Infrastructure as Code for our home servers
| ansible | ||
| machines | ||
| modules | ||
| scripts | ||
| secrets | ||
| utils | ||
| .gitignore | ||
| .sops.yaml | ||
| checks.nix | ||
| container-images.nix | ||
| deploy.nix | ||
| flake.lock | ||
| flake.nix | ||
| nixos.nix | ||
| README.md | ||
| shell.nix | ||
nixos-servers
Nix definitions to configure our servers at home.
Acknowledgements
- deploy-rs: NixOS deploy tool with rollback functionality
- disko: declarative disk partitioning
- dns.nix: A Nix DSL for defining DNS zones
- flake-utils: Handy utilities to develop Nix flakes
- nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
- sops-nix: Sops secret management for Nix
Prerequisites
Bootstrapping
We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.
⚠️ This will wipe your server completely ⚠️
- Make sure you can decrypt the Sops-encrypted secrets in
secrets/. You can test this by runningsops -d secrets/serverKeys.yaml. - Ensure you have root SSH access to the server.
- Run nixos-anywhere:
nix run '.#bootstrap' <servername> <hostname>
Deployment
To deploy all servers at once: nix run 'nixpkgs#deploy-rs' -- '.#' -k
To deploy only one server: nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'
Known bugs
Rsync not available during bootstrap
The rsync command was removed from recent NixOS ISO which causes nixos-anywhere to fail when copying extra files.
See this issue.
Solution is to execute nix-env -iA nixos.rsync on the host.