# extremist software

nixos config for the hetzner vps.

services:

- forgejo (git.extremist.software)
- stalwart (mail.extremist.software)
- searxng (search.extremist.software)
- conduit (matrix.extremist.software)
- caddy (reverse proxy)
- grafana/prometheus (status.extremist.software)

## Deployment

This repository uses **untracked secrets**, so you must build the system locally before deploying.

### 1. Setup Secrets

1. `cp secrets/secrets.nix.example secrets/secrets.nix`
2. Fill in the values (generate random keys, etc.).
   - `openssl rand -base64 32` is a good way to make a new key
   - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.

### 2. Verify Configuration Locally

Because `secrets/secrets.nix` is untracked by git, the standard `nix flake check` will fail. To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run:

```bash
nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run
```

### 3. Initial Install (Wipe & Install)

Run this command to build and deploy. **Warning: Wipes the server disk.**

```bash
# Replace <server-ip> with your server's IP
nix run github:nix-community/nixos-anywhere -- --store-paths \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
  root@<server-ip> | tee install.log
```

### 4. Update Existing Server (No Wipe)

Once the server is running NixOS, use `nh` to push updates. This repository provides `nh` via `direnv` (loaded from the `flake.nix` devShell), so just run `direnv allow` first.

```bash
# Update via IP (replace <server-ip>)
nh os switch --hostname extremist-software --target-host root@<server-ip> --impure path:.

# Update via Tailscale (once Tailscale is up)
nh os switch --hostname extremist-software --target-host root@extremist-software --impure path:.
```

The repo uses an `--impure` build to load `secrets/secrets.nix` directly. There are no encrypted secrets in git.
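Because the secrets file is loaded impurely and kept out of git, the two things worth checking before step 2's build are that no value was left at its `.example` template default and that `secrets/secrets.nix` is actually ignored. The following pre-deploy guard is an added example, not part of this repository; it assumes the secrets file is a flat attribute set of `name = "value";` lines and that the ignore rule lives in a top-level `.gitignore`.

```sh
#!/bin/sh
# Added example (not from this repo): pre-deploy guard for secrets/secrets.nix.
# Fails when a value is empty, still equals the secrets.nix.example template,
# or when the file is not listed in .gitignore.
# Assumes secrets are plain `name = "value";` lines in a flat attribute set.

# Emit "name value" pairs for the string attributes in a nix file.
nix_pairs() {
  sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1 \2/p' "$1"
}

# check_secrets REPO_DIR -> 0 if it is safe to run the impure build, 1 otherwise.
check_secrets() {
  repo=${1:-.}
  secrets=$repo/secrets/secrets.nix
  example=$repo/secrets/secrets.nix.example
  status=0
  [ -f "$secrets" ] || { echo "missing $secrets (copy the .example first)" >&2; return 1; }
  # The file is read with --impure from the working tree and must never be committed.
  grep -qx 'secrets/secrets.nix' "$repo/.gitignore" 2>/dev/null ||
    { echo "secrets/secrets.nix is not listed in .gitignore" >&2; status=1; }
  nix_pairs "$secrets" | while read -r name value; do
    if [ -z "$value" ]; then
      echo "$name is empty" >&2; exit 1
    fi
    if nix_pairs "$example" | grep -qxF "$name $value"; then
      echo "$name still holds the template value" >&2; exit 1
    fi
  done || status=1
  return $status
}

# make_fixture DIR -> writes a constructed repo layout (sample data, not real keys).
make_fixture() {
  mkdir -p "$1/secrets"
  printf 'secrets/secrets.nix\n' > "$1/.gitignore"
  printf '{\n  tailscaleKey = "tskey-auth-CHANGEME";\n  forgejoSecret = "CHANGEME";\n}\n' \
    > "$1/secrets/secrets.nix.example"
  printf '{\n  tailscaleKey = "tskey-auth-constructed-reusable";\n  forgejoSecret = "constructed-value-0123456789-not-a-real-key";\n}\n' \
    > "$1/secrets/secrets.nix"
}

# Usage from the repo root: . ./check-secrets.sh && check_secrets . && <step 2 build>
```

`make_fixture` exists only so the guard can be exercised against constructed files; in real use point `check_secrets` at the checkout.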