You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Johannes Lötzsch 857120f799 deployment: serve 5 months ago
hosts deployment: configure firewall for nginx ingress 5 months ago
modules deployment: serve 5 months ago
sops deployment: sops + basicAuth 5 months ago
.sops.yaml deployment: age key of mic 5 months ago deployment: added server config 5 months ago deployment: added server config 5 months ago

This repository contains the completely declarative+reproducible configurations to deploy a server hosting the „beherbergung“ service and basic infrastructure for reliabiliy+maintainability. Most of the service definitions should re reusable with minimal adaptions for completely different projects.

Secrets are encrypted with sops.


Once the servers are installed following the bootstrap instructions, the roll out of configuration changes on all servers is trivial. As a developer with an authorized key, call:

nix run


To update all flakes and redeploy, call:

nix flake update
nix run


To setup a new server:

  1. boot a nixos image
  2. mount the future / to /mnt
  3. copy this repo to /mnt/etc/nixos
  4. check flake.nix and hosts/$HOSTNAME/*configuration.nix
  • set a correct static ipv6
  1. nixos-install:
nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"
  1. setup sops:

6.1. add the new hosts key to sops config

nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc

6.2. add pubkey to the developers keyring

gpg --import sops/keys/hosts/$HOSTNAME.asc

6.3. edit secrets + use them

nix shell .#sops --command sops sops/secrets/*
edit modules/sops.nix

Ensure, outgoing SMTP is permitted by your hoster:

openssl s_client -connect -starttls smtp
openssl s_client -connect