infra/nixos/hosts
minish 186c4c8440
Update NixOS hosts docs
2024-12-22 02:33:10 -05:00
eidola Deploy Vaultwarden 2024-12-22 02:11:19 -05:00
silver Deploy Vaultwarden 2024-12-22 02:11:19 -05:00
README.md Update NixOS hosts docs 2024-12-22 02:33:10 -05:00
default.nix Prepare for refactors 2024-10-17 18:32:14 -04:00

README.md

NixOS Hosts

This directory contains configs for all NixOS hosts.

Installing a new machine

✩ = done on the target machine; every other step is run from your own device

  1. ✩ If Secure Boot is desired, set a UEFI (firmware) password and put Secure Boot into "Setup Mode". (On some boards this is done by clearing the Secure Boot keys.)
  2. ✩ Boot the NixOS remote deploy image.
  3. Copy an appropriate existing host config as a base.
  4. `./scripts/make_base_keys.sh NAME_OF_HOST-v1`
  5. Create a `secrets/NAME_OF_HOST.yaml` file.
  6. Add the age key printed by `make_base_keys.sh` to `.sops.yaml`. Add the necessary keys to `secrets/NAME_OF_HOST.yaml`. Make sure the host's `secrets.nix` points at that YAML file.
  7. Check that the disk partitioning is correct, and change the target disk in `disk-config.nix` to the right device.
  8. Generate strong passwords, hash them with `mkpasswd -m sha-512`, and put the hashes in the `root-pw` and `user-pw` properties. As with the other secret values, make sure the stored hash carries no trailing newline (EOL).
  9. Generate a nebula cert and key. Put the cert in the `nixos/keys/` folder and the key in `secrets/NAME_OF_HOST.yaml`.
  10. Set the host's internal IP in `prometheus.nix`, then add the host to silver's `scrapeConfig`.
  11. Customize the config however you want.
  12. `./scripts/install.sh -c NAME_OF_HOST -k NAME_OF_HOST-v1/ root@IP_OF_HOST`
  13. Delete the `NAME_OF_HOST-v1` folder (the keys generated in step 4) once you no longer need it.
  14. That is about it.
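Steps 5 through 10 leave several artifacts behind that `install.sh` in step 12 depends on, and the password-hash step has a known foot-gun (a trailing newline). The following POSIX shell script is an added example written for this page; it is not part of this repository or its `scripts/`. The paths `secrets/<host>.yaml`, `.sops.yaml` and `nixos/keys/` come from the steps above; the cert filename `nixos/keys/<host>.crt`, the location `hosts/<host>/disk-config.nix`, and the fixture contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this README, not part of the repository or its scripts/:
# preflight checks to run before step 12. Paths taken from the steps above:
# secrets/<host>.yaml, .sops.yaml, nixos/keys/. Assumed for this example:
# the nebula cert is stored as nixos/keys/<host>.crt and the disk layout
# lives in hosts/<host>/disk-config.nix.

# check_pw_hash HASH
# Accept only what belongs in root-pw / user-pw: a SHA-512 crypt hash as
# printed by `mkpasswd -m sha-512`, i.e. $6$[rounds=N$]<salt>$<86 chars>,
# and reject any value that still carries whitespace or a trailing newline.
check_pw_hash() {
  case "$1" in
    *[[:space:]]*) echo "check_pw_hash: value contains whitespace or an EOL" >&2; return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$' ||
    { echo "check_pw_hash: not a \$6\$ (sha-512 crypt) hash" >&2; return 1; }
}

# gen_pw_hash PASSWORD
# Hash a password the way step 8 describes. Command substitution strips the
# trailing newline mkpasswd prints, which is exactly the EOL the README warns
# about. Falls back to `openssl passwd -6` (same $6$ format) if mkpasswd is absent.
gen_pw_hash() {
  if command -v mkpasswd >/dev/null 2>&1; then
    h=$(printf '%s' "$1" | mkpasswd -m sha-512 -s)
  else
    h=$(printf '%s' "$1" | openssl passwd -6 -stdin)
  fi
  check_pw_hash "$h" && printf '%s' "$h"
}

# check_host_files REPO HOST AGE_PUBKEY
# Confirm the artifacts from steps 5-10 exist: the sops file is present and
# actually encrypted (sops writes a top-level "sops:" metadata block), the
# host's age key is listed in .sops.yaml, the nebula cert is in nixos/keys/,
# and disk-config.nix exists and names a /dev/ target device.
check_host_files() {
  repo=$1; host=$2; agekey=$3; rc=0
  for f in "secrets/$host.yaml" .sops.yaml "nixos/keys/$host.crt" "hosts/$host/disk-config.nix"; do
    [ -f "$repo/$f" ] || { echo "missing: $f" >&2; rc=1; }
  done
  grep -q '^sops:' "$repo/secrets/$host.yaml" 2>/dev/null ||
    { echo "secrets/$host.yaml is not sops-encrypted" >&2; rc=1; }
  grep -qF -- "$agekey" "$repo/.sops.yaml" 2>/dev/null ||
    { echo ".sops.yaml does not list $agekey" >&2; rc=1; }
  grep -Eq 'device *= *"/dev/' "$repo/hosts/$host/disk-config.nix" 2>/dev/null ||
    { echo "disk-config.nix does not set a /dev/ target device" >&2; rc=1; }
  return $rc
}

# make_fixture AGE_PUBKEY
# Build a throwaway repo layout for a host called "demo" so the checks can be
# exercised offline. Every file is a constructed placeholder, not a real secret.
make_fixture() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/secrets" "$d/nixos/keys" "$d/hosts/demo"
  printf 'root-pw: ENC[AES256_GCM,data:placeholder]\nsops:\n  age:\n    - recipient: %s\n' "$1" \
    > "$d/secrets/demo.yaml"
  printf 'keys:\n  - &demo %s\ncreation_rules:\n  - path_regex: secrets/demo.yaml\n    key_groups:\n      - age:\n          - *demo\n' "$1" \
    > "$d/.sops.yaml"
  : > "$d/nixos/keys/demo.crt"
  printf '{ disko.devices.disk.main.device = "/dev/disk/by-id/nvme-placeholder"; }\n' \
    > "$d/hosts/demo/disk-config.nix"
  printf '%s\n' "$d"
}

# Usage from the repo root, for a host named "eidola" whose age key is $KEY:
#   check_host_files . eidola "$KEY" && echo "preflight ok"
#   check_pw_hash "$(gen_pw_hash 'correct horse battery staple')" && echo "hash ok"
```

`gen_pw_hash` captures the hash with `$(...)` on purpose: that is what removes the newline `mkpasswd` prints, so the value can be pasted into the sops file as-is. `check_host_files` reports every missing piece before returning non-zero rather than stopping at the first, which is what you want when running it once after all of steps 5 through 10.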

Deploying changes remotely

  1. Make your changes.
  2. `nix flake check`
  3. `deploy`; if you are making breaking network changes that require it, `deploy --magic-rollback false`. With magic rollback disabled, a deployment that breaks connectivity will not be reverted automatically, so have out-of-band access to the host ready.
  4. Commit to Git once everything works.