Infrastructure as Code for our home servers
Last commit: 2024-07-28 14:32:28 +02:00

Repository contents (entry, last commit message, date):

  • docs: Add documentation about Media stack (2024-07-12 15:20:39 +02:00)
  • flake-parts: feat: Deploy ntfy (2024-07-27 22:32:23 +02:00)
  • kubenix-modules: refactor: Set image pull policy to IfNotPresent everywhere (2024-07-28 14:32:28 +02:00)
  • machines: feat: Use Attic as binary cache (2024-07-27 21:12:24 +02:00)
  • my-lib: feat: Put nextcloud and immich behind tailscale (2024-07-25 20:30:21 +02:00)
  • nixos-modules: feat(tailscale): Enable warwick as exit node and subnet router (2024-07-23 22:50:11 +02:00)
  • secrets: feat: Enable tailscale on physical servers (2024-07-22 22:54:08 +02:00)
  • .gitignore: add persistent storage to minecraft (2024-04-13 22:21:26 +02:00)
  • .sops.yaml: Replace agenix with sops-nix (2024-06-15 22:27:07 +02:00)
  • configuration.nix: Use nix-snapshotter as k3s' snapshotter and image service (2024-06-24 23:31:06 +02:00)
  • container-images.nix: Add script to prefetch Docker images (2024-06-30 14:35:47 +02:00)
  • flake.lock: feat(blog): Move to static-websites k8s namespace (2024-07-14 15:31:58 +02:00)
  • flake.nix: feat: Use Attic as binary cache (2024-07-27 21:12:24 +02:00)
  • README.md: feat: Expose Radicale, Paperless and FreshRSS only on Tailscale (2024-07-24 21:25:51 +02:00)

nixos-servers

Nix definitions to configure our servers at home.

Acknowledgements

  • deploy-rs: NixOS deploy tool with rollback functionality
  • disko: declarative disk partitioning
  • dns.nix: A Nix DSL for defining DNS zones
  • flake-utils: Handy utilities to develop Nix flakes
  • nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
  • kubenix: declare and deploy Kubernetes resources using Nix
  • nixhelm: Nix-digestible Helm charts
  • sops-nix: Sops secret management for Nix

Installation

Prerequisites

  1. Install the Nix package manager or NixOS
  2. Enable flake and nix commands

Bootstrapping

We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure you have a Secret Service provider running (such as KeePassXC) that provides the age identity.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: nix run '.#bootstrap' <servername> <hostname>

Deployment

To deploy all servers at once: nix run 'nixpkgs#deploy-rs' -- '.#' -k

To deploy only one server: nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'
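
Both procedures above (bootstrapping with nixos-anywhere and deploying with deploy-rs) take a target name straight from the command line, and the first one wipes a disk. The wrapper below is an added example and not part of the nixos-servers flake: it checks the flake host against a constructed allowlist (KNOWN_SERVERS; warwick is the machine named in this repository, atlas is made up), validates the hostname or IPv4 literal, refuses to print the destructive bootstrap command unless the operator repeats the server name in BOOTSTRAP_CONFIRM, and, outside dry runs, probes the target over SSH for rsync because of the known bug listed at the end of this README. DRY_RUN and BOOTSTRAP_CONFIRM are assumed variable names.

```sh
#!/bin/sh
# Guard rails around the README's bootstrap and deploy commands.
# Added example, not code from the nixos-servers repository. Assumptions:
#   - KNOWN_SERVERS is a hand-maintained allowlist (constructed here; the
#     repository keeps its real machine definitions under machines/).
#   - Targets are RFC 1123 host names or IPv4 literals.
#   - DRY_RUN and BOOTSTRAP_CONFIRM are names chosen for this example.
set -eu

# Constructed allowlist of flake hosts that may be reinstalled or deployed.
KNOWN_SERVERS="warwick atlas"

# Accept RFC 1123 host names (labels of letters, digits, hyphens) or IPv4.
valid_host() {
  printf '%s\n' "$1" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$|^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True if $1 is one of the allowlisted flake hosts.
known_server() {
  for s in $KNOWN_SERVERS; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# Print the nixos-anywhere bootstrap command for <servername> <hostname>.
# Refuses unless BOOTSTRAP_CONFIRM equals the server name, because the
# bootstrap wipes the target disk. Returns 1 on any failed check.
bootstrap_cmd() {
  server=$1; host=$2
  known_server "$server" || { echo "unknown server: $server" >&2; return 1; }
  valid_host "$host"     || { echo "invalid hostname: $host" >&2; return 1; }
  [ "${BOOTSTRAP_CONFIRM:-}" = "$server" ] || {
    echo "refusing: set BOOTSTRAP_CONFIRM=$server to wipe and reinstall it" >&2
    return 1
  }
  # Live preflight for the rsync bug from "Known bugs"; skipped in dry runs.
  if [ -z "${DRY_RUN:-}" ]; then
    ssh "root@$host" 'command -v rsync >/dev/null' ||
      { echo "rsync missing on $host, run nix-env -iA nixos.rsync there" >&2; return 1; }
  fi
  printf "nix run '.#bootstrap' %s %s\n" "$server" "$host"
}

# Print the deploy-rs command: all hosts with no argument, else one target.
deploy_cmd() {
  if [ $# -eq 0 ]; then
    printf "nix run 'nixpkgs#deploy-rs' -- '.#' -k\n"
  else
    known_server "$1" || { echo "unknown server: $1" >&2; return 1; }
    printf "nix run 'nixpkgs#deploy-rs' -- -k --targets '.#%s'\n" "$1"
  fi
}

# Usage (interactive): . ./guard.sh; BOOTSTRAP_CONFIRM=warwick bootstrap_cmd warwick 192.168.1.10 | sh
```

The functions only print the command they would run, so the operator can review it (or pipe it to sh) and the same checks can be exercised with DRY_RUN=1 where no SSH access exists.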

Deploying to Kubernetes

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate one with nix run '.#gen-k3s-cert' <username> <servername> ~/.kube, assuming you have SSH access to the master node. This puts a private key, a signed certificate and a kubeconfig in the kubeconfig directory given as the last argument (~/.kube in this example).
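
Because gen-k3s-cert writes an admin private key and kubeconfig into a user directory, it is worth confirming that nothing in that directory is readable by other local users before using it. The check and fixer below are an added example, not code from the repository; they assume only a directory of regular files and rely on POSIX find(1) -perm tests rather than stat(1) flags, so the same code runs on GNU and BSD userlands.

```sh
#!/bin/sh
# Permission check for the directory gen-k3s-cert fills with an admin
# private key, signed certificate and kubeconfig.
# Added example, not part of the nixos-servers repository. Assumes only a
# directory of regular files; file names are not inspected.
set -eu

# Print each regular file under $1 that has any group or other permission bit.
world_readable_files() {
  find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                       -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Return 0 if the directory has no group/other bits and none of its files
# leak to group/others; otherwise list the offenders on stderr and return 1.
check_kube_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  status=0
  # -prune stops descent, so only the directory entry itself is tested here.
  if [ -n "$(find "$dir" -prune \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                                   -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)" ]; then
    echo "directory is accessible to group/others: $dir" >&2
    status=1
  fi
  files=$(world_readable_files "$dir")
  if [ -n "$files" ]; then
    printf '%s\n' "$files" | while IFS= read -r f; do
      echo "credential readable by group/others: $f" >&2
    done
    status=1
  fi
  return $status
}

# Tighten to owner-only access: 0700 on the directory, 0600 on every file.
fix_kube_dir() {
  chmod 700 "$1"
  find "$1" -type f -exec chmod 600 {} +
}

# Usage (interactive): . ./kube-perms.sh; check_kube_dir ~/.kube || fix_kube_dir ~/.kube
```

Run check_kube_dir on the directory you passed to gen-k3s-cert; if it reports offenders, fix_kube_dir resets the modes and a second check_kube_dir call confirms the result.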

We are now ready to deploy to the Kubernetes cluster. Deployments are done through an experimental Kubernetes feature called ApplySets; each ApplySet owns a fixed set of resources within one namespace.

If the cluster has not been initialized yet, we must bootstrap it first. Run these deployments:

  • nix run '.#bootstrap-default'
  • nix run '.#bootstrap-kube-system'

Now the cluster has been initialized and we can deploy applications. To explore which applications we can deploy, run nix flake show. Then, for each application, run nix run '.#<application>'.

Known bugs

Rsync not available during bootstrap

The rsync command was removed from recent NixOS ISOs, which causes nixos-anywhere to fail when copying extra files (see this issue). The workaround is to run nix-env -iA nixos.rsync on the host that is being installed before bootstrapping.