diff --git a/README.md b/README.md
index a386736..37da4a3 100644
--- a/README.md
+++ b/README.md
@@ -10,12 +10,35 @@ services:
 - caddy (reverse proxy)
 - grafana/prometheus (status.extremist.software)
-deploy:
-`nix run github:nix-community/nixos-anywhere -- --flake .#extremist-software --impure root@`
+## Deployment
-secrets:
-1. copy `secrets.nix.example` to `secrets.nix`.
-2. fill in values (generate random keys for searx/tailscale).
-3. `tailscaleKey` must be a **reusable** key.
+This repository uses **untracked secrets**, so you must build the system locally before deploying.
-repo uses `impure` build to load `secrets.nix` directly. no encrypted secrets in git.
+### 1. Setup Secrets
+1. `cp secrets/secrets.nix.example secrets/secrets.nix`
+2. Fill in the values (generate random keys, etc). - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.
+
+### 2. Initial Install (Wite & Install)
+Run this command to build and deploy. **Warning: Wipes the server disk.**
+
+```bash
+# Replace with your server's IP
+nix run github:nix-community/nixos-anywhere -- --store-paths \
+ $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
+ $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
+ root@ | tee install.log
+```
+
+### 3. Update Existing Server (No Wipe)
+Once the server is running NixOS, use `nixos-rebuild` to push updates. This is faster and doesn't wipe data.
+
+```bash
+# Update via IP
+nixos-rebuild switch --flake path:.#extremist-software --target-host root@ --impure
+
+# Update via Tailscale (Once tailored up)
+nixos-rebuild switch --flake path:.#extremist-software --target-host root@extremist-software --impure
+```
+
+repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git.
diff --git a/configuration.nix b/configuration.nix
index cb21b82..2d0850e 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -58,4 +58,9 @@
 # Secrets handled via ./secrets.nix importing to config.mySecrets
 environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;
 services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
+
+ # Allow Tailscale traffic
+ networking.firewall.trustedInterfaces = [ "tailscale0" ];
+ # Required for Tailscale subnet routing and exit nodes, and often helpful for connectivity
+ networking.firewall.checkReversePath = "loose";
 }
diff --git a/system b/system
deleted file mode 120000
index 5b3054d..0000000
--- a/system
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/4yqza1r8m2ds7nr52838iysp0nx742np-nixos-system-extremist-software-26.05.20260217.0182a36
\ No newline at end of file
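Review bot: `networking.firewall.trustedInterfaces = [ "tailscale0" ]` switches the firewall off entirely for the tailnet interface, so every listening service on this host (the caddy/grafana/prometheus/searx stack the README lists) becomes reachable from any device or shared node on the tailnet, not just the ports that were deliberately exposed. Prefer the interface-scoped allow list with only what is needed — the README's `--target-host root@extremist-software` step implies SSH over Tailscale, so something like `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` plus whichever admin ports are meant to be tailnet-only. The `checkReversePath = "loose"` line weakens reverse-path filtering host-wide; it is only needed when this host advertises routes or acts as an exit node (in which case `services.tailscale.useRoutingFeatures` already sets it), and nothing visible in this hunk enables that, so I would drop it unless the rest of the file does. Separately, the unchanged `environment.etc."secrets/tailscale-auth".text` context line above writes the reusable auth key into the world-readable Nix store, so the README's "no encrypted secrets in git" does not mean the key is protected on the host; worth a comment here such as `# NOTE: .text lands in /nix/store (world-readable); consider sops-nix/agenix` until it is moved to a secrets manager.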