Infrastructure as Code for our home servers

nixos-servers

Nix definitions to configure our servers at home.

Acknowledgements

  • deploy-rs: NixOS deploy tool with rollback functionality
  • disko: declarative disk partitioning
  • dns.nix: A Nix DSL for defining DNS zones
  • flake-utils: Handy utilities to develop Nix flakes
  • nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
  • kubenix: declare and deploy Kubernetes resources using Nix
  • nixhelm: Nix-digestible Helm charts
  • sops-nix: Sops secret management for Nix

NixOS

Prerequisites

  1. Install the Nix package manager or NixOS
  2. Enable flakes and the nix command

Bootstrapping

We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure you can decrypt the Sops-encrypted secrets in secrets/. You can test this by running sops -d secrets/serverKeys.yaml.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: nix run '.#bootstrap' <servername> <hostname>
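Because step 3 wipes the target disk, the checks in steps 1 and 2 are worth automating in front of it. The following wrapper is an added example, not part of the nixos-servers repository: it runs the README's own `sops -d secrets/serverKeys.yaml` test, verifies non-interactive root SSH access, requires the operator to retype the hostname, and only then invokes `nix run '.#bootstrap'`. The injectable runner and the check names are assumptions made for this example.

```python
"""Pre-flight guard for the destructive bootstrap (nix run '.#bootstrap').
Hypothetical helper, not part of the nixos-servers repo: it mirrors the README's
checklist (sops decrypt test, root SSH) and refuses to proceed unless all pass."""
import subprocess
import sys
from typing import Callable, Sequence

# A runner takes an argv list and returns its exit status; injectable for testing.
Runner = Callable[[Sequence[str]], int]

def run_quiet(argv: Sequence[str]) -> int:
    """Run a command with output discarded and return its exit status."""
    return subprocess.run(list(argv), stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode

def check_sops(run: Runner = run_quiet,
               secrets_file: str = "secrets/serverKeys.yaml") -> bool:
    """README step 1: `sops -d secrets/serverKeys.yaml` must exit 0."""
    return run(["sops", "-d", secrets_file]) == 0

def check_root_ssh(hostname: str, run: Runner = run_quiet) -> bool:
    """README step 2: non-interactive root login; BatchMode=yes fails fast on a
    missing key instead of hanging on a password prompt."""
    return run(["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
                f"root@{hostname}", "true"]) == 0

def preflight(hostname: str, confirmation: str, run: Runner = run_quiet) -> list:
    """Return blocking problems; an empty list means the bootstrap may proceed."""
    problems = []
    if not check_sops(run):
        problems.append("cannot decrypt secrets/serverKeys.yaml with your sops/age key")
    if not check_root_ssh(hostname, run):
        problems.append(f"no non-interactive root SSH access to {hostname}")
    if confirmation != hostname:  # operator must retype the host that will be wiped
        problems.append(f"confirmation {confirmation!r} does not match {hostname!r}")
    return problems

def bootstrap_argv(servername: str, hostname: str) -> list:
    """The README's bootstrap command as an argv list (no shell, no quoting issues)."""
    return ["nix", "run", ".#bootstrap", servername, hostname]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <servername> <hostname>")
    server, host = sys.argv[1], sys.argv[2]
    typed = input(f"This WIPES {host} completely. Type the hostname to continue: ")
    problems = preflight(host, typed)
    for problem in problems:
        print("refusing to bootstrap:", problem, file=sys.stderr)
    sys.exit(1 if problems else subprocess.call(bootstrap_argv(server, host)))
```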

Deployment

To deploy all servers at once: nix run 'nixpkgs#deploy-rs' -- '.#' -k

To deploy only one server: nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'

Kubernetes

Prerequisites

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate one using nix run '.#gen-k3s-cert' <username> <servername> ~/.kube, assuming you have SSH access to the master node. This puts a private key, a signed certificate and a kubeconfig in the directory given as the last argument (~/.kube in the example).

Bootstrapping

We are now ready to deploy to the Kubernetes cluster. Deployments are done through an experimental Kubernetes feature called ApplySets. Each applyset is responsible for a fixed set of resources within a namespace.

If the cluster has not been initialized yet, we must bootstrap it first. Run these deployments:

  • nix run '.#bootstrap-default'
  • nix run '.#bootstrap-kube-system'

Deployment

Now the cluster has been initialized and we can deploy applications. To explore which applications we can deploy, run nix flake show. Then, for each application, run nix run '.#<application>'. Or, if you're lazy: nix flake show --json | jq -r '.packages."x86_64-linux"|keys[]' | grep -- -deploy | xargs -I{} nix run ".#{}".

Known bugs

rsync not available during bootstrap

The rsync command was removed from recent NixOS ISOs, which causes nixos-anywhere to fail when copying extra files. See this issue. The workaround is to run nix-env -iA nixos.rsync on the host.