Pim Kunis
a7d403eb5b
Allow mounting all volumes in Forgejo actions

Files:

- .forgejo/workflows
- flake-parts
- kubenix-modules
- machines
- my-lib
- nixos-modules
- secrets
- .gitignore
- .sops.yaml
- configuration.nix
- flake.lock
- flake.nix
- README.md
# nixos-servers

Nix definitions to configure our servers at home.

## Acknowledgements

- deploy-rs: NixOS deploy tool with rollback functionality
- disko: declarative disk partitioning
- agenix: deployment of encrypted secrets to NixOS machines
- dns.nix: A Nix DSL for defining DNS zones
- flake-utils: Handy utilities to develop Nix flakes
- nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi.
## Installation

### Prerequisites

### Bootstrapping

We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

- Make sure you have a Secret service running (such as KeePassXC) that provides the age identity.
- Ensure you have root SSH access to the server.
- Run nixos-anywhere:

```
nix run .#bootstrap <servername> <hostname>
```
## Deployment

To deploy all servers at once: `nix run nixpkgs#deploy-rs -- .# -k`

To deploy only one server: `nix run nixpkgs#deploy-rs -- -k --targets .#<host>`
## Deploying to Kubernetes

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate this using `nix run .#gen-k3s-cert <username> <servername> ~/.kube`, assuming you have SSH access to the master node. This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory.

If the cluster has not been initialized yet, next run `nix run .#kubenix-bootstrap.x86_64-linux`.

⚠️ Do not do this if the cluster has been initialized already, as it will prune any deployed resources! ⚠️

Lastly, deploy everything to the cluster using `nix run .#kubenix.x86_64-linux`.
## Known bugs

### Rsync not available during bootstrap

The `rsync` command was removed from the recent NixOS ISO, which causes nixos-anywhere to fail when copying extra files. See this issue.

The solution is to execute `nix-env -iA nixos.rsync` on the host.
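As an added example (not part of the nixos-servers repository), the following POSIX shell wrapper guards the two destructive steps in this README, `nix run .#bootstrap` from the Bootstrapping section and `nix run .#kubenix-bootstrap.x86_64-linux` from the Kubernetes section, and applies the rsync workaround from Known bugs before bootstrapping. It assumes root SSH access to the target host and a `kubectl` context using the admin kubeconfig from `gen-k3s-cert`; the function names and the confirmation prompt are my own, and the pod listing used in the checks is whatever `kubectl` returns.

```shell
#!/bin/sh
# Added example, not part of the nixos-servers repo. Guards the README's
# destructive steps: the server wipe done by `nix run .#bootstrap` and the
# resource prune done by `nix run .#kubenix-bootstrap.x86_64-linux`.
# Assumptions: root SSH access to the target; kubectl uses the admin kubeconfig.
set -eu

# Confirmation gate: succeeds only when the operator typed the exact hostname.
confirm_target() {
  expected=$1; typed=$2
  [ -n "$expected" ] && [ "$expected" = "$typed" ]
}

# Known bug: nixos-anywhere needs rsync on the target to copy extra files
# (the age identity). Check over SSH and apply the README's fix if missing.
ensure_remote_rsync() {
  host=$1
  if ! ssh "root@$host" 'command -v rsync >/dev/null 2>&1'; then
    echo "rsync missing on $host, installing it (nix-env -iA nixos.rsync)" >&2
    ssh "root@$host" 'nix-env -iA nixos.rsync'
  fi
}

# Count pods outside kube-system in a "namespace name" listing, one per line.
# Non-zero means the cluster already carries resources kubenix-bootstrap would prune.
count_user_pods() {
  printf '%s' "$1" | grep -cv '^kube-system ' || true
}

# Usage: safe_bootstrap <servername> <hostname>
safe_bootstrap() {
  ensure_remote_rsync "$2"
  printf 'This WIPES %s completely. Type the hostname to continue: ' "$2" >&2
  read -r typed
  confirm_target "$2" "$typed" || { echo "aborted" >&2; return 1; }
  nix run .#bootstrap "$1" "$2"
}

# Refuses to run kubenix-bootstrap against an already initialized cluster.
safe_kubenix_bootstrap() {
  listing=$(kubectl get pods -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name)
  n=$(count_user_pods "$listing")
  if [ "$n" -gt 0 ]; then
    echo "cluster already initialized ($n pods outside kube-system); refusing" >&2
    return 1
  fi
  nix run .#kubenix-bootstrap.x86_64-linux
}
```

Source the file and call `safe_bootstrap <servername> <hostname>` or `safe_kubenix_bootstrap` instead of the bare `nix run` commands.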