# Server Setup Instructions / Server-Einrichtungsanleitung

---

# 🇬🇧 English Instructions

## 1. Prerequisites

Ensure you have the following tools installed on your local machine:

- `nix` (with flakes enabled)
- `sops`
- `age`
- `ssh`

## 2. DNS Configuration

Configure the following DNS records for your domain `cryodev.xyz`:

| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `@` | A | `` | Main entry point |
| `@` | AAAA | `` | Main entry point (IPv6) |
| `git` | CNAME | `@` | Forgejo |
| `headscale` | CNAME | `@` | Headscale |
| `headplane` | CNAME | `@` | Headplane |
| `netdata` | CNAME | `@` | Netdata Monitoring |
| `mail` | A | `` | Mailserver |
| `mail` | AAAA | `` | Mailserver (IPv6) |
| `@` | MX | `10 mail.cryodev.xyz.` | Mail delivery |
| `@` | TXT | `"v=spf1 mx ~all"` | SPF record |
| `_dmarc` | TXT | `"v=DMARC1; p=none"` | DMARC record (`p=none` reports only and enforces nothing) |

## 3. Secret Management (SOPS)

This repository uses `sops-nix` to manage secrets. The secrets are encrypted with `age`; each server's SSH host key, converted to an age key, is one of the recipients, so the server can decrypt its own secrets at activation time.

### 3.1 Get Server Public Keys

You need to convert the servers' SSH host public keys to age public keys.

**For `cryodev-main`:**

```bash
nix-shell -p ssh-to-age --run 'ssh-keyscan -t ed25519 | ssh-to-age'
```

**For `cryodev-pi`:**

```bash
nix-shell -p ssh-to-age --run 'ssh-keyscan -t ed25519 | ssh-to-age'
```

### 3.2 Configure `.sops.yaml`

Edit the `.sops.yaml` file in the root of this repository. Add the age public keys to the `keys` section and ensure creation rules exist for both hosts.

```yaml
keys:
  - &admin_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t # Admin Key (Steffen)
  - &main_key age1... # cryodev-main Key
  - &pi_key age1... # cryodev-pi Key
creation_rules:
  - path_regex: hosts/cryodev-main/secrets.yaml$
    key_groups:
      - age:
          - *admin_key
          - *main_key
  - path_regex: hosts/cryodev-pi/secrets.yaml$
    key_groups:
      - age:
          - *admin_key
          - *pi_key
```

### 3.3 Generating Secret Values

**Mailserver Passwords (for `cryodev-main`):**

```bash
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
```

**Headplane Secrets (for `cryodev-main`):**

```bash
nix-shell -p openssl --run "openssl rand -hex 16"
# Agent Pre-Authkey requires Headscale running:
sudo headscale users create headplane-agent
sudo headscale preauthkeys create --expiration 99y --reusable --user headplane-agent
```

**Tailscale Auth Keys (for both hosts):**

*Requires Headscale running on `cryodev-main`.*

```bash
# For cryodev-main:
sudo headscale preauthkeys create --expiration 99y --reusable --user default
# For cryodev-pi:
sudo headscale preauthkeys create --expiration 99y --reusable --user default
```

**Netdata Child UUID (for `cryodev-pi`):**

```bash
uuidgen
```

**Forgejo Runner Token:** Get it from the Forgejo admin panel.

### 3.4 Creating Secrets Files

**`hosts/cryodev-main/secrets.yaml`:**

```bash
sops hosts/cryodev-main/secrets.yaml
```

```yaml
mailserver:
  accounts:
    forgejo: "$2y$05$..."
    admin: "$2y$05$..."
forgejo-runner:
  token: "..."
headplane:
  cookie_secret: "..."
  agent_pre_authkey: "..."
tailscale:
  auth-key: "..."
```

**`hosts/cryodev-pi/secrets.yaml`:**

```bash
sops hosts/cryodev-pi/secrets.yaml
```

```yaml
tailscale:
  auth-key: "..."
netdata:
  stream:
    child-uuid: "..." # Output from uuidgen
```

## 4. Initial Deployment (Bootstrap)

Before the continuous deployment can take over, you must perform an initial deployment manually using the provided install script.

### 4.1 Prepare Target Machine

1. Boot into the NixOS Installation ISO.
2. Set a root password (for SSH): `passwd`.
3. Ensure internet connectivity.
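Before the `.sops.yaml` from section 3.2 is used to encrypt the secrets files, the following check (an added example, not part of this repository) flags the two mistakes that file invites: an `age1...` placeholder left behind for a host key, and a creation rule that references an anchor the `keys:` section never defines. It assumes the one-entry-per-line layout shown above; `is_age_key` and `check_sops_yaml` are names chosen for this example.

```bash
#!/bin/sh
# Added example, not part of the repository: sanity-check .sops.yaml before
# encrypting anything with it. It catches an "age1..." placeholder left in
# the keys: section and a creation rule that references an undefined anchor.
# Assumes the layout shown in section 3.2: one "- &anchor key" per line under
# keys:, one "- *anchor" reference per line under creation_rules:.

# An age public key is "age1" followed by 58 Bech32 characters
# (digits and lowercase letters, excluding 1, b, i and o).
is_age_key() {
    printf '%s\n' "$1" | grep -Eq '^age1[02-9ac-hj-np-z]{58}$'
}

# Returns 0 when every &anchor carries a valid age key and every *anchor used
# in creation_rules is defined; otherwise reports each problem and returns 1.
check_sops_yaml() {
    file="$1"; bad=0
    # "anchor key" pairs: drop everything up to the "&", keep the first two words.
    keys=$(awk '/^[[:space:]]*-[[:space:]]*&/ { sub(/^.*&/, ""); print $1, $2 }' "$file")
    for pair in $(printf '%s\n' "$keys" | tr ' ' '='); do
        anchor=${pair%%=*}; key=${pair#*=}
        is_age_key "$key" \
            || { echo "$file: &$anchor has no valid age key: '$key'" >&2; bad=1; }
    done
    for ref in $(grep -Eo '\*[A-Za-z0-9_]+' "$file" | tr -d '*'); do
        printf '%s\n' "$keys" | grep -q "^$ref " \
            || { echo "$file: *$ref is used but not defined under keys:" >&2; bad=1; }
    done
    return $bad
}

# Constructed demo input: the section 3.2 file with its placeholders still in place.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
keys:
  - &admin_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t # Admin Key (Steffen)
  - &main_key age1... # cryodev-main Key
creation_rules:
  - path_regex: hosts/cryodev-main/secrets.yaml$
    key_groups:
      - age:
          - *admin_key
          - *main_key
EOF
    check_sops_yaml "$tmp" || echo "refusing to use this .sops.yaml until the placeholders are replaced"
    rm -f "$tmp"
}
demo
```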
### 4.2 Run Install Script

From your local machine (where this repo is checked out), either copy the script to the target over SSH or run it directly on the target if the target can fetch the repository.

**Method A: Copy Script via SSH**

```bash
scp scripts/install.sh nixos@:install.sh
ssh nixos@
sudo -i
chmod +x /home/nixos/install.sh
/home/nixos/install.sh -r -n
```

**Method B: Run on Target (if repo is public or reachable)**

```bash
# On the target machine (as root)
nix-shell -p git
git clone /tmp/nixos
cd /tmp/nixos
bash scripts/install.sh -n
```

*Note: The script handles disk partitioning (via disko/script), hardware config generation, and installation.*

## 5. Continuous Deployment (CD)

### 5.1 cryodev-pi (Pull-based via Comin)

The `cryodev-pi` host is configured to pull updates automatically via `comin`.

1. **Create Repository:** Create a new repository named `cryodev-server` on your Forgejo instance (`https://git.cryodev.xyz`).
2. **Push Configuration:** Push this entire NixOS configuration to the `main` branch of that repository.
3. **Comin URL:** The configuration expects the repository at `https://git.cryodev.xyz/steffen/cryodev-server.git`.

### 5.2 cryodev-main (Push-based via Forgejo Actions)

The main server is deployed via a Forgejo Action.

1. **Generate SSH Key:**
   ```bash
   ssh-keygen -t ed25519 -f deploy_key -C "forgejo-actions"
   ```
2. **Add Public Key:** Add the content of `deploy_key.pub` to `/root/.ssh/authorized_keys` on `cryodev-main`. Note that this key grants root login on `cryodev-main`, so anyone who can read the repository secret below can do the same.
3. **Add Secret:** Add the content of `deploy_key` (the private key) as a secret named `DEPLOY_SSH_KEY` in your Forgejo repository settings.

## 6. Creating New Hosts (Templates)

To quickly bootstrap a new host configuration, you can use the provided templates.

1. **Copy Template:**
   ```bash
   # For a Raspberry Pi:
   cp -r templates/raspberry-pi hosts/new-pi-name
   # For a generic x86 server:
   cp -r templates/generic-server hosts/new-server-name
   ```
2. **Adjust Configuration:**
   * **Hostname:** Edit `hosts/new-name/networking.nix`.
   * **Flake:** Register the new host in `flake.nix` under `nixosConfigurations`.
   * **Constants:** Add the IP and ports to `constants.nix`.
   * **Secrets:** Add the keys to `.sops.yaml` and create `hosts/new-name/secrets.yaml`.

---

# 🇩🇪 German Instructions (translated)

## 1. Prerequisites

Make sure the following tools are installed locally:

- `nix` (with flakes)
- `sops`
- `age`
- `ssh`
- `ssh-to-age`
- `uuidgen`

## 2. DNS Configuration

Set up the following DNS records for `cryodev.xyz`:

| Hostname | Type | Value | Purpose |
|----------|------|-------|---------|
| `@` | A | `` | Main server |
| `@` | AAAA | `` | Main server (IPv6) |
| `git` | CNAME | `@` | Forgejo |
| `headscale` | CNAME | `@` | Headscale |
| `headplane` | CNAME | `@` | Headplane |
| `netdata` | CNAME | `@` | Netdata Monitoring |
| `mail` | A | `` | Mailserver |
| `mail` | AAAA | `` | Mailserver (IPv6) |
| `@` | MX | `10 mail.cryodev.xyz.` | Mail delivery |
| `@` | TXT | `"v=spf1 mx ~all"` | SPF record |
| `_dmarc` | TXT | `"v=DMARC1; p=none"` | DMARC record |

## 3. Secret Management (SOPS)

This repository uses `sops-nix` with the servers' SSH host keys.

### 3.1 Retrieve Public Keys

**For `cryodev-main`:**

```bash
nix-shell -p ssh-to-age --run 'ssh-keyscan -t ed25519 | ssh-to-age'
```

**For `cryodev-pi`:**

```bash
nix-shell -p ssh-to-age --run 'ssh-keyscan -t ed25519 | ssh-to-age'
```

### 3.2 Configure `.sops.yaml`

Edit `.sops.yaml` and add the keys and the rules for both hosts:

```yaml
keys:
  - &admin_key age1e8p35795htf7twrejyugpzw0qja2v33awcw76y4gp6acnxnkzq0s935t4t # Admin Key (Steffen)
  - &main_key age1... # cryodev-main Key
  - &pi_key age1... # cryodev-pi Key
creation_rules:
  - path_regex: hosts/cryodev-main/secrets.yaml$
    key_groups:
      - age:
          - *admin_key
          - *main_key
  - path_regex: hosts/cryodev-pi/secrets.yaml$
    key_groups:
      - age:
          - *admin_key
          - *pi_key
```

### 3.3 Generate Values

**Mailserver:** `mkpasswd -sm bcrypt`

**Headplane:** `openssl rand -hex 16`

**Netdata UUID:** `uuidgen`

**Tailscale Auth Keys (on `cryodev-main`):**

```bash
sudo headscale preauthkeys create --expiration 99y --reusable --user default
```

### 3.4 Create Secrets Files

**`hosts/cryodev-main/secrets.yaml`:**

```bash
sops hosts/cryodev-main/secrets.yaml
```

```yaml
mailserver:
  accounts:
    forgejo: "$2y$05$..."
    admin: "$2y$05$..."
forgejo-runner:
  token: "..."
headplane:
  cookie_secret: "..."
  agent_pre_authkey: "..."
tailscale:
  auth-key: "..."
```

**`hosts/cryodev-pi/secrets.yaml`:**

```bash
sops hosts/cryodev-pi/secrets.yaml
```

```yaml
tailscale:
  auth-key: "..."
netdata:
  stream:
    child-uuid: "..." # Output from uuidgen
```

## 4. Initial Deployment (Bootstrap)

Before automatic deployment can work, you must install the system once manually with the install script.

### 4.1 Prepare the Target Machine

1. Boot the NixOS installation ISO.
2. Set a root password: `passwd`.
3. Establish an internet connection.

### 4.2 Run the Install Script

Copy the script from your local machine to the target system.

**Method A: Via SCP**

```bash
scp scripts/install.sh nixos@:install.sh
ssh nixos@
sudo -i
chmod +x /home/nixos/install.sh
/home/nixos/install.sh -r -n
```

**Method B: Directly on the Target (if the repo is public/reachable)**

```bash
# On the target machine (as root)
nix-shell -p git
git clone /tmp/nixos
cd /tmp/nixos
bash scripts/install.sh -n
```

*Note: The script takes care of partitioning, hardware config, and installation.*

## 5. Continuous Deployment (CD)

### 5.1 cryodev-pi (Pull-based via Comin)

The host `cryodev-pi` pulls updates automatically via `comin`.

1. **Create Repository:** Create a repository named `cryodev-server` on `https://git.cryodev.xyz`.
2. **Push Configuration:** Push this configuration to the `main` branch.
3. **Comin URL:** `https://git.cryodev.xyz/steffen/cryodev-server.git`.

### 5.2 cryodev-main (Push-based via Forgejo Actions)

The main server is deployed via a Forgejo Action.

1. **Generate SSH Key:**
   ```bash
   ssh-keygen -t ed25519 -f deploy_key -C "forgejo-actions"
   ```
2. **Add Public Key:** Add the content of `deploy_key.pub` to `/root/.ssh/authorized_keys` on `cryodev-main`.
3. **Add Secret:** Store the content of `deploy_key` (private key) as the secret `DEPLOY_SSH_KEY` in the Forgejo repository.

## 6. Creating New Hosts (Templates)

To quickly create a new host configuration, you can use the provided templates.

1. **Copy Template:**
   ```bash
   # For a Raspberry Pi:
   cp -r templates/raspberry-pi hosts/neuer-pi-name
   # For a generic x86 server:
   cp -r templates/generic-server hosts/neuer-server-name
   ```
2. **Adjust Configuration:**
   * **Hostname:** Edit `hosts/neuer-name/networking.nix`.
   * **Flake:** Register the new host in `flake.nix` under `nixosConfigurations`.
   * **Constants:** Add the IP and ports to `constants.nix`.
   * **Secrets:** Add the keys to `.sops.yaml` and create `hosts/neuer-name/secrets.yaml`.
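Because the whole configuration, secrets files included, is pushed to the Forgejo repository (section 5.1), a check that every `hosts/*/secrets.yaml` was actually saved through `sops` rather than a plain editor is worth running before each push, for example from a pre-commit hook. This is an added example, not the repository's own code; the function name `check_sops_encrypted` and the sample files are constructed for it.

```bash
#!/bin/sh
# Added example, not part of the repository: verify that a hosts/*/secrets.yaml
# was really saved through sops before it is committed or pushed (section 5.1).
# A sops-encrypted file has a top-level "sops:" metadata block with a "mac:"
# entry, and every leaf value above that block is an ENC[AES256_GCM,...] token;
# a file written with a plain editor has neither.

# Returns 0 when FILE looks sops-encrypted, otherwise 1 with the reason on stderr.
check_sops_encrypted() {
    file="$1"
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    grep -q '^sops:' "$file" \
        || { echo "$file: no sops: metadata block (plaintext?)" >&2; return 1; }
    grep -Eq '^[[:space:]]+mac: ' "$file" \
        || { echo "$file: sops block has no mac: entry (truncated or hand-edited)" >&2; return 1; }
    # Every "key: value" line before the sops: block must carry an ENC[...] token.
    plain=$(sed '/^sops:/,$d' "$file" | awk -F': ' '
        /^[[:space:]]*#/ { next }
        NF >= 2 && $2 != "" && index($2, "ENC[AES256_GCM,") != 1 { print }')
    [ -z "$plain" ] || { printf '%s: plaintext values:\n%s\n' "$file" "$plain" >&2; return 1; }
    return 0
}

# Constructed samples: only the shape matters, the ENC payloads are fake.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/plain.yaml" <<'EOF'
tailscale:
  auth-key: "tskey-auth-PLACEHOLDER"
EOF
    cat > "$dir/encrypted.yaml" <<'EOF'
tailscale:
    auth-key: ENC[AES256_GCM,data:AAAA,iv:BBBB,tag:CCCC,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDER
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:DDDD,iv:EEEE,tag:FFFF,type:str]
EOF
    check_sops_encrypted "$dir/encrypted.yaml" && echo "encrypted.yaml: ok to commit"
    check_sops_encrypted "$dir/plain.yaml" || echo "plain.yaml: rejected, do not commit"
    rm -rf "$dir"
}
demo
```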