# eve-psr-nix0

This repository holds the configuration for my primary home server.

---
## details

- Defines a single node host
- Follows the latest stable nixpkgs
- Utilizes the nixpkgs-fmt code formatter
  -> /flake.nix

- Provides a devShell with direnv/nix-direnv integration
- Common project scripts are packaged and then exposed via devShell/direnv
  -> /shell.nix

- Allows SSH access
- Enables the Hydra build server
- Enables the nix-serve-ng binary cache server
  -> /system/services.nix

- HTTP entrypoint is an Nginx reverse proxy
- Automatic TLS provisioning via Let's Encrypt ACME
- Virtual host definitions directly reference nix packages and configuration
  -> /application/nginx.nix

- Monitoring stack consisting of Prometheus, Grafana, Loki, and Promtail
- The complete monitoring stack and its connections are defined declaratively via Nix
  -> /monitoring/*.nix

- podman & systemd container orchestration
- podman services are exposed only to localhost and are reverse proxied by Nginx
  -> /application/containers.nix

- agenix for secrets encryption and management
  -> /system/age.nix

## cheatsheet

### Enter the developer shell without cloning the repository:
```
$> nix develop git+https://git.eversole.co/eve-psr-nix0
$nix> # Success!
```

The rest of the cheatsheet assumes you have entered the developer shell or are using direnv:
```
$> git clone https://git.eversole.co/eve-psr-nix0
$> cd eve-psr-nix0
$> nix develop
$nix> # Success! Now we have our development dependencies.
```

### Use the developer shell alias to remotely build and deploy the configuration to eve-psr-nix0:
```
# This is it! Check the package definitions in /shell.nix for more details.
$nix> deploy
```

### Format .nix source files:
```
# This is it! Check the package definitions in /shell.nix for more details.
$nix> format
```

### Create a new agenix secret:
```
# Add a new key to the secrets.nix attribute set
$nix> $EDITOR secrets.nix
# Replace $SECRET_PATH with the actual 'secrets/$SECRET_NAME.age' path to edit the secrets file
$nix> agenix -e $SECRET_PATH
# Redeploy; the secret will now be available in /run/agenix/$SECRET_NAME on the target host
$nix> deploy
```

### Add a new agenix secret recipient:
```
# Add a named variable in the let binding; associate it in the "publicKeys" list of applicable secrets
$nix> $EDITOR secrets.nix
# Redeploy
$nix> deploy
```

## agenix

agenix ( https://github.com/ryantm/agenix ) is utilized by this project for
secret management, allowing us to include sensitive environment information
or other secrets that the deployment target may need. The encrypted files are
included directly in the nix store (which is world-readable), but they are
encrypted to ed25519 SSH public keys and are only decrypted on the target host,
which holds the matching private key.
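As an added example (not this repository's actual `secrets.nix`), this is what the recipient model from the cheatsheet looks like: each recipient is a named variable in the `let` binding, and each secret lists exactly the public keys allowed to decrypt it. The key strings and secret names are placeholders constructed for illustration.

```nix
# secrets.nix (constructed example; not the project's real file)
#
# agenix reads this file to learn which public keys each .age file must be
# encrypted to. Adding a recipient = add a variable here, append it to the
# publicKeys list of the secrets that recipient may read, then redeploy.
let
  # Admin workstation key used when running `agenix -e` (PLACEHOLDER value)
  james = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_ADMIN_KEY";

  # The server's own host key (/etc/ssh/ssh_host_ed25519_key.pub, PLACEHOLDER).
  # This is the key that lets the target host decrypt /run/agenix/<name>
  # at activation time; the private half never leaves the machine.
  eve-psr-nix0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_HOST_KEY";

  admins = [ james ];
  hosts = [ eve-psr-nix0 ];
in
{
  # Attribute names are paths relative to this file, matching the
  # 'secrets/$SECRET_NAME.age' convention used in the cheatsheet.
  # Scope each secret to the host(s) that actually need it: a secret only
  # the monitoring host consumes should not be decryptable by other hosts.
  "secrets/grafana-admin-password.age".publicKeys = admins ++ hosts;
  "secrets/acme-dns-api-token.age".publicKeys = admins ++ hosts;
}
```

On the host side the module behind `/system/age.nix` would declare each file as `age.secrets.<name>.file = ./secrets/<name>.age;` together with an `owner` and `mode` (for example `mode = "0400";`), so that the decrypted copy under `/run/agenix/` is readable only by the service user rather than by every user who can read the nix store.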

## license and copyright

Copyright James Eversole
Refer to the LICENSE file for ISC license details