1.7 KiB
1.7 KiB
This repository contains the completely declarative+reproducible configurations to deploy a server hosting the „beherbergung“ service and basic infrastructure for reliabiliy+maintainability. Most of the service definitions should re reusable with minimal adaptions for completely different projects.
- CI/CD
- buildcache
- monitoring + alerting
- backup
- dns
- reverse proxy + acme
Secrets are encrypted with sops.
Deploy
Once the servers are installed following the bootstrap instructions, the roll out of configuration changes on all servers is trivial. As a developer with an authorized key, call:
nix run
Update
To update all flakes and redeploy, call:
nix flake update
nix run
Bootstrap
To setup a new server:
- boot a nixos image
- mount the future / to /mnt
- copy this repo to /mnt/etc/nixos
- check flake.nix and hosts/$HOSTNAME/*configuration.nix
- set a correct static ipv6
- nixos-install:
nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"
- setup sops:
6.1. add the new hosts key to sops config
nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc
6.2. add pubkey to the developers keyring
gpg --import sops/keys/hosts/$HOSTNAME.asc
6.3. edit secrets + use them
nix shell .#sops --command sops sops/secrets/*
edit modules/sops.nix
Ensure, outgoing SMTP is permitted by your hoster:
openssl s_client -connect smtp.1und1.de:587 -starttls smtp
openssl s_client -connect smtp.1und1.de:465