.rsync on the host before running the bootstrap.