nixos-config/hosts/plover/README.adoc

= Plover, the general-purpose server
:toc:
:nixos-infect-commit: bca605ce2c91bc4d79bf8afaa4e7ee4fee9563d4

This is Plover, a configuration meant to be used in a low-powered general-purpose machine.
It isn't much of an instance to be seriously used yet but hopefully it is getting there.

This configuration is expected to be deployed in a Google Compute instance.

It has a reasonable set of assumptions to keep in mind when modifying this configuration:

- Most of the defaults are left to the link:https://github.com/NixOS/nixpkgs/tree/f92201f46109aabbbf41b8dc24bb9d342eb93a35/nixos/modules/virtualisation[image profiles from nixpkgs] including networking options and filesystems.
- No additional storage drives.
- At least 32 GB of space is assumed.

Some of the self-hosted services from this server:

* An nginx server which will make tie all of the self-hosted services together.
* A link:https://github.com/dani-garcia/vaultwarden[Vaultwarden] instance for a little password management.
* A link:https://gitea.io/[Gitea] instance for my personal projects.
* A link:https://www.keycloak.org/[Keycloak] instance for identity management.
* An LDAP server with link:https://www.openldap.org/[OpenLDAP].


[#general-deployment-guidelines]
== General deployment guidelines

If you want to deploy it anywhere else, you have to keep some things in mind.

* This uses link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] to decrypt secrets.
It mainly use the private key to the link:./files/age-key.pub[`./files/age-key.pub`] and move it to the appropriate location (i.e., `/var/lib/sops-nix/key.txt`).

* Be sure to set the appropriate firewalls either in the NixOS configuration or in the VPS provider firewall settings.
Take note some formats such as Google Compute image disable them entirely so it's safer to leave the firewall service and just configure the allowed ports and other settings.

* There are some things that are manually configured such as additional setup for the database.
Mostly related to setting up the proper roles which should be set up with the initial script at this point but there are some still left.

* If needed, restoring the application data from the backup into the services (e.g., Gitea, Keycloak, Vaultwarden).

* Configuring the remaining parts for the services (which unfortunately involves manually going into each application).

* Configure the database users with each appropriate service.


== Deploying it as a Google Compute instance

Some documented guidelines to deploy this instance in Google Cloud Platform (GCP) so you won't have to re-read those documentation like a stuck rat the next time you visit them.

* A GCP Compute Instance image of the configuration is available to be stored at your storage buckets.
You can simply build it at `packages.plover-gce` and store it there.
+
You can take it further automating it by running link:../../scripts/generate-and-upload-gce-image[`../../scripts/generate-and-upload-gce-image`] which is just a modified version of the link:https://github.com/NixOS/nixpkgs/blob/ebdafd7244832f1f52cacd3eda39f2156988957e/nixos/maintainers/scripts/gce/create-gce.sh[`create-gce.sh` script from nixpkgs].

* If you already have access to at least one GCP KMS key, then skip this part.
Add a key to be used for deployment to wherever relevant file in the link:./secrets[secrets directory]. footnote:[Of course, you need previous keys which you're likely using the private age key for this system.]
For this, you'll have to create a GCP keyring on their key management system (KMS) and generate a key there.

* Enable link:https://cloud.google.com/compute/docs/oslogin/set-up-oslogin[OS Login] for your Compute Engine instance.

* Enable HTTP and HTTPS traffic in the firewall settings.

* Don't forget to set the appropriate scopes for the instance.
Use the least privileged scopes as much as possible.

* Reserve a static IP address, pls.
Just don't forget to immediately assign it to the instance since it will charge higher if you just leave it alone.

* Creating a dedicated link:https://cloud.google.com/iam/docs/service-accounts[service account] for the VM is recommended.
Just make sure to set the least amount of privileges for that account.


== Deploying it to Hetzner Cloud

To deploy this to Hetzner Cloud, just initialize a server and run link:https://github.com/elitak/nixos-infect/[nixos-infect] script.
As an example, you can run the server with the following link:https://community.hetzner.com/tutorials/basic-cloud-config[cloud config].

[source, yaml, subs=attributes]
----
#cloud-config

runcmd:
  - curl https://raw.githubusercontent.com/elitak/nixos-infect/{nixos-infect-commit}/nixos-infect | NIX_CHANNEL=nixos-unstable bash 2>&1 | tee /tmp/infect.log
----

You could also easily create a server with `hcloud` with the following command:

[source, shell]
----
hcloud server create --location hel1 --type cx21 --image ubuntu-22.04 \
    --user-data-from-file ./files/hcloud-user-data.yml \
    --ssh-key foodogsquared@foodogsquared.one \
    --name nixos-plover
----

If you don't want to setup the firewall in the system, you could use the firewall from Hetzner (which is recommended anyways).

Then, don't forget to setup the prerequisites such as filesystems properly.
Here's a set of commands setting up to the current filesystem configuration.

[source, shell]
----
e2label /dev/sda1 nixos
fatlabel /dev/sda15 boot
----

Next, do the steps as written from <<general-deployment-guidelines>>.
hosts/plover: init 2022-11-23 05:27:01 +00:00			`= Plover, the general-purpose server`
hosts/plover: update README 2022-12-28 06:10:16 +00:00			`:toc:`
hosts/plover: add documentation for deploying into Hetzner Cloud 2023-01-04 14:12:52 +00:00			`:nixos-infect-commit: bca605ce2c91bc4d79bf8afaa4e7ee4fee9563d4`
hosts/plover: init 2022-11-23 05:27:01 +00:00
			`This is Plover, a configuration meant to be used in a low-powered general-purpose machine.`
			`It isn't much of an instance to be seriously used yet but hopefully it is getting there.`

			`This configuration is expected to be deployed in a Google Compute instance.`

			`It has a reasonable set of assumptions to keep in mind when modifying this configuration:`

			`- Most of the defaults are left to the link:https://github.com/NixOS/nixpkgs/tree/f92201f46109aabbbf41b8dc24bb9d342eb93a35/nixos/modules/virtualisation[image profiles from nixpkgs] including networking options and filesystems.`
			`- No additional storage drives.`
			`- At least 32 GB of space is assumed.`

			`Some of the self-hosted services from this server:`

			`* An nginx server which will make tie all of the self-hosted services together.`
			`* A link:https://github.com/dani-garcia/vaultwarden[Vaultwarden] instance for a little password management.`
			`* A link:https://gitea.io/[Gitea] instance for my personal projects.`
hosts/plover: update README 2022-12-28 06:10:16 +00:00			`* A link:https://www.keycloak.org/[Keycloak] instance for identity management.`
			`* An LDAP server with link:https://www.openldap.org/[OpenLDAP].`
docs: update 2022-11-29 02:43:27 +00:00



hosts/plover: add documentation for deploying into Hetzner Cloud 2023-01-04 14:12:52 +00:00			`[#general-deployment-guidelines]`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`== General deployment guidelines`

			`If you want to deploy it anywhere else, you have to keep some things in mind.`

			`* This uses link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] to decrypt secrets.`
			It mainly use the private key to the link:./files/age-key.pub[`./files/age-key.pub`] and move it to the appropriate location (i.e., `/var/lib/sops-nix/key.txt`).

			`* Be sure to set the appropriate firewalls either in the NixOS configuration or in the VPS provider firewall settings.`
			`Take note some formats such as Google Compute image disable them entirely so it's safer to leave the firewall service and just configure the allowed ports and other settings.`

hosts/plover: update README 2022-12-28 06:10:16 +00:00			`* There are some things that are manually configured such as additional setup for the database.`
			`Mostly related to setting up the proper roles which should be set up with the initial script at this point but there are some still left.`

			`* If needed, restoring the application data from the backup into the services (e.g., Gitea, Keycloak, Vaultwarden).`

			`* Configuring the remaining parts for the services (which unfortunately involves manually going into each application).`

hosts/plover: add documentation for deploying into Hetzner Cloud 2023-01-04 14:12:52 +00:00			`* Configure the database users with each appropriate service.`

hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00


docs: update 2022-11-29 02:43:27 +00:00			`== Deploying it as a Google Compute instance`

			`Some documented guidelines to deploy this instance in Google Cloud Platform (GCP) so you won't have to re-read those documentation like a stuck rat the next time you visit them.`

			`* A GCP Compute Instance image of the configuration is available to be stored at your storage buckets.`
			You can simply build it at `packages.plover-gce` and store it there.
			`+`
			You can take it further automating it by running link:../../scripts/generate-and-upload-gce-image[`../../scripts/generate-and-upload-gce-image`] which is just a modified version of the link:https://github.com/NixOS/nixpkgs/blob/ebdafd7244832f1f52cacd3eda39f2156988957e/nixos/maintainers/scripts/gce/create-gce.sh[`create-gce.sh` script from nixpkgs].

			`* If you already have access to at least one GCP KMS key, then skip this part.`
			`Add a key to be used for deployment to wherever relevant file in the link:./secrets[secrets directory]. footnote:[Of course, you need previous keys which you're likely using the private age key for this system.]`
			`For this, you'll have to create a GCP keyring on their key management system (KMS) and generate a key there.`

			`* Enable link:https://cloud.google.com/compute/docs/oslogin/set-up-oslogin[OS Login] for your Compute Engine instance.`

hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`* Enable HTTP and HTTPS traffic in the firewall settings.`

docs: update 2022-11-29 02:43:27 +00:00			`* Don't forget to set the appropriate scopes for the instance.`
hosts/plover: update config In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings. 2022-12-10 10:45:36 +00:00			`Use the least privileged scopes as much as possible.`
docs: update 2022-11-29 02:43:27 +00:00
			`* Reserve a static IP address, pls.`
			`Just don't forget to immediately assign it to the instance since it will charge higher if you just leave it alone.`

			`* Creating a dedicated link:https://cloud.google.com/iam/docs/service-accounts[service account] for the VM is recommended.`
			`Just make sure to set the least amount of privileges for that account.`
hosts/plover: add documentation for deploying into Hetzner Cloud 2023-01-04 14:12:52 +00:00



			`== Deploying it to Hetzner Cloud`

			`To deploy this to Hetzner Cloud, just initialize a server and run link:https://github.com/elitak/nixos-infect/[nixos-infect] script.`
			`As an example, you can run the server with the following link:https://community.hetzner.com/tutorials/basic-cloud-config[cloud config].`

			`[source, yaml, subs=attributes]`
			`----`
			`#cloud-config`

			`runcmd:`
			`- curl https://raw.githubusercontent.com/elitak/nixos-infect/{nixos-infect-commit}/nixos-infect \| NIX_CHANNEL=nixos-unstable bash 2>&1 \| tee /tmp/infect.log`
			`----`

			You could also easily create a server with `hcloud` with the following command:

			`[source, shell]`
			`----`
			`hcloud server create --location hel1 --type cx21 --image ubuntu-22.04 \`
			`--user-data-from-file ./files/hcloud-user-data.yml \`
			`--ssh-key foodogsquared@foodogsquared.one \`
			`--name nixos-plover`
			`----`

docs: update various READMEs 2023-01-06 12:26:13 +00:00			`If you don't want to setup the firewall in the system, you could use the firewall from Hetzner (which is recommended anyways).`

			`Then, don't forget to setup the prerequisites such as filesystems properly.`
			`Here's a set of commands setting up to the current filesystem configuration.`

			`[source, shell]`
			`----`
			`e2label /dev/sda1 nixos`
			`fatlabel /dev/sda15 boot`
			`----`

hosts/plover: add documentation for deploying into Hetzner Cloud 2023-01-04 14:12:52 +00:00			`Next, do the steps as written from <<general-deployment-guidelines>>.`