mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 22:57:55 +00:00
8adcc0d512
In preparation of deploying it in a non-Google Compute Engine environment, we'll update some of the settings.
= Plover, the general-purpose server

This is Plover, a configuration meant to be used in a low-powered general-purpose machine.
It isn't much of an instance to be seriously used yet but hopefully it is getting there.

This configuration is expected to be deployed in a Google Compute instance.
It has a reasonable set of assumptions to keep in mind when modifying this configuration:

- Most of the defaults are left to the link:https://github.com/NixOS/nixpkgs/tree/f92201f46109aabbbf41b8dc24bb9d342eb93a35/nixos/modules/virtualisation[image profiles from nixpkgs] including networking options and filesystems.
- No additional storage drives.
- At least 32 GB of space is assumed.

Some of the self-hosted services from this server:

* An nginx server which ties all of the self-hosted services together.
* A link:https://github.com/dani-garcia/vaultwarden[Vaultwarden] instance for a little password management.
* A link:https://gitea.io/[Gitea] instance for my personal projects.


== General deployment guidelines

If you want to deploy it anywhere else, you have to keep some things in mind.

* This uses link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] to decrypt secrets.
It mainly uses the private key matching link:./files/age-key.pub[`./files/age-key.pub`], which has to be moved to the appropriate location (i.e., `/var/lib/sops-nix/key.txt`).

* Be sure to set the appropriate firewalls either in the NixOS configuration or in the VPS provider firewall settings.
Take note that some image formats such as the Google Compute image disable the firewall entirely, so it's safer to leave the firewall service enabled and just configure the allowed ports and other settings.

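As an added example (not a module from this repository), the following NixOS module shows how the two guidelines above fit together: sops-nix is pointed at the age key at `/var/lib/sops-nix/key.txt` with the SSH-key fallbacks disabled, and the firewall is forced back on with only the ports nginx serves. The secrets file path and the secret name are placeholders.

```nix
# Added example, not part of this configuration. Wires sops-nix to the age key
# described in the README and re-enables the firewall that an image profile may
# have turned off. Paths and secret names below are placeholders.
{ config, lib, ... }:

{
  sops = {
    # Encrypted secrets for this host (placeholder path).
    defaultSopsFile = ./secrets/secrets.yaml;

    # Private half of ./files/age-key.pub, copied here out-of-band before the
    # first activation; keep it mode 0600 and owned by root.
    age.keyFile = "/var/lib/sops-nix/key.txt";

    # Do not fall back to host SSH keys: only the age key above may decrypt.
    age.sshKeyPaths = [ ];
    gnupg.sshKeyPaths = [ ];

    # Example secret (placeholder name) handed to the Vaultwarden service,
    # readable only by its service user.
    secrets."vaultwarden/env" = {
      owner = "vaultwarden";
      mode = "0400";
    };
  };

  # Some image profiles disable the firewall outright; mkForce wins regardless
  # of the priority the profile used. Expose only what the reverse proxy serves.
  networking.firewall = {
    enable = lib.mkForce true;
    allowedTCPPorts = [ 80 443 ];
  };
}
```

Checking that the key landed where sops-nix expects it (and with sane permissions) before the first `nixos-rebuild switch` saves a failed activation: `ls -l /var/lib/sops-nix/key.txt` should show `-rw-------` owned by root.
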
== Deploying it as a Google Compute instance

Some documented guidelines to deploy this instance in Google Cloud Platform (GCP) so you won't have to re-read that documentation like a stuck rat the next time you visit it.

* A GCP Compute Instance image of the configuration is available to be stored in your storage buckets.
You can simply build it at `packages.plover-gce` and store it there.
+
You can take it further by automating it with link:../../scripts/generate-and-upload-gce-image[`../../scripts/generate-and-upload-gce-image`] which is just a modified version of the link:https://github.com/NixOS/nixpkgs/blob/ebdafd7244832f1f52cacd3eda39f2156988957e/nixos/maintainers/scripts/gce/create-gce.sh[`create-gce.sh` script from nixpkgs].

* If you already have access to at least one GCP KMS key, then skip this part.
Add a key to be used for deployment to the relevant files in the link:./secrets[secrets directory]. footnote:[Of course, you need the existing keys for that, which here likely means the private age key for this system.]
For this, you'll have to create a GCP keyring on their key management system (KMS) and generate a key there.

* Enable link:https://cloud.google.com/compute/docs/oslogin/set-up-oslogin[OS Login] for your Compute Engine instance.

* Enable HTTP and HTTPS traffic in the firewall settings.

* Don't forget to set the appropriate scopes for the instance.
Use the least privileged scopes as much as possible.

* Reserve a static IP address, pls.
Just don't forget to immediately assign it to the instance since you will be charged more for a reserved address that is left unassigned.

* Creating a dedicated link:https://cloud.google.com/iam/docs/service-accounts[service account] for the VM is recommended.
Just make sure to set the least amount of privileges for that account.
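
As an added example (not this repository's own `.sops.yaml`), here is what the "add a KMS key" step looks like as a sops creation rule: the host's secrets are encrypted to both the existing age recipient from `./files/age-key.pub` and a GCP KMS key in one key group, so either one can decrypt. The path regex, age public key, project, keyring and key names are placeholders.

```yaml
# Added example, not the repository's own .sops.yaml. One creation rule that
# encrypts this host's secrets to both the existing age key and a GCP KMS key;
# keys in the same key group can each decrypt on their own.
creation_rules:
  # Placeholder path; match the host's secrets directory.
  - path_regex: hosts/plover/secrets/.*\.(yaml|json|env)$
    key_groups:
      - age:
          # Public key from ./files/age-key.pub (placeholder value).
          - age1EXAMPLEPUBLICKEYREPLACEME
        gcp_kms:
          # Key created beforehand with `gcloud kms keyrings create` and
          # `gcloud kms keys create`; project, keyring and key are placeholders.
          - resource_id: projects/PROJECT_ID/locations/global/keyRings/KEYRING/cryptoKeys/KEY
```

After editing the rule, re-encrypt the existing files with `sops updatekeys <file>`; that step needs one of the current recipients (the age private key) to unwrap the data key, which is the "previous keys" requirement the footnote above refers to. Granting the VM's service account only `roles/cloudkms.cryptoKeyDecrypter` on that single key, rather than a project-wide role, keeps the least-privilege advice for scopes and service accounts consistent with the secrets setup.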