Infrastructure as Code for our home servers

nixos-servers

Nix definitions to configure our servers at home.

Acknowledgements

  • deploy-rs: NixOS deploy tool with rollback functionality
  • disko: declarative disk partitioning
  • dns.nix: A Nix DSL for defining DNS zones
  • flake-utils: Handy utilities to develop Nix flakes
  • nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
  • kubenix: declare and deploy Kubernetes resources using Nix
  • nixhelm: Nix-digestible Helm charts
  • sops-nix: Sops secret management for Nix

NixOS

Prerequisites

  1. Install the Nix package manager or NixOS (link)
  2. Enable flake and nix commands (link)

Bootstrapping

We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure you can decrypt the Sops-encrypted secrets in secrets/. You can test this by running sops -d secrets/serverKeys.yaml.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: nix run '.#bootstrap' <servername> <hostname>
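Because step 3 reformats the target disk, the checks from steps 1 and 2 are worth automating so a typo cannot wipe the wrong machine. The following preflight script is an added example, not part of this repository; it assumes each server has a definition directory at machines/<servername> (a hypothetical layout) and that the operator types the target hostname back to confirm it.

```shell
#!/usr/bin/env bash
# Preflight checks before the destructive bootstrap (added example, not repo code).
# Assumption: server definitions live under machines/<servername>.
set -eu

# 0 if <servername> has a definition directory in the repo, non-zero otherwise.
server_defined() {
  local repo="$1" server="$2"
  [ -d "$repo/machines/$server" ]
}

# The operator must retype the exact hostname; a mismatch aborts before anything runs.
confirm_target() {
  local expected="$1" typed="$2"
  [ "$typed" = "$expected" ]
}

# Step 1 of the README: secrets must be decryptable with our age identity.
secrets_decryptable() {
  local repo="$1"
  sops -d "$repo/secrets/serverKeys.yaml" >/dev/null 2>&1
}

# Step 2 of the README: non-interactive root SSH access must work.
root_ssh_ok() {
  local host="$1"
  ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$host" true 2>/dev/null
}

# Runs all checks in order; distinct return codes tell the caller which one failed.
preflight() {
  local repo="$1" server="$2" host="$3" typed="$4"
  server_defined "$repo" "$server"   || { echo "unknown server: $server" >&2; return 2; }
  confirm_target "$host" "$typed"    || { echo "confirmation mismatch for $host" >&2; return 3; }
  secrets_decryptable "$repo"        || { echo "cannot decrypt secrets/serverKeys.yaml" >&2; return 4; }
  root_ssh_ok "$host"                || { echo "no root SSH access to $host" >&2; return 5; }
}

# Usage: ./preflight.sh run <servername> <hostname>  (prompts for confirmation, then bootstraps)
if [ "${1:-}" = "run" ] && [ "$#" -eq 3 ]; then
  printf 'Type the hostname to confirm wiping it: '
  read -r typed
  preflight "$(pwd)" "$2" "$3" "$typed"
  nix run '.#bootstrap' "$2" "$3"
fi
```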

Deployment

To deploy all servers at once: nix run 'nixpkgs#deploy-rs' -- '.#' -k

To deploy only one server: nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'

Kubernetes

Prerequisites

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate one using nix run '.#gen-k3s-cert' <username> <servername> ~/.kube, assuming you have SSH access to the master node. This puts a private key, a signed certificate and a kubeconfig in the given kubeconfig directory (~/.kube in this example).

Bootstrapping

We are now ready to deploy to the Kubernetes cluster. Deployments are done through an experimental Kubernetes feature called ApplySets. Each applyset is responsible for a fixed set of resources within a namespace.

If the cluster has not been initialized yet, we must bootstrap it first. Run these deployments:

  • nix run '.#bootstrap-default'
  • nix run '.#bootstrap-kube-system'

Deployment

Now the cluster has been initialized and we can deploy applications. To explore which applications we can deploy, run nix flake show. Then, for each application, run nix run '.#<application>'. Or, if you're lazy: nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}".

Known bugs

Rsync not available during bootstrap

The rsync command was removed from recent NixOS ISOs, which causes nixos-anywhere to fail when copying extra files. See this issue. The solution is to execute nix-env -iA nixos.rsync on the host.