72 lines
1.7 KiB
Markdown
72 lines
1.7 KiB
Markdown
This repository contains the completely declarative+reproducible configurations to deploy a server hosting the „beherbergung“ service and basic infrastructure for reliabiliy+maintainability.
|
|
Most of the service definitions should re reusable with minimal adaptions for completely different projects.
|
|
|
|
* CI/CD
|
|
* buildcache
|
|
* [monitoring + alerting](./modules/monitoring/README.md)
|
|
* backup
|
|
* dns
|
|
* reverse proxy + acme
|
|
|
|
Secrets are encrypted with sops.
|
|
|
|
## Deploy
|
|
|
|
Once the servers are installed following [the bootstrap instructions](#bootstrap), the roll out of configuration changes on all servers is trivial.
|
|
As a developer with an [authorized key](./modules/hetzner.nix), call:
|
|
|
|
```shell
|
|
nix run
|
|
```
|
|
|
|
## Update
|
|
|
|
To update all flakes and redeploy, call:
|
|
|
|
```shell
|
|
nix flake update
|
|
nix run
|
|
```
|
|
|
|
## Bootstrap
|
|
|
|
To setup a new server:
|
|
1. boot a nixos image
|
|
2. mount the future / to /mnt
|
|
3. copy this repo to /mnt/etc/nixos
|
|
4. check flake.nix and hosts/$HOSTNAME/\*configuration.nix
|
|
- set a correct static ipv6
|
|
5. nixos-install:
|
|
|
|
```shell
|
|
nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"
|
|
```
|
|
|
|
6. setup sops:
|
|
|
|
6.1. add the new hosts key to sops config
|
|
|
|
```shell
|
|
nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
|
|
edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc
|
|
```
|
|
|
|
6.2. add pubkey to the developers keyring
|
|
```shell
|
|
gpg --import sops/keys/hosts/$HOSTNAME.asc
|
|
```
|
|
|
|
6.3. edit secrets + use them
|
|
|
|
```shell
|
|
nix shell .#sops --command sops sops/secrets/*
|
|
edit modules/sops.nix
|
|
```
|
|
|
|
## Ensure, outgoing SMTP is permitted by your hoster:
|
|
|
|
```shell
|
|
openssl s_client -connect smtp.1und1.de:587 -starttls smtp
|
|
openssl s_client -connect smtp.1und1.de:465
|
|
```
|