81 lines
3.3 KiB
Markdown
81 lines
3.3 KiB
Markdown
# nixos-servers
|
|
|
|
Nix definitions to configure our servers at home.
|
|
|
|
## Acknowledgements
|
|
|
|
- [deploy-rs](https://github.com/serokell/deploy-rs): NixOS deploy tool with rollback functionality
|
|
- [disko](https://github.com/nix-community/disko): declarative disk partitioning
|
|
- [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones
|
|
- [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes
|
|
- [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi
|
|
- [kubenix](https://kubenix.org/): declare and deploy Kubernetes resources using Nix
|
|
- [nixhelm](https://github.com/farcaller/nixhelm): Nix-digestible Helm charts
|
|
- [sops-nix](https://github.com/Mic92/sops-nix): Sops secret management for Nix
|
|
|
|
## Installation
|
|
|
|
### Prerequisites
|
|
|
|
1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
|
|
2. Enable flake and nix commands ([link](https://nixos.wiki/wiki/Flakes#Enable_flakes_permanently_in_NixOS))
|
|
|
|
### Bootstrapping
|
|
|
|
We bootstrap our servers using [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
|
|
This reformats the hard disk of the server and installs a fresh NixOS.
|
|
Additionally, it deploys an age identity, which is later used for decrypting secrets.
|
|
|
|
⚠️ This will wipe your server completely ⚠️
|
|
|
|
1. Make sure your have a [Secret service](https://www.gnu.org/software/emacs/manual/html_node/auth/Secret-Service-API.html) running (such as Keepassxc) that provides the age identity.
|
|
2. Ensure you have root SSH access to the server.
|
|
3. Run nixos-anywhere: `nix run '.#bootstrap' <servername> <hostname>`
|
|
|
|
### Deployment
|
|
|
|
To deploy all servers at once: `nix run 'nixpkgs#deploy-rs' -- '.#' -k`
|
|
To deploy only one server: `nix run 'nixpkgs#deploy-rs' -- -k --targets '.#<host>'`
|
|
|
|
## Deploying to Kubernetes
|
|
|
|
To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster.
|
|
You can generate this using `nix run '.#gen-k3s-cert' <username> <servername> ~/.kube`, assuming you have SSH access to the master node.
|
|
This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory
|
|
|
|
If the cluster has not been initialized yet, next run `nix run '.#kubenix.x86_64-linux.bootstrap.deploy'`.
|
|
|
|
Applications are currently deployed in two method:
|
|
- A single big deployment of many applications (which I am trying to move away from)
|
|
- A separate deployment for each application using [ApplySets](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/#how-to-delete-objects)
|
|
|
|
The first method: `nix run '.#kubenix.x86_64-linux.all.deploy'`
|
|
The second method: `nix run '.#kubenix.x86_64-linux.<application>.deploy'`
|
|
Currently, the applications being deployed like this are:
|
|
- `cyberchef`
|
|
- `freshrss`
|
|
- `radicale`
|
|
- `kms`
|
|
- `atuin`
|
|
- `blog`
|
|
- `nextcloud`
|
|
- `hedgedoc`
|
|
- `kitchenowl`
|
|
- `forgejo`
|
|
- `paperless-ngx`
|
|
- `syncthing`
|
|
- `pihole`
|
|
- `immich`
|
|
- `attic`
|
|
- `inbucket`
|
|
- `dnsmasq`
|
|
- `bind9`
|
|
- `media`
|
|
|
|
## Known bugs
|
|
|
|
### Rsync not available during bootstrap
|
|
|
|
The `rsync` command was removed from recent NixOS ISO which causes nixos-anywhere to fail when copying extra files.
|
|
See [this](https://github.com/nix-community/nixos-anywhere/issues/260) issue.
|
|
Solution is to execute `nix-env -iA nixos.rsync` on the host.
|