A place for me to dump nix configs
deploy-rs is used to deploy the configurations. `-s` skips the flake checks before deploying.

```sh
# all hosts
nix run github:serokell/deploy-rs -- -s "."
# per host
nix run github:serokell/deploy-rs -- -s ".#dee"
# more explicit parameters
# note: with auto and magic rollback both disabled, a broken activation is not
# reverted automatically, so keep another way onto the host before using this
nix run github:serokell/deploy-rs -- --keep-result --auto-rollback false --magic-rollback false --activation-timeout 3600 -s ".#dee"
```
catalog.nix
is a global state file of sorts: anything that is shared across nodes is defined here so that each node can build its own config from it.

`services` is a mapping of service name to service attributes. Each service can have:

- `host`
  - The node that runs this service
- `port`
  - Port this service listens on
- `modules`
  - A list of strings naming the modules to check on the host to see whether the service is enabled
  - e.g. `[ "prometheusStack" "prometheusStack.grafana" ]` resolves to true only if both `modules.prometheusStack.enable` and `modules.prometheusStack.grafana.enable` are true on that host
  - Used to determine whether:
    - a DNS rewrite entry is created on the DNS server
    - the blackbox exporter should perform healthchecks against it
- `dashy.section`
  - What section in dashy it should fall under
- `dashy.description`
  - The description to use in dashy
- `dashy.icon`
  - The icon to display in dashy
- `blackbox.name`
  - The name to use in healthchecks, if it differs from the DNS name
- `blackbox.path`
  - The path that blackbox healthchecks should use, if it differs from the root `/`
Hosts are defined in `nodes`. The current hosts are:

- `dee`
  - Raspberry Pi 4 4GB
  - Replaced `dee_rpi3`
- `dennis`
  - VM on a Proxmox hypervisor
- `macbook`
  - MBP with nix-darwin

Each node can have these attributes:

- `ip.private`
  - Private IP address
- `ip.tailscale`
  - IP address as tailscale sees it
- `system`
  - The system architecture of this host
  - Also used to determine whether it is a NixOS or darwin (macOS) machine
- `nixosHardware`
  - Any nixos-hardware flakes that should be included on this host
- `shouldScrape`
  - Whether Prometheus should scrape this node for metrics
  - This is only temporary while I decom the non-NixOS hosts (TODO)
- `users`
  - List of users that should have home-manager configurations enabled
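The following is an added illustration of how a `catalog.nix` with the `services` and `nodes` attributes described above fits together, and of the `modules` resolution rule. It is not the repo's own file: the attribute names come from this README, but every IP, port, user name, dashy value and the two helper functions (`serviceEnabledOn`, `enabledServicesOn`) are placeholders and assumptions for the example.

```nix
# Illustrative catalog.nix (added example, not the repo's own file).
# Attribute names follow the README; all hosts' IPs, ports, users and the
# helper functions are placeholders.
{ lib, ... }:
rec {
  nodes = {
    dee = {
      ip.private = "192.0.2.10";        # placeholder (TEST-NET-1 range)
      ip.tailscale = "100.64.0.10";     # placeholder
      system = "aarch64-linux";
      nixosHardware = [ "raspberry-pi-4" ];
      shouldScrape = true;
      users = [ "alice" ];              # placeholder user
    };
    dennis = {
      ip.private = "192.0.2.20";
      ip.tailscale = "100.64.0.20";
      system = "x86_64-linux";
      shouldScrape = true;
      users = [ "alice" ];
    };
    macbook = {
      ip.tailscale = "100.64.0.30";
      system = "aarch64-darwin";        # a darwin system means a nix-darwin host
      shouldScrape = false;
      users = [ "alice" ];
    };
  };

  services = {
    grafana = {
      host = "dennis";
      port = 3000;
      modules = [ "prometheusStack" "prometheusStack.grafana" ];
      dashy = { section = "Monitoring"; description = "Dashboards"; icon = "hl-grafana"; };
      blackbox.path = "/api/health";    # probe this path instead of /
    };
    healthchecks = {
      host = "dee";
      port = 8000;
      modules = [ "healthchecks" ];
      dashy = { section = "Monitoring"; description = "Cron monitoring"; icon = "hl-healthchecks"; };
      blackbox.name = "hc";             # healthcheck name differs from the DNS name
    };
  };

  # Resolution rule from the README: a service counts as enabled on a host only
  # if every entry in `modules` has `.enable = true` under that host's
  # `config.modules`. `lib.attrByPath` with a `false` default means a module
  # that is not defined at all counts as disabled instead of throwing.
  serviceEnabledOn = hostConfig: svc:
    lib.all
      (m: lib.attrByPath (lib.splitString "." m ++ [ "enable" ]) false (hostConfig.modules or { }))
      (svc.modules or [ ]);

  # Everything a DNS or blackbox module would want for one host: the services
  # that claim to run on `hostName` and are actually enabled there.
  enabledServicesOn = hostName: hostConfig:
    lib.filterAttrs
      (_: svc: svc.host == hostName && serviceEnabledOn hostConfig svc)
      services;
}
```

With `modules.prometheusStack.enable = true` but `modules.prometheusStack.grafana.enable = false` on `dennis`, `serviceEnabledOn` returns `false` for `grafana`, so no DNS rewrite or blackbox probe would be generated for it; both flags true makes it `true`. Using a `false` default rather than `lib.getAttrFromPath` matters when a host simply does not import a module: the catalog should treat that as "not running here" rather than fail evaluation of every host.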
Updating:

- Update nix flake inputs: `nix flake update`
- Update overlays
- Update container images
Secrets are managed by agenix.
- Ensure the host or user you're on has its public key added to `secrets/secrets.nix`; a host's key is in `/etc/ssh/ssh_host_ed25519_key.pub`
- `cd` to `secrets` (agenix reads `./secrets.nix` from the current directory by default)
- Execute `nix run github:ryantm/agenix -- -e FILENAME.age`
- Add the file to git so that flakes can see it
- Reference the secret where you need it, e.g.:

```nix
age.secrets."healthchecks-secrets-file" = {
  file = ../../secrets/healthchecks-secrets-file.age;
  owner = "healthchecks";
  group = "healthchecks";
};
mySecretFile = config.age.secrets."healthchecks-secrets-file".path;
```
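As an added illustration of the first step above (not the repo's actual `secrets/secrets.nix`), this is the shape of the rules file agenix reads: each `.age` file is mapped to the public keys that can decrypt it. The key strings and the second secret name are placeholders; real values come from `/etc/ssh/ssh_host_ed25519_key.pub` on each host and from the editing user's `~/.ssh/*.pub`.

```nix
# Illustrative secrets/secrets.nix (added example, not the repo's own file).
# Every key below is a placeholder with the right shape, not a real key.
let
  # user keys: used when editing with `agenix -e`
  alice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER_USER_KEY alice";
  users = [ alice ];

  # host keys: copied from /etc/ssh/ssh_host_ed25519_key.pub on each node
  dee = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER_HOST_KEY_DEE root@dee";
  dennis = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER_HOST_KEY_DENNIS root@dennis";
in
{
  # Scope each secret to the host(s) that actually need it plus the editing
  # users. Any key listed here can decrypt the file, so listing every host on
  # every secret turns one compromised host into access to all secrets.
  "healthchecks-secrets-file.age".publicKeys = users ++ [ dee ];
  "grafana-admin-password.age".publicKeys = users ++ [ dennis ];   # placeholder secret
}
```

After adding or rotating a key in this file, existing `.age` files are still encrypted to the old key set; run `nix run github:ryantm/agenix -- -r` in `secrets` to rekey them, then commit the rewritten files.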
Explicitly setting a `sha256` attribute to an empty string makes Nix treat it as the all-zeros hash (it warns about the empty hash and assumes that value), so the fetch runs and then errors on the hash mismatch. Copy the actual hash from that error and paste it in place of the empty string:

```nix
sha256 = "";
```

Pasting the hash from the error only pins whatever was downloaded on that first fetch; where upstream publishes a checksum, compare against it before committing.

- Go here for how blank hashes are structured
- If, after updating, there are complaints about options that are no longer present, they have most likely been removed upstream and need to be removed from the config
- You can use `nixos-option` to find what options are available, and their specification
- Better file structure, look to flake-parts for this, i.e.:
  - generic Nix settings across all systems
  - generic NixOS
  - generic nix-darwin
  - host-level configs
  - generic home-manager
  - generic Linux home-manager
  - generic macOS home-manager
Resources that I've used to help create the repo, please follow them as they are more talented engineers than I!