path: root/server/SETUP.md
Diffstat (limited to 'server/SETUP.md')
-rw-r--r-- server/SETUP.md 47
1 files changed, 47 insertions, 0 deletions
diff --git a/server/SETUP.md b/server/SETUP.md
new file mode 100644
index 0000000..d187db0
--- /dev/null
+++ b/server/SETUP.md
@@ -0,0 +1,47 @@
+# Bootstrapping nix on a hetzner VM
+
+## Step 1
+
+Create VM on Hetzner using the console. Be sure to provide the
+SSH key that is present on the computer that you will be installing
+from. Choose Ubuntu as the OS.
+
+## Step 2
+
+Next, we'll use nixos-anywhere to swap ubuntu for nixos.
+
+```sh
+SERVER_ADDRESS=46.62.232.180
+nix run github:nix-community/nixos-anywhere -- --flake .#bootstrap --generate-hardware-config nixos-facter ./facter.json --target-host root@$SERVER_ADDRESS --build-on remote
+```
+
+Secrets are committed to this repo. They are encrypted using
+the server's SSH key. When we bootstrap a new server, it will
+have a new SSH key, so we need to re-encrypt the secrets file.
+
+```sh
+# activate our nix development environment, which includes
+# commands necessary for encrypting and descrypting keys
+nix develop
+
+# Copy the SSH key out from the server and convert it to the age format
+ssh-keyscan $SERVER_ADDRESS | ssh-to-age 2>1
+
+```
+Edit edit secrets/.sops.yaml, setting the server's age key.
+Then, run:
+
+```sh
+sops updatekeys secrets/secrets.yaml
+```
+
+(Aside: I created the original empty secrets file by running
+`sops edit secrets/secrets.yaml`.)
+
+## Step 3
+
+Finally, deploy the complete server configuration.
+
+```sh
+nixos-rebuild-ng switch --flake .#server --target-host root@$SERVER_ADDRESS --build-host root@$SERVER_ADDRESS
+```