Infrastructure as Code for our home servers
Pim Kunis df01977bba
Use CA of k8s in Forgejo action
2024-05-01 23:03:37 +02:00

nixos-servers

Nix definitions to configure our servers at home.

Acknowledgements

  • deploy-rs: NixOS deploy tool with rollback functionality
  • disko: declarative disk partitioning
  • agenix: deployment of encrypted secrets to NixOS machines
  • dns.nix: A Nix DSL for defining DNS zones
  • flake-utils: Handy utilities to develop Nix flakes
  • nixos-hardware: Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi.

Installation

Prerequisites

  1. Install the Nix package manager or NixOS (link)
  2. Enable flake and nix commands (link)

Bootstrapping

We bootstrap our servers using nixos-anywhere. This reformats the hard disk of the server and installs a fresh NixOS. Additionally, it deploys an age identity, which is later used for decrypting secrets.

⚠️ This will wipe your server completely ⚠️

  1. Make sure you have a Secret Service provider running (such as KeePassXC) that provides the age identity.
  2. Ensure you have root SSH access to the server.
  3. Run nixos-anywhere: nix run .#bootstrap <servername> <hostname>

Deployment

To deploy all servers at once: nix run nixpkgs#deploy-rs -- .# -k

To deploy only one server: nix run nixpkgs#deploy-rs -- -k --targets .#<host>

Deploying to Kubernetes

To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. You can generate this using nix run .#gen-k3s-cert <username> <servername> ~/.kube, assuming you have SSH access to the master node. This puts a private key, a signed certificate and a kubeconfig in the kubeconfig directory.

If the cluster has not been initialized yet, next run nix run .#kubenix-bootstrap.x86_64-linux.

⚠️ Do not do this if the cluster has been initialized already, as it will prune any deployed resources! ⚠️

Lastly, deploy everything to the cluster using nix run .#kubenix.x86_64-linux.

Known bugs

Rsync not available during bootstrap

The rsync command was removed from recent NixOS ISOs, which causes nixos-anywhere to fail when copying extra files. See this issue. The solution is to execute nix-env -iA nixos.rsync on the host before bootstrapping.
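As an added example (not part of the nixos-servers repository), a bash wrapper that guards the two destructive steps documented above (the server bootstrap and kubenix-bootstrap) and applies the rsync workaround from this known bug before calling nixos-anywhere. It assumes the flake apps named in this README, root SSH access to the target, and a kubectl admin context; probing for an initialized cluster with `kubectl get deploy,sts,ds -A` is my assumption, not the project's.

```shell
#!/usr/bin/env bash
# Guard script for the destructive steps in the README; not part of nixos-servers.
set -eu

# Known-bug workaround: nixos-anywhere needs rsync on the target. $1 is the probe
# result ("present" or "missing"); returns 0 when rsync must be installed first.
rsync_missing() {
  [ "$1" = "missing" ]
}

# Wipe guard: the typed confirmation must match the exact hostname being wiped.
confirmed_wipe() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Cluster guard: any workload already present means kubenix-bootstrap must NOT run,
# because it prunes deployed resources. $1 is `kubectl get deploy,sts,ds -A --no-headers`.
cluster_initialized() {
  printf '%s' "$1" | grep -q '[^[:space:]]'
}

bootstrap_server() {  # usage: bootstrap_server <servername> <hostname>
  server="$1"; host="$2"
  printf "Type '%s' to confirm wiping it: " "$host"; read -r reply
  confirmed_wipe "$reply" "$host" || { echo "aborted"; return 1; }
  ssh "root@$host" true || { echo "no root SSH access to $host"; return 1; }
  probe=$(ssh "root@$host" 'command -v rsync >/dev/null && echo present || echo missing')
  if rsync_missing "$probe"; then
    ssh "root@$host" 'nix-env -iA nixos.rsync'   # workaround from the known bug
  fi
  nix run .#bootstrap "$server" "$host"
}

bootstrap_cluster() {
  existing=$(kubectl get deploy,sts,ds -A --no-headers 2>/dev/null || true)
  if cluster_initialized "$existing"; then
    echo "cluster already has workloads; refusing to run kubenix-bootstrap"; return 1
  fi
  nix run .#kubenix-bootstrap.x86_64-linux
}

case "${1:-}" in
  server)  bootstrap_server "$2" "$3" ;;
  cluster) bootstrap_cluster ;;
  *) ;;
esac
```

Run as `./guard.sh server <servername> <hostname>` or `./guard.sh cluster`; the pure check functions can be sourced and tested without touching any machine.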