# Bootstrapping NixOS on a Hetzner VM
## Step 1
Create VM on Hetzner using the console. Be sure to provide the
SSH key that is present on the computer that you will be installing
from. Choose Ubuntu as the OS.
## Step 2
Next, we'll use nixos-anywhere to swap Ubuntu for NixOS.
```sh
SERVER_ADDRESS=46.62.232.180
nix run github:nix-community/nixos-anywhere -- --flake .#bootstrap --generate-hardware-config nixos-facter ./facter.json --target-host root@$SERVER_ADDRESS --build-on remote
```
Secrets are committed to this repo. They are encrypted to the
server's SSH host key (converted to an age key). A freshly
bootstrapped server has a new host key, so we need to re-encrypt
the secrets file to it.
```sh
# activate our nix development environment, which includes
# the commands necessary for encrypting and decrypting secrets
nix develop
# Fetch the server's ed25519 host key and convert it to the age format.
# ssh-to-age only handles ed25519 keys, so ask ssh-keyscan for just that
# type and drop its "# host SSH-2.0-..." comment lines, which go to stderr.
# ssh-keyscan cannot authenticate the host: check the fingerprint out of
# band before trusting the key.
ssh-keyscan -t ed25519 $SERVER_ADDRESS 2>/dev/null | ssh-to-age
```
Edit secrets/.sops.yaml, setting the server's age key.
Then, run:
```sh
sops updatekeys secrets/secrets.yaml
```
(Aside: I created the original empty secrets file by running
`sops edit secrets/secrets.yaml`.)
## Step 3
Finally, deploy the complete server configuration.
```sh
nixos-rebuild-ng switch --flake .#server --target-host root@$SERVER_ADDRESS --build-host root@$SERVER_ADDRESS
```
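The re-keying step above depends on `ssh-to-age` turning the server's ed25519 host key into an age recipient. The following is an added example (not the repo's or ssh-to-age's own code) that performs the same conversion in pure Python, so you can see why only ed25519 host keys work: the ed25519 point is mapped to its x25519 u-coordinate and bech32-encoded under the "age" prefix. The host name and the key line it builds are constructed sample values.

```python
import base64
import struct

P = 2**255 - 19                                  # field prime shared by ed25519 and x25519
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"      # bech32 alphabet; age recipients use hrp "age"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def make_ssh_line(raw32, host="server.example"):
    """Build a constructed ssh-keyscan style line for a raw 32-byte ed25519 public key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def parse_ed25519_line(line):
    """Return the 32 raw key bytes from an 'ssh-ed25519 <base64>' field pair; reject other types."""
    fields = line.split()
    if "ssh-ed25519" not in fields:
        raise ValueError("only ssh-ed25519 host keys can become age recipients (rsa/ecdsa cannot)")
    blob = base64.b64decode(fields[fields.index("ssh-ed25519") + 1])
    tlen = struct.unpack(">I", blob[:4])[0]             # SSH wire format: string type, string key
    ktype, rest = blob[4:4 + tlen], blob[4 + tlen:]
    klen = struct.unpack(">I", rest[:4])[0]
    if ktype != b"ssh-ed25519" or klen != 32 or len(rest) != 4 + 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return rest[4:]

def ed25519_to_x25519(pub):
    """Map an ed25519 point (little-endian y, x sign in the top bit) to the x25519 u-coordinate."""
    y = int.from_bytes(pub, "little") & ((1 << 255) - 1)   # discard the x sign bit
    return (1 + y) * pow((1 - y) % P, -1, P) % P          # u = (1 + y) / (1 - y) mod p

def bech32_encode(hrp, data):
    """Plain bech32 (BIP-173 checksum, as age uses) of 8-bit data under the given hrp."""
    acc = bits = 0
    five = []
    for b in data:                                        # regroup 8-bit bytes into 5-bit symbols
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            five.append((acc >> bits) & 31)
    if bits:
        five.append((acc << (5 - bits)) & 31)
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + five + [0] * 6:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    chk ^= 1
    five += [(chk >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in five)

def ssh_line_to_age(line):
    """What ssh-to-age does for one ssh-keyscan line: ed25519 host key -> 'age1...' recipient."""
    u = ed25519_to_x25519(parse_ed25519_line(line))
    return bech32_encode("age", u.to_bytes(32, "little"))
```

The recipient it prints for a real host key line should match the output of `ssh-to-age`; paste that value into `secrets/.sops.yaml` exactly as the re-keying step describes.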