extremist software
nixos config for the hetzner vps.
services:
- forgejo (git.extremist.software)
- stalwart (mail.extremist.software)
- searxng (search.extremist.software)
- conduit (matrix.extremist.software)
- caddy (reverse proxy)
- grafana/prometheus (status.extremist.software)
Deployment
This repository uses untracked secrets, so you must build the system locally before deploying.
1. Setup Secrets
cp secrets/secrets.nix.example secrets/secrets.nix
- Fill in the values (generate random keys, etc).
- openssl rand -base64 32 is a good way to make a new key
- tailscaleKey must be a Reusable key from the Tailscale admin console.
2. Verify Configuration Locally
Because secrets/secrets.nix is untracked by git, standard nix flake check will fail.
To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run:
nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run
3. Initial Install (Wipe & Install)
Run this command to build and deploy. Warning: Wipes the server disk.
# Replace <TARGET_IP> with your server's IP
nix run github:nix-community/nixos-anywhere -- --store-paths \
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
root@<TARGET_IP> | tee install.log
4. Update Existing Server (No Wipe)
Once the server is running NixOS, use nixos-rebuild to push updates. This is faster and doesn't wipe data.
# Update via IP
nixos-rebuild switch --flake path:.#extremist-software --target-host root@<TARGET_IP> --impure
# Update via Tailscale (once Tailscale is up)
nixos-rebuild switch --flake path:.#extremist-software --target-host root@extremist-software --impure
repo uses impure build to load secrets/secrets.nix directly. no encrypted secrets in git.
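Because secrets/secrets.nix sits in the working tree as plaintext, a pre-deploy check can confirm it has stayed out of git and is readable only by its owner. This is an added example, not part of the original repo; the function name check_secrets_file and the expectation of a .gitignore rule for the file are assumptions.

```shell
#!/bin/sh
# Added example: pre-deploy check for the untracked secrets file.
# Assumption: $1 is the repo root (defaults to the current directory).
SECRETS_REL="secrets/secrets.nix"

# Prints one line per problem found; returns 0 only when there are none.
check_secrets_file() {
    repo="${1:-.}"
    file="$repo/$SECRETS_REL"
    problems=0

    if [ ! -f "$file" ]; then
        echo "missing: $SECRETS_REL (copy it from secrets/secrets.nix.example)"
        return 1
    fi

    # Tracked in the index: the next commit and push would publish the keys.
    if git -C "$repo" ls-files --error-unmatch -- "$SECRETS_REL" >/dev/null 2>&1; then
        echo "tracked: $SECRETS_REL is in the git index"
        problems=$((problems + 1))
    fi

    # Present in any past commit: deleting the file later does not remove it
    # from history, so keys that were committed once must be rotated.
    if [ -n "$(git -C "$repo" log --all --format=%h -- "$SECRETS_REL" 2>/dev/null)" ]; then
        echo "history: $SECRETS_REL appears in at least one commit"
        problems=$((problems + 1))
    fi

    # No ignore rule: a broad 'git add -A' would stage the file.
    if ! git -C "$repo" check-ignore -q --no-index -- "$SECRETS_REL" 2>/dev/null; then
        echo "not-ignored: no .gitignore rule covers $SECRETS_REL"
        problems=$((problems + 1))
    fi

    # Group/other permission bits set: other local users can read the keys.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "mode: $SECRETS_REL is accessible to group or others (chmod 600)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Call `check_secrets_file .` from the repo root before the nix build step. A `history:` line means the keys in that file were committed at some point and should be regenerated.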