
This repository contains the completely declarative and reproducible configuration to deploy a server hosting the „beherbergung“ service, plus the basic infrastructure needed for reliability and maintainability. Most of the service definitions should be reusable with minimal adaptation for completely different projects.

Secrets are encrypted with sops.


Once the servers are installed following the bootstrap instructions, rolling out configuration changes to all servers is trivial. As a developer with an authorized key, call:

nix run


To update all flakes and redeploy, call:

nix flake update
nix run


To set up a new server:

  1. boot a NixOS image
  2. mount the future / to /mnt
  3. copy this repo to /mnt/etc/nixos
  4. check flake.nix and hosts/$HOSTNAME/*configuration.nix
     • set a correct static IPv6 address
  5. nixos-install:

nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"

  6. set up sops:

6.1. add the new host's key to the sops config

nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc

6.2. add the pubkey to the developers' keyring

gpg --import sops/keys/hosts/$HOSTNAME.asc

6.3. edit secrets + use them

nix shell .#sops --command sops sops/secrets/*
edit modules/sops.nix
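As an added illustration of what step 6.3 wires together (this is example code, not the repository's own modules/sops.nix), the following sops-nix module decrypts an htpasswd file with the host's PGP identity derived from its SSH RSA key (the key exported in step 6.1) and hands it to nginx as a basicAuth file. The secrets file name, secret name, virtual host and upstream address are assumptions.

```nix
# Example sops-nix module (not the repository's own file); option names are
# sops-nix's and nixpkgs', all paths, names and addresses are assumptions.
{ config, ... }:
{
  # Encrypted secrets are committed to the repo; only keys listed in
  # .sops.yaml (host PGP keys, developer age/PGP keys) can decrypt them.
  sops.defaultSopsFile = ../sops/secrets/web.yaml;   # assumed file name

  # Decrypt at boot with the PGP key derived from the host's SSH RSA key,
  # the same key that ssh-to-pgp exported in step 6.1.
  sops.gnupg.sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ];

  # htpasswd-format credentials for nginx basic auth. sops-nix places the
  # plaintext under /run/secrets, readable only by the nginx user, so the
  # secret never lands in the world-readable Nix store.
  sops.secrets."nginx-basic-auth" = {
    owner = config.services.nginx.user;
    mode = "0400";
  };

  services.nginx.virtualHosts."beherbergung.example" = {   # assumed vhost
    forceSSL = true;       # credentials must only ever cross TLS
    enableACME = true;
    basicAuthFile = config.sops.secrets."nginx-basic-auth".path;
    locations."/".proxyPass = "http://127.0.0.1:8080";      # assumed upstream
  };
}
```

After `nix run` deploys the change, `ls -l /run/secrets/nginx-basic-auth` on the host should show mode 0400 owned by the nginx user, and an unauthenticated request to the vhost should get a 401.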

Ensure that outgoing SMTP is permitted by your hoster:

openssl s_client -connect -starttls smtp
openssl s_client -connect