Improve NixOS server post with the proofreading results

Gabriel Arazas 2023-02-26 21:08:12 +08:00
parent 11b9234b44
commit 810d1180e8
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -26,7 +26,7 @@ However, I've gone back to using it sometime at the start of 2022 and used it th
At the start of this year, however, I'm starting to learn managing Linux-based systems for servers. At the start of this year, however, I'm starting to learn managing Linux-based systems for servers.
What could be a better way (not necessarily as we'll discuss it) of managing it with the devil I know: NixOS. What could be a better way (not necessarily as we'll discuss it) of managing it with the devil I know: NixOS.
In this post, I'll be discussing my experience managing a NixOS server for 2 months. footnote:[Very fitting note as in that previous post I also wrote my experience using NixOS as a desktop driver also in 2 months of usage. I didn't plan for this, I swear.] In this post, I'll be journaling my experience managing a NixOS server for 2 months. footnote:[Very fitting note as in that previous post I also wrote my experience using NixOS as a desktop driver also in 2 months of usage. I didn't plan for this, I swear.]
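Review bot: the unchanged first line of this hunk still reads "I'm starting to learn managing Linux-based systems"; since the proofreading pass touches this paragraph anyway, "learning to manage Linux-based systems" reads better. The following line's parenthetical "(not necessarily as we'll discuss it)" is also hard to parse; "(not that I'll cover every way here)" or simply dropping it would make the sentence land.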
@ -34,23 +34,23 @@ In this post, I'll be discussing my experience managing a NixOS server for 2 mon
[#why-nixos-redux-version] [#why-nixos-redux-version]
== Why NixOS? (redux version) == Why NixOS? (redux version)
As you may already heard from any staunch advocates which xref:../moving-into-nixos/index.adoc#why-nixos[I've even said something about those lines myself], there are a couple of good reasons to use NixOS. As you may already heard from any staunch advocates which xref:../2020-11-06-moving-into-nixos/index.adoc#why-nixos[I've even said something about those lines myself], there are a couple of good reasons to use NixOS.
But I'm fairly sure you've heard a fair share of the same bullet points at this point so let me give you my perspective from using it for some time instead. But I'm fairly sure you've heard a fair share of the same bullet points at this point so let me give you my perspective from using it for some time instead.
What I like about it is the perspective of building NixOS systems just like how one would program applications. What I like about it is the perspective of building NixOS systems just like how one would program applications.
You create a text file containing NixOS configuration, you pass the file to the builder (e.g., `nix-build` or `nix build`), then you "compiled" an operating system. You create a text file containing a Nix program, you pass the program to the compiler (or in this case, the Nix build daemon), then you "compiled" an operating system.
Furthermore, the overall Nix ecosystem has some things helping to create a NixOS system such as link:https://github.com/NixOS/nixpkgs/[nixpkgs] which does not only have link:https://repology.org/repositories/statistics/total[one of the largest package repositories] (as of 2023-02-14) but also link:https://nixos.org/manual/nixos/unstable/options.html[a wide set of options] including... Furthermore, the overall Nix ecosystem has some things helping to create a NixOS system such as link:https://github.com/NixOS/nixpkgs/[nixpkgs] which does not only have link:https://repology.org/repositories/statistics/total[one of the largest package repositories] (as of 2023-02-14) but also link:https://nixos.org/manual/nixos/unstable/options.html[a wide set of options] including...
- Services which includes server-oriented programs (e.g., nginx, Bind, borgbackup) to complete desktop sessions (e.g., GNOME, KDE Plasma, i3, bspwm). - Services from server-oriented programs (e.g., nginx, Bind, borgbackup) to complete desktop sessions (e.g., GNOME, KDE Plasma, i3, bspwm) with additional options to configure them.
- Various programs such as tmux, vim, and command-line shells (e.g., Bash, zsh, fish) which typically includes further configuration options for them. - Various programs such as tmux, vim, and command-line shells (e.g., Bash, zsh, fish) which also includes configuration options for them.
- Hardware tweaks such as installing certain hardware drivers, a declarative networking setup (which is very useful for servers), and setting up filesystems complete with mount options. - Hardware tweaks such as installing certain hardware drivers, a declarative networking setup (which is very useful for servers), and setting up filesystems complete with mount options.
All of those can be made to create NixOS systems for a variety of purposes. All of those can be made to create NixOS systems for a variety of purposes.
Prior to this post (and also at least 2 months), I use NixOS as my desktop OS of choice for at least a year. Prior to this post, I use NixOS as my desktop OS of choice for at least a year.
Let me show you some examples of how I use it. Let me show you some examples of how I use it.
- link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/workflows/a-happy-gnome/default.nix[A complete configuration for my GNOME desktop environment] with a list of programs, services, and link:https://github.com/foo-dogsquared/nixos-config/tree/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/workflows/a-happy-gnome/config[settings] to enable. - link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/workflows/a-happy-gnome/default.nix[A complete configuration for my GNOME desktop environment] with a list of programs, services, and link:https://github.com/foo-dogsquared/nixos-config/tree/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/workflows/a-happy-gnome/config[settings] to enable.
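Review bot: the new wording of the "compiled an operating system" line calls the Nix build daemon "the compiler", which is misleading: evaluation of the Nix expression happens in the client (`nix-build` / `nix build`), and the daemon only realises the derivations that evaluation produces. The replaced wording, "you pass the file to the builder (e.g., `nix-build` or `nix build`)", was the more accurate of the two; keep it, or say "evaluator" rather than "compiler". Also, "As you may already heard" (unchanged in both versions) should be "As you may have already heard", and "Prior to this post, I use NixOS ... for at least a year" should be "I have used".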
@ -61,9 +61,9 @@ Let me show you some examples of how I use it.
Here's link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/tasks/multimedia-archive/data/jobs.yt-dlp.json[an example of additional URLs intended for yt-dlp to download]. Here's link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/tasks/multimedia-archive/data/jobs.yt-dlp.json[an example of additional URLs intended for yt-dlp to download].
The aforementioned dataset is created from link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/tasks/multimedia-archive/scripts/create-jobs-from-newpipe-db.py[a script that generates it from a Newpipe database]. footnote:[Complete declarative configuration! MUAHAHAHAHA! Although, I don't use it much these days but I kept it because it's neat.] The aforementioned dataset is created from link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/modules/nixos/tasks/multimedia-archive/scripts/create-jobs-from-newpipe-db.py[a script that generates it from a Newpipe database]. footnote:[Complete declarative configuration! MUAHAHAHAHA! Although, I don't use it much these days but I kept it because it's neat.]
The point is... NixOS is very flexible despite that it already gives you a complete set of knobs to tinker with especially with mechanisms in place such as Nix modules (which is an entire world in and of itself), nixpkgs overrides, overlays, and flakes. The point is... NixOS is very flexible despite that it already gives you a complete set of knobs to tinker with especially with mechanisms in place such as Nix modules footnote:[Which is an entire world in and of itself.], nixpkgs overrides, overlays, and flakes.
Unlike configuring from a traditional Linux system (e.g., Debian, Arch, Fedora), NixOS (and similar systems such as link:https://guix.gnu.org/[Guix system]) is nicer in terms of user experience for configuration since you only have to monitor one location to consolidate the configuration. Unlike configuring from a traditional Linux system (e.g., Debian, Arch, Fedora), NixOS is nicer in terms of UX for configuring the system since you only have to monitor one location to consolidate the system configuration.
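Review bot: "NixOS is very flexible despite that it already gives you a complete set of knobs" is ungrammatical in both versions; "despite already giving you" or "even though it already gives you" fixes it. The last line also compares an action to a system ("Unlike configuring from a traditional Linux system ..., NixOS is nicer"); "Compared with a traditional Linux system (e.g., Debian, Arch, Fedora), NixOS has a nicer configuration UX because ..." keeps the point and reads cleanly.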
@ -71,8 +71,8 @@ Unlike configuring from a traditional Linux system (e.g., Debian, Arch, Fedora),
[#the-nix-ecosystem] [#the-nix-ecosystem]
== The Nix ecosystem == The Nix ecosystem
It's not as large as other ecosystems such as from Docker with its link:https://hub.docker.com/[large selection of images] and tools such as link:https://kubernetes.io/[Kubernetes]. It's not as large as other ecosystems such as from Docker with its link:https://hub.docker.com/[vast selection of images] and widespread tools such as link:https://kubernetes.io/[Kubernetes].
The amount of things within the containers ecosystem is just too vast which rallies more support behind it. The amount of things within the containers ecosystem is just too huge which rallies even more support behind it.
This doesn't mean the Nix ecosystem is something to be scoffed at. This doesn't mean the Nix ecosystem is something to be scoffed at.
There's more to what you can do with NixOS especially link:https://nix-community.github.io/awesome-nix/[there's an ecosystem beyond nixpkgs]. There's more to what you can do with NixOS especially link:https://nix-community.github.io/awesome-nix/[there's an ecosystem beyond nixpkgs].
@ -81,13 +81,13 @@ Here's some of the tools I use related to managing the server.
- link:https://github.com/nix-community/home-manager/[home-manager] is quite similar to NixOS that it instead of building an operating system, it builds a home environment allowing you to specify user-specific tweaks that is otherwise not available from nixpkgs that are more focused on the holistic side of operating systems (i.e., system-wide services, programs, and configurations). - link:https://github.com/nix-community/home-manager/[home-manager] is quite similar to NixOS that it instead of building an operating system, it builds a home environment allowing you to specify user-specific tweaks that is otherwise not available from nixpkgs that are more focused on the holistic side of operating systems (i.e., system-wide services, programs, and configurations).
+ +
However, most of the options found here are oriented toward desktop usage but it's still useful for user-specific tweaks (e.g., putting certain files in its home directory). While most of the options found here are oriented toward desktop usage, it's still useful for servers (e.g., putting certain files in its home directory).
- nixpkgs can build NixOS systems into various formats including container images, a plethora of cloud provider-specific image formats, and virtual machines. - nixpkgs can build NixOS systems into various formats including container images, a plethora of cloud provider-specific image formats, and virtual machines.
link:github.com/nix-community/nixos-generators[nixos-generators] builds upon this as a nice frontend to easily make use of it. link:github.com/nix-community/nixos-generators[nixos-generators] builds upon this as a nice frontend to easily make use of it.
+ +
I've used it to generate a link:https://github.com/foo-dogsquared/nixos-config/releases/tag/latest[personalized NixOS installer as part of a release from my config]. I've used it to generate a link:https://github.com/foo-dogsquared/nixos-config/releases/tag/latest[personalized NixOS installer as part of a release from my config].
Also, I've used it to generate a Google Cloud image that can easily create a Compute instance from it. At some point, I've also used it to generate a Google Cloud image that can easily create a Compute instance from it.
- link:https://github.com/serokell/deploy-rs[deploy-rs] is my deployment tool of choice. - link:https://github.com/serokell/deploy-rs[deploy-rs] is my deployment tool of choice.
It comes with niceties such as magic rollback which is useful if it rendered your configuration to be unconnectable. It comes with niceties such as magic rollback which is useful if it rendered your configuration to be unconnectable.
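Review bot: `link:github.com/nix-community/nixos-generators[nixos-generators]` has no URL scheme, so Asciidoctor renders it as a relative path under the post's own URL instead of an external link; prefix it with `https://` like the other links in this list. The home-manager bullet is also a single run-on in both versions ("is quite similar to NixOS that it instead of building an operating system, it builds ..."); split it along the lines of "is similar to NixOS, except that instead of building an operating system it builds a home environment, letting you specify user-specific tweaks that nixpkgs (focused on the system-wide side: services, programs, and configuration) does not cover." Finally, "if it rendered your configuration to be unconnectable" would be clearer as "if a deployment leaves the machine unreachable".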
@ -104,7 +104,7 @@ My tool of choice is link:https://github.com/Mic92/sops-nix[sops-nix] given that
== Configuring the server == Configuring the server
I'm managing one instance in Hetzner Cloud. I'm managing one instance in Hetzner Cloud.
While it doesn't have a NixOS image (or used to be), it is easy to initiate a NixOS instance with the link:https://github.com/elitak/nixos-infect[nixos-infect] script which will... infect a Linux system into a NixOS one (without the spreading of NixOS disease though). While it doesn't have a NixOS image, it is easy to initiate a NixOS instance with the link:https://github.com/elitak/nixos-infect[nixos-infect] script which will... infect a Linux system into a NixOS one (without the spreading of NixOS disease though).
Thankfully, this can be automated since Hetzner also has link:https://github.com/hetznercloud/awesome-hcloud[an ecosystem of libraries and tools for more flexibility] including link:https://github.com/hetznercloud/cli[a command-line interface for managing Hetzner Cloud deployments]. Thankfully, this can be automated since Hetzner also has link:https://github.com/hetznercloud/awesome-hcloud[an ecosystem of libraries and tools for more flexibility] including link:https://github.com/hetznercloud/cli[a command-line interface for managing Hetzner Cloud deployments].
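Review bot: the nixos-infect link points at the repository's default branch, while the rest of the post pins its nixos-config links to a specific commit (70e2e077...); since this script is run as root on a freshly created instance to replace its operating system, link to the exact revision you used (and mention reading it before running) so that readers reproduce what you ran rather than whatever the branch contains later. Minor: "which will... infect a Linux system into a NixOS one" would read better as "which will... convert an existing Linux install into NixOS".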
@ -127,10 +127,10 @@ If you're looking into managing a NixOS system in Hetzner Cloud, I recommend to
This is important to see the network interfaces configuration and configure your networking interfaces based from it. This is important to see the network interfaces configuration and configure your networking interfaces based from it.
==== ====
One would have to statically configure hardware of the server, mostly relating to networking setup. One would have to statically configure the hardware of the server, mostly relating to networking setup.
For this, I used systemd-networkd service that integrates well in NixOS. For this, I used systemd-networkd service that integrates well in NixOS.
The following systemd-networkd configuration is based from the generated systemd network unit from Ubuntu 22.04. The following systemd-networkd configuration is based from the generated systemd network unit from Ubuntu 22.04 image from Hetzner Cloud.
It assumes that you have an global IPv4 and IPv6 address and a private IPv4 subnet from link:https://docs.hetzner.com/cloud/networks/[networks feature]. It assumes that you have an global IPv4 and IPv6 address and a private IPv4 subnet from link:https://docs.hetzner.com/cloud/networks/[networks feature].
[source, nix] [source, nix]
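Review bot: "It assumes that you have an global IPv4 and IPv6 address" survives unchanged in both versions and should be "a global". The newly edited line stacks three "from"s ("based from the generated systemd network unit from Ubuntu 22.04 image from Hetzner Cloud"); "based on the network unit generated by Hetzner Cloud's Ubuntu 22.04 image" says the same thing once. Likewise "configure your networking interfaces based from it" in the context line should be "based on it".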
@ -144,8 +144,7 @@ include::./assets/server-systemd-networkd-config.nix[]
Currently (as of NixOS 23.05-unstable), there are two main ways to declaratively configure the networking setup: `networking.interfaces` and `systemd.network`. Currently (as of NixOS 23.05-unstable), there are two main ways to declaratively configure the networking setup: `networking.interfaces` and `systemd.network`.
`networking.interfaces` is considered the default seeing as it is used on the installers for NixOS. `networking.interfaces` is considered the default seeing as it is used on the installers for NixOS.
Although, there seems to be link:https://github.com/NixOS/nixpkgs/issues/10001[interest to switch to systemd-networkd as the default way]. Although, there seems to be link:https://github.com/NixOS/nixpkgs/issues/10001[interest to switch to systemd-networkd as the default way] — not to mention, part of the description of the `networking.interfaces` recommends using `systemd.network.netdevs` instead.
Not to mention, part of the description of the `networking.interfaces` recommends using `systemd.network.netdevs` instead.
If this would be configured with `networking.interfaces`, then it would look something like the following listing (without the other aspects of networking such as proper routing). If this would be configured with `networking.interfaces`, then it would look something like the following listing (without the other aspects of networking such as proper routing).
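Review bot: merging the two sentences with an em-dash leaves "Although, there seems to be ... — not to mention, ..." as one fragment headed by a dangling "Although"; "There is, however, interest to switch to systemd-networkd as the default, and the description of `networking.interfaces` itself recommends using `systemd.network.netdevs` instead." keeps both facts in one grammatical sentence. The following context line, "If this would be configured with `networking.interfaces`", should be "If this were configured with".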
@ -168,7 +167,7 @@ Fortunately, nixpkgs already has a link:https://github.com/NixOS/nixpkgs/blob/f9
} }
---- ----
Now with the most important things are done, you can now proceed with the service configuration. With the most important things done, you can now proceed with the service configuration.
Here's a non-exhaustive list of things that I've done for the server. Here's a non-exhaustive list of things that I've done for the server.
- systemd-networkd link:https://github.com/systemd/systemd/blob/0da4cc97b446b43802692f2415e5a774771b0ca9/NEWS#L7674-L7675[can configure Wireguard interfaces since v237] so I eventually used it for configuring Wireguard tunnels instead of standing up an OpenVPN server. - systemd-networkd link:https://github.com/systemd/systemd/blob/0da4cc97b446b43802692f2415e5a774771b0ca9/NEWS#L7674-L7675[can configure Wireguard interfaces since v237] so I eventually used it for configuring Wireguard tunnels instead of standing up an OpenVPN server.
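Review bot: the WireGuard bullet says nothing about where the tunnel's private key lives, which is the detail a NixOS reader most needs: any value written directly into a `systemd.network.netdevs` option (e.g. an inline `PrivateKey=`) is copied into the world-readable Nix store, so the key should be supplied via `PrivateKeyFile=` pointing at a file provisioned outside the store (the hunk header above already mentions sops-nix as the secrets tool, so a one-sentence pointer to it fits here). Also, the project spells its name "WireGuard".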
@ -179,7 +178,7 @@ This could also be used to avoid using root directly, only using `sudo` when nee
In my case, I created two non-root users: link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/users/nixos/admin/default.nix[specifically to be used for deployment] and link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/users/nixos/plover/default.nix[one to be used as the entry point for the server] since the former doesn't have a password to enter privilege mode. In my case, I created two non-root users: link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/users/nixos/admin/default.nix[specifically to be used for deployment] and link:https://github.com/foo-dogsquared/nixos-config/blob/70e2e077d17de5ae48063bf56e376a45d469d2c9/users/nixos/plover/default.nix[one to be used as the entry point for the server] since the former doesn't have a password to enter privilege mode.
The latter has a customized user environment done through home-manager. The latter has a customized user environment done through home-manager.
- Enable all of the services you want. - Enable all of the services you want which I've included some details in <<the-results-and-the-maintenance-process, the next chapter>>.
Of course, as long as it fits in the server with its expected amount of traffic and the average amount of resources. Of course, as long as it fits in the server with its expected amount of traffic and the average amount of resources.
- Setting a remote backup service. - Setting a remote backup service.
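Review bot: "the former doesn't have a password to enter privilege mode" leaves open how the deployment user gains root on the target; a user that activates system profiles via a deployment tool typically needs passwordless `sudo`, which makes its SSH key equivalent to a root credential. State how that user escalates and that the key is the thing to protect, so the two-user split is not read as a real privilege boundary. Separately, the new `<<the-results-and-the-maintenance-process, the next chapter>>` cross-reference needs a matching `[#the-results-and-the-maintenance-process]` anchor on that section, otherwise Asciidoctor warns and renders a broken link; and "Enable all of the services you want which I've included some details in" should be "..., some of which I describe in ...".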
@ -263,6 +262,30 @@ It is done with sops and sops-nix then manually putting the private key in its s
I don't think it's efficient but it is what it is. I don't think it's efficient but it is what it is.
I'm fairly sure there's a better way to provision the server alongside the secrets but solving that problem seems like diminishing returns. I'm fairly sure there's a better way to provision the server alongside the secrets but solving that problem seems like diminishing returns.
The maintenance process also considers budget especially in the long run so let's be a good I.T. department for ourselves and enumerate them in a table.
.Monthly budget for running a personal cloud infrastructure
[%header, cols="2"]
|===
| Thing
| Cost
| A Hetzner Cloud server
| €6
| A Hetzner Storage Box
| €4
| `foodogsquared.one` domain (paid yearly)
| €1.2
| mailbox.org standard account
| €3
|===
A total of €14.2 or ₱712 in my local currency which is nice in my personal budget of under ₱1000 (€17.3).
[#things-to-keep-in-mind] [#things-to-keep-in-mind]
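Review bot: the two currency conversions in the closing line of the added table section disagree: €14.2 → ₱712 implies roughly ₱50 per euro, while ₱1000 → €17.3 implies roughly ₱58 per euro, at which rate the total would be closer to ₱820. Recompute both figures with a single rate and say which date it is from. Minor: "I.T. department" is normally written "IT department", and since the domain is paid yearly the table header could read "Cost (per month)" so that the €1.2 row is understood as a monthly equivalent rather than an invoice amount.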