# extremist software

nixos config for the hetzner vps.

services:

- forgejo (git.extremist.software)
- stalwart (mail.extremist.software)
- searxng (search.extremist.software)
- synapse (matrix.extremist.software)
- grafana/prometheus/blackbox exporter (status.extremist.software)
- uptime redirect to status.extremist.software (uptime.extremist.software)
- ntfy (ntfy.extremist.software)
- mymx (mymx.extremist.software)
- caddy (reverse proxy + rate limiting)
- fail2ban
## Deployment

Secrets are managed with agenix — encrypted in git, decrypted on the server at runtime.

### 1. Setup Secrets

Key mapping is in `agenix.nix`. The `agenix` CLI and the `RULES` env var are provided by the devShell via direnv.

```sh
direnv allow
agenix -e secrets/forgejo-db.age
agenix -e secrets/stalwart-admin.age
agenix -e secrets/searx-env.age        # SEARXNG_SECRET=<value>
agenix -e secrets/tailscale-key.age
agenix -e secrets/grafana-secret.age
agenix -e secrets/matrix-macaroon.age  # macaroon_secret_key: "<value>"
agenix -e secrets/ntfy-admin-hash.age
agenix -e secrets/mymx-webhook.age
```

To edit an existing secret, run the same command again.
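A pre-commit sanity check for the layout above, added here as an example and not part of this repository: it confirms that every file under `secrets/` carries an age header (so no plaintext ever lands in git) and that every `secrets/<name>.age` listed in `agenix.nix` actually exists. It assumes the standard agenix RULES form `"secrets/<name>.age".publicKeys = [ ... ]` and builds a constructed demo tree with placeholder keys; the function names are my own.

```shell
#!/bin/sh
# Added check (not from this repo): verify that everything under secrets/ is
# really age-encrypted before it is committed, and that every secrets/<name>.age
# referenced in agenix.nix exists. Assumes the standard agenix RULES layout,
# i.e. entries of the form "secrets/<name>.age".publicKeys = [ ... ];

# True if the file starts with an age header (binary or ASCII-armored form).
is_age_encrypted() {
  head -c 34 "$1" | grep -q -e '^age-encryption.org/v1' -e '^-----BEGIN AGE ENCRYPTED FILE-----'
}

# Report every regular file in the directory that lacks an age header.
check_secrets_dir() {
  dir="$1"; bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    is_age_encrypted "$f" || { echo "NOT ENCRYPTED: $f" >&2; bad=1; }
  done
  return $bad
}

# Report every secrets/<name>.age named in the rules file that is missing on disk.
check_rules_file() {
  rules="$1"; root="$2"; missing=0
  for p in $(grep -o '"secrets/[^"]*\.age"' "$rules" | tr -d '"'); do
    [ -f "$root/$p" ] || { echo "MISSING: $p (listed in $rules)" >&2; missing=1; }
  done
  return $missing
}

# Constructed demo tree: one valid secret, one plaintext mistake, and a rules
# file with placeholder keys that also lists a secret nobody has created yet.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir "$d/secrets"
  printf 'age-encryption.org/v1\n-> X25519 placeholder\n' > "$d/secrets/forgejo-db.age"
  printf 'SEARXNG_SECRET=oops-committed-in-plaintext\n' > "$d/secrets/searx-env.age"
  cat > "$d/agenix.nix" <<'EOF'
let admin = "ssh-ed25519 AAAA-placeholder-admin-key";
in {
  "secrets/forgejo-db.age".publicKeys = [ admin ];
  "secrets/searx-env.age".publicKeys = [ admin ];
  "secrets/tailscale-key.age".publicKeys = [ admin ];
}
EOF
  echo "$d"
}

# Usage against the real checkout: check_secrets_dir secrets && check_rules_file agenix.nix .
```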
### 2. Verify Configuration

```sh
nix flake check
```

### 3. Initial Install (Wipe & Install)

Warning: Wipes the server disk.

```sh
nix run github:nix-community/nixos-anywhere -- --store-paths \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --print-out-paths --no-link) \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --print-out-paths --no-link) \
  root@<TARGET_IP> | tee install.log
```

### 4. Update Existing Server

`nhs` and `nh` are provided via direnv.

```sh
nhs
```