jet/extremist-software
jet/extremist-software
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
24 commits 1 branch 0 tags 393 KiB
Find a file
Jet Pham bb20443241
fix: rate limits, fail2ban, readme, secret scheme
2026-03-04 16:50:43 -08:00
modules fix: rate limits, fail2ban, readme, secret scheme 2026-03-04 16:50:43 -08:00
secrets fix: rate limits, fail2ban, readme, secret scheme 2026-03-04 16:50:43 -08:00
services/mymx feat: create mymx service 2026-03-04 15:08:44 -08:00
.envrc feat: use nh to keep 2 gens and to deploy builds 2026-02-27 16:38:15 -08:00
.gitignore feat: create mymx service 2026-03-04 15:08:44 -08:00
configuration.nix fix: rate limits, fail2ban, readme, secret scheme 2026-03-04 16:50:43 -08:00
disk-config.nix initial commit 2026-02-16 21:29:21 -08:00
flake.lock feat: create mymx service 2026-03-04 15:08:44 -08:00
flake.nix feat: create mymx service 2026-03-04 15:08:44 -08:00
README.md fix: rate limits, fail2ban, readme, secret scheme 2026-03-04 16:50:43 -08:00

README.md

extremist software

nixos config for the hetzner vps.

services:

  • forgejo (git.extremist.software)
  • stalwart (mail.extremist.software)
  • searxng (search.extremist.software)
  • synapse (matrix.extremist.software)
  • grafana/prometheus (status.extremist.software)
  • uptime-kuma (uptime.extremist.software)
  • ntfy (ntfy.extremist.software)
  • mymx (mymx.extremist.software)
  • caddy (reverse proxy + rate limiting)
  • fail2ban

Deployment

This repository uses untracked secrets, so you must build the system locally before deploying.

1. Setup Secrets

  1. cp secrets/secrets.nix.example secrets/secrets.nix
  2. Fill in the values (generate random keys, etc).
    • openssl rand -base64 32 is a good way to make a new key
    • tailscaleKey must be a Reusable key from the Tailscale admin console.

2. Verify Configuration Locally

Because secrets/secrets.nix is untracked by git, standard nix flake check will fail. To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run:

nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run

3. Initial Install (Wipe & Install)

Run this command to build and deploy. Warning: Wipes the server disk.

# Replace <TARGET_IP> with your server's IP
nix run github:nix-community/nixos-anywhere -- --store-paths \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
  root@<TARGET_IP> | tee install.log

4. Update Existing Server (No Wipe)

Once the server is running NixOS, use the nhs script to push updates. This repository provides nhs and nh via direnv (loaded from flake.nix devShell), so just run direnv allow first.

# Update via Tailscale (uses nhs convenience script)
nhs

# Or manually via IP
nh os switch --hostname extremist-software --target-host root@<TARGET_IP> --impure path:.

repo uses impure build to load secrets/secrets.nix directly. no encrypted secrets in git.