Update README extension
README.md (new normal file, 95 lines)
@ -0,0 +1,95 @@
# eve-psr-nix0

This repository holds the configuration for my primary home server.

---
## details

- Defines a single node host
- Follows the latest stable nixpkgs
- Utilizes the nixpkgs-fmt code formatter
-> /flake.nix

- Provides a devShell with direnv/nix-direnv integration
- Common project scripts are packaged and then exposed via devShell/direnv
-> /shell.nix

- Allows SSH Access
- Enables the Hydra build server
- Enables the nix-serve-ng binary cache server
-> /system/services.nix

- HTTP entrypoint is an Nginx Reverse Proxy
- Automatic TLS provisioning via Let's Encrypt ACME
- Directly reference nix packages and configuration in Virtual Host definitions
-> /applcation/nginx.nix

- Monitoring stack consisting of Prometheus, Grafana, Loki, and Promtail
- Complete monitoring stack and connections are defined declaratively via Nix
-> /monitoring/*.nix

- podman & systemd container orchestration
- podman services are exposed only to localhost and are reverse proxied by Nginx
-> /application/containers.nix

- agenix for secrets encryption and management
-> /system/age.nix

## cheatsheet

### Enter the developer shell without cloning the repository:
```
$> nix develop git+https://git.eversole.co/eve-psr-nix0
$nix> # Success!
```

The rest of the cheatsheet assumes you have entered the developer shell or are using direnv:
```
$> git clone https://git.eversole.co/eve-psr-nix0
$> cd eve-psr-nix0
$> nix develop
$nix> # Success! Now we have our development dependencies.
````

### Use the developer shell alias to remotely build and deploy the configuration to eve-psr-nix0:
```
# This is it! Check the package definitions in /shell.nix for more details.
$nix> deploy
```

### Format .nix source files:
```
# This is it! Check the package definitions in /shell.nix for more details.
$nix> format
```

### Create a new agenix secret:
```
# Add a new key to the secrets.nix attribute set
$nix> $EDITOR secrets.nix
# Replace $SECRET_PATH with the actual 'secrets/$SECRET_NAME.age' path to edit the secrets file
$nix> agenix -e $SECRET_PATH
# Redeploy; the secret will now be available in /run/agenix/$SECRET_NAME on the target host
$nix> deploy
```

### Add a new agenix secret recipient:
```
# Add a named variable in the let binding; associate it in the "publicKeys" list of applicable secrets
$nix> #EDITOR secrets.nix
# Redeploy
$nix> deploy
```

## agenix

agenix ( https://github.com/ryantm/agenix ) is utilized by this project for
secret management, allowing us to include sensitive environment information
or other secrets that the deployment target may need. The files are included
directly in the nix store, but they are encrypted via/to ed25519 SSH keys
and are then decrypted on the target host.

## license and copyright

Copyright James Eversole
Refer to LICENSE file for ISC license details
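Review bot: the "Add a new agenix secret recipient" cheatsheet block goes straight from editing `secrets.nix` to `deploy`, but adding a public key to a `publicKeys` list does not touch the existing `.age` files; they stay encrypted only to the old recipients until they are re-encrypted, so the block needs a rekey step (agenix provides `agenix -r` / `--rekey` for this) between the edit and the redeploy, otherwise the new recipient, typically a new host key, cannot decrypt anything after deployment. Same block: `$nix> #EDITOR secrets.nix` uses `#` where the "Create a new agenix secret" block correctly uses `$EDITOR`; as written the line is a shell comment and opens nothing. In the details list, `-> /applcation/nginx.nix` is misspelled and inconsistent with `-> /application/containers.nix` a few lines later. Minor: the second cheatsheet block opens with three backticks and closes with four (`````); CommonMark accepts a longer closing fence, but matching them avoids surprises in other renderers.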