Kaare Hoff Skovgaard cd8a0db1b6
Begin reverting back to simple-nixos-mailserver
It appears I can get app passwords with kanidm and ldap
so just going to a more stable, probably supported setup,
should be good.
2025-07-28 12:02:24 +02:00

Nix Machines

This is my repository for all my various machines running NixOS (or using nix-darwin).

It is an attempt to unify the provisioning of software and cloud resources that has to happen for each machine, so that every instance is brought up with the same set of commands.

On a desktop machine, simply running nixos-install as usual should suffice.

Servers

To provision the cloud resources needed and install NixOS, run:

nix run '.#create-instance' -- <hostname>

This runs the provision.pre Terraform code to ensure the cloud resources exist, on either Hetzner or OpenStack. It also selects the appropriate secrets backend to fetch secrets from: in general every server uses Vault (OpenBAO) as the backend, except for the server hosting OpenBAO itself. Finally it installs NixOS.

When making changes to e.g. the AppRole needed, and needing to provision the instance again (but not install NixOS again, as that won't work), run:

nix run '.#provision-instance' -- <hostname>

To update the NixOS config on an instance:

nix run '.#update-instance' -- <hostname>

To delete the resources again, run:

nix run '.#destroy-instance' -- <hostname>

Secrets

To transfer the secrets OpenTofu needs from Bitwarden to OpenBAO/Vault, run:

nix run '.#bitwarden-to-vault'

Bootstrapping

security.kaareskovgaard.net

The first instance to create is security.kaareskovgaard.net, as it hosts the OpenBAO that is used to deploy all the other instances.

First read the README for that instance regarding the bootstrapping process (it involves flipping a boolean switch in the configuration). Then:

nix run '.#create-instance' -- security.kaareskovgaard.net
nix run '.#configure-instance' -- security.kaareskovgaard.net

Then unbootstrap the instance and run:

nix run '.#update-instance' -- security.kaareskovgaard.net
nix run '.#configure-instance' -- security.kaareskovgaard.net

monitoring.kaareskovgaard.net

Every instance attempts to send logs and metrics to the monitoring instance, so it should be created next. This should be a simple:

nix run '.#create-instance' -- monitoring.kaareskovgaard.net

The rest

At this point every other instance can be brought up; the create-instance command should be all that is needed.