62 lines
1.7 KiB
Markdown
62 lines
1.7 KiB
Markdown
# extremist software
|
|
|
|
nixos config for the hetzner vps.
|
|
|
|
services:
|
|
- forgejo (git.extremist.software)
|
|
- stalwart (mail.extremist.software)
|
|
- searxng (search.extremist.software)
|
|
- synapse (matrix.extremist.software)
|
|
- grafana/prometheus (status.extremist.software)
|
|
- uptime-kuma (uptime.extremist.software)
|
|
- ntfy (ntfy.extremist.software)
|
|
- mymx (mymx.extremist.software)
|
|
- caddy (reverse proxy + rate limiting)
|
|
- fail2ban
|
|
|
|
## Deployment
|
|
|
|
Secrets are managed with [agenix](https://github.com/ryantm/agenix) — encrypted in git, decrypted on the server at runtime.
|
|
|
|
### 1. Setup Secrets
|
|
|
|
Key mapping is in `agenix.nix`. The `agenix` CLI and `RULES` env var are provided by the devShell via direnv.
|
|
|
|
```bash
|
|
direnv allow
|
|
agenix -e secrets/forgejo-db.age
|
|
agenix -e secrets/stalwart-admin.age
|
|
agenix -e secrets/searx-env.age # SEARXNG_SECRET=<value>
|
|
agenix -e secrets/tailscale-key.age
|
|
agenix -e secrets/grafana-secret.age
|
|
agenix -e secrets/matrix-macaroon.age # macaroon_secret_key: "<value>"
|
|
agenix -e secrets/ntfy-admin-hash.age
|
|
agenix -e secrets/mymx-webhook.age
|
|
```
|
|
|
|
To edit an existing secret, run the same command again.
|
|
|
|
### 2. Verify Configuration
|
|
|
|
```bash
|
|
nix flake check
|
|
```
|
|
|
|
### 3. Initial Install (Wipe & Install)
|
|
|
|
**Warning: Wipes the server disk.**
|
|
|
|
```bash
|
|
nix run github:nix-community/nixos-anywhere -- --store-paths \
|
|
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --print-out-paths --no-link) \
|
|
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --print-out-paths --no-link) \
|
|
root@<TARGET_IP> | tee install.log
|
|
```
|
|
|
|
### 4. Update Existing Server
|
|
|
|
`nhs` and `nh` are provided via direnv.
|
|
|
|
```bash
|
|
nhs
|
|
```
|