JulianFP/NixOSConfig

This is the config of all my NixOS machines (using flakes)

About

This is the Nix flake that defines all my NixOS systems. Look into flake.nix and the folders of the individual systems to get more information about their config. Any system-specific secrets are stored encrypted in the secrets/<hostName> directory. The following systems are defined in this repo:

  • JuliansFramework: This is my Framework Laptop 13 (12th Gen) and my daily driver. It is the system I use the most, which is why it has the most complicated configuration.
  • blankISO: This is a system I use to generate ISOs that help me spin up VMs. This way I can boot from that ISO (mounted as a virtual DVD, e.g. in Proxmox) and then run my deployment script without having to add SSH keys or anything else first. A great config to get me started on anything.
  • NixOSTesting: Config for a Proxmox PVE VM that I use to test NixOS server and deployment stuff.
  • Nextcloud: Config for a Proxmox PVE VM that runs my Nextcloud instance. Currently still in the testing phase.
  • IonosVPS: Config for my Ionos XS VPS that I use as an edge server, reverse proxy and general forwarding server (to have a public, static IPv4 address for all my local servers). Currently still in the testing phase.

Nebula and sops

I use the Nebula overlay network to connect to and between all my servers and machines. The general Nebula config can be found in generic/nebula.nix, and each machine may add its own additions (additional firewall rules, etc.). The keys and certificates needed for Nebula are stored using sops-nix (together with the other secrets a machine might need). See generic/sops.nix, .sops.yaml and the secrets directory for info on the general sops setup. To add new systems to my Nebula network more quickly and comfortably I wrote the createNebulaDevice.sh script. Look at its comments and run it without any parameters to get more information about how to use it, but here is an example of its usage:

  • ./createNebulaDevice.sh NixOSTesting 48.42.1.150/16 "server,edge"
  • Note 1: Don't forget to specify the subnet of the Nebula IP address using CIDR notation (in this example it is /16).
  • Note 2: This script requires you to have a working SSH and GnuPG setup for your root user, so that you can access your GitHub repo and decrypt your sops secrets with it. Look at the home-manager configuration of JuliansFramework for an example of how to just 'inherit' the Nix setup for that from your main user.

Deployment

I wrote the deployment.sh script to deploy NixOS configurations to machines more easily. Look at its comments and run it without any parameters to get more information about how to use it, but here are some examples of its usage:

  • ./deployment.sh deploy NixOSTesting 192.168.3.9 192.168.3.120 deploys NixOS on the machine with the first IP address (using nixos-anywhere) and clones this git repository onto it after rebooting (using the second IP address).
  • ./deployment.sh deploySops NixOSTesting 192.168.3.9 192.168.3.120 is the same as deploy, but additionally updates the sops config with the new age key of the target system (which sops-nix generates if the system is new) and re-encrypts all the secrets that the target system should have access to (this involves updating the .sops.yaml file).
  • ./deployment.sh sops NixOSTesting 192.168.3.120 is like deploySops, but without the deploy. Useful if you set up the target machine using other methods than this script and nixos-anywhere (for example because the target machine does not fulfill the requirements of nixos-anywhere).
  • ./deployment.sh iso NixOSTesting builds an ISO based on the specified device configuration name (as in the flake URL) and puts it into the local directory (using nixos-generate).
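Both scripts above take a host name plus IP addresses (with a CIDR prefix for Nebula, bare for deployment) and then go on to touch sops secrets or a remote machine, so a defensive first step is to reject malformed arguments before anything is written or contacted. The following is an added example, not code from this repository or from createNebulaDevice.sh/deployment.sh: a set of POSIX sh functions (hypothetical names valid_ipv4, valid_cidr, valid_groups, valid_host, check_nebula_args, check_deploy_args) that validate the argument layouts shown in the usage lines for both scripts, including the missing-prefix mistake that Note 1 warns about.

```sh
#!/bin/sh
# Added example (not the repository's own code): argument checks a script such as
# createNebulaDevice.sh or deployment.sh could run before touching sops or a target host.
# Function names are hypothetical; argument layouts follow the usage lines in the README.

# valid_ipv4 1.2.3.4 -> 0 if exactly four dotted octets in 0..255, else 1
valid_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1          # word-split on '.' on purpose, hence unquoted
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) return 1 ;;   # empty or non-numeric field
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_cidr 48.42.1.150/16 -> 0 only if a /0..32 prefix is present (Note 1 above)
valid_cidr() {
  addr=${1%/*}
  prefix=${1#*/}
  [ "$prefix" != "$1" ] || return 1   # no '/' at all: the prefix length is missing
  case $prefix in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1
  valid_ipv4 "$addr"
}

# valid_groups "server,edge" -> 0 if a non-empty comma-separated list of plain names
valid_groups() {
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs
  [ $# -ge 1 ] || return 1
  for g in "$@"; do
    case $g in
      ''|*[!A-Za-z0-9_-]*) return 1 ;;   # catches "server,,edge" and odd characters
    esac
  done
  return 0
}

# valid_host NixOSTesting -> 0 if the name is safe to use as a flake output / directory name
valid_host() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_nebula_args <hostName> <nebulaIP/CIDR> <groups>   (createNebulaDevice.sh layout)
check_nebula_args() {
  [ $# -eq 3 ] || { echo "usage: createNebulaDevice.sh <hostName> <nebulaIP/CIDR> <groups>" >&2; return 2; }
  valid_host "$1"   || { echo "bad host name: $1" >&2; return 1; }
  valid_cidr "$2"   || { echo "Nebula address needs CIDR notation, e.g. 48.42.1.150/16" >&2; return 1; }
  valid_groups "$3" || { echo "groups must be comma-separated, e.g. \"server,edge\"" >&2; return 1; }
}

# check_deploy_args <mode> <hostName> [ip...]   (deployment.sh layout):
# deploy/deploySops take two addresses, sops one, iso none.
check_deploy_args() {
  [ $# -ge 2 ] || { echo "usage: deployment.sh <mode> <hostName> [ip...]" >&2; return 2; }
  mode=$1; host=$2; shift 2
  valid_host "$host" || { echo "bad host name: $host" >&2; return 1; }
  case $mode in
    deploy|deploySops) want=2 ;;
    sops)              want=1 ;;
    iso)               want=0 ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  [ $# -eq "$want" ] || { echo "$mode expects $want ip address(es)" >&2; return 2; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad ip address: $ip" >&2; return 1; }
  done
}
```

The functions are meant to be sourced at the top of a script and called with "$@" before any sops, git or SSH step runs; a non-zero return aborts early with a usage hint instead of, say, issuing a Nebula certificate for an address without a subnet or re-encrypting secrets for a mistyped host name.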
