57 lines
2.2 KiB
Markdown
# extremist software
nixos config for the hetzner vps.
services:

- forgejo (git.extremist.software)
- stalwart (mail.extremist.software)
- searxng (search.extremist.software)
- synapse (matrix.extremist.software)
- grafana/prometheus (status.extremist.software)
- uptime-kuma (uptime.extremist.software)
- ntfy (ntfy.extremist.software)
- mymx (mymx.extremist.software)
- caddy (reverse proxy + rate limiting)
- fail2ban

## Deployment
This repository uses **untracked secrets**, so you must build the system locally before deploying.
### 1. Set Up Secrets

1. `cp secrets/secrets.nix.example secrets/secrets.nix`
2. Fill in the values (generate random keys, etc.).
   - `openssl rand -base64 32` is a good way to make a new key.
   - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.

### 2. Verify Configuration Locally

Because `secrets/secrets.nix` is untracked by git, the standard `nix flake check` will fail.

To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run:

```bash
nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run
```

### 3. Initial Install (Wipe & Install)

Run this command to build and deploy. **Warning: Wipes the server disk.**

```bash
# Replace <TARGET_IP> with your server's IP
nix run github:nix-community/nixos-anywhere -- --store-paths \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
  $(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
  root@<TARGET_IP> | tee install.log
```

### 4. Update Existing Server (No Wipe)

Once the server is running NixOS, use the `nhs` script to push updates. This repository provides `nhs` and `nh` via `direnv` (loaded from the `flake.nix` devShell), so run `direnv allow` first.

```bash
# Update via Tailscale (uses the nhs convenience script)
nhs

# Or manually via IP
nh os switch --hostname extremist-software --target-host root@<TARGET_IP> --impure path:.
```

The repo uses an `--impure` build so that `secrets/secrets.nix` can be loaded directly; no encrypted secrets are kept in git.
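Every step above depends on `secrets/secrets.nix` being present, fully filled in, untracked and not world-readable before the `--impure` build runs, and nothing in the flow checks that. The POSIX shell pre-flight check below is an added example, not a script from this repository. It assumes the file and template paths named in this README, that the file is kept out of git through a `.gitignore` entry, and that unfilled template values read `CHANGEME` (a constructed convention; the real `secrets.nix.example` may use different placeholders). `grafanaAdminPassword` is a constructed attribute name used only for the fixture.

```sh
#!/bin/sh
# Added example (not part of this repository): pre-flight check for the
# untracked secrets file before an --impure build or deploy.
# Assumptions: secrets/secrets.nix is the live file, secrets/secrets.nix.example
# the template, the live file is ignored via .gitignore, and unfilled template
# values are literally "CHANGEME" (constructed convention).

# check_secrets REPO_DIR: return 0 only when the secrets file exists, is
# ignored by git, is readable by its owner alone, and has no placeholders.
check_secrets() {
  repo="$1"
  rel="secrets/secrets.nix"
  f="$repo/$rel"

  [ -f "$f" ] || { echo "missing $rel (cp secrets/secrets.nix.example $rel)"; return 1; }

  # The deployment flow depends on the file never being committed.
  grep -qxF "$rel" "$repo/.gitignore" 2>/dev/null \
    || { echo "$rel is not listed in .gitignore"; return 1; }
  if [ -d "$repo/.git" ] && command -v git >/dev/null 2>&1 \
     && git -C "$repo" ls-files --error-unmatch "$rel" >/dev/null 2>&1; then
    echo "$rel is tracked by git despite .gitignore"; return 1
  fi

  # The file holds API keys and passwords in clear text: owner-only access.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$rel has mode $mode; want 600"; return 1 ;;
  esac

  # A leftover CHANGEME means a template value was never replaced.
  if grep -q 'CHANGEME' "$f"; then
    echo "$rel still contains template placeholders"; return 1
  fi
  echo "$rel looks ready for an --impure build"
  return 0
}

# write_fixture DIR VARIANT: create a constructed repo layout for testing.
# VARIANT "filled" sets every value; "placeholder" leaves tailscaleKey unfilled.
write_fixture() {
  dir="$1"
  variant="$2"
  mkdir -p "$dir/secrets"
  printf 'secrets/secrets.nix\n' > "$dir/.gitignore"
  if [ "$variant" = "filled" ]; then
    ts='tskey-auth-EXAMPLE-constructed-value'
  else
    ts='CHANGEME'
  fi
  # grafanaAdminPassword is a constructed attribute name, not one from this repo.
  printf '{\n  tailscaleKey = "%s";\n  grafanaAdminPassword = "%s";\n}\n' \
    "$ts" 'constructed-example-password' > "$dir/secrets/secrets.nix"
  chmod 600 "$dir/secrets/secrets.nix"
}

# Demonstration against throwaway fixtures. Against a real checkout, call:
#   check_secrets "$(git rev-parse --show-toplevel)"
tmp=$(mktemp -d)
write_fixture "$tmp" filled
check_secrets "$tmp" || echo "unexpected failure"
write_fixture "$tmp" placeholder
check_secrets "$tmp" || echo "rejected, as intended"
rm -rf "$tmp"
```

Running `check_secrets` from the direnv shell before `nhs` or the nixos-anywhere command turns the README's "must be untracked" rule into something that fails loudly instead of silently building a system with an empty Tailscale key or a committed password file.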