aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: df4707af37db9669255d22857b2e1f88f5814926 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# VPS

## Workflow
### Re-creating everything from scratch

```shell
git crypt unlock
direnv allow
./terraform-update.sh
# wait for the DNS to propagate, so
# letsencrypt can create the certificates
./nixos-update.sh
```

### After an update on `vps.tf`

Same as above.

### After editing `vps-configuration.nix` or other OS files

Just run the `./nixos-update.sh` script.

## Base image
The basic `configuration.nix` file in the current snapshots looks just like this:

```nix
{ config, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

  networking.useDHCP = false;
  networking.interfaces.ens3.useDHCP = true;

  environment.systemPackages = with pkgs; [ vim ];

  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";

  users.extraUsers.andreh = {
    uid = 1000;
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    password = "...password...";
    openssh.authorizedKeys.keys = [
      "...ssh public key..."
    ];
  };

  system.stateVersion = "19.09";
}
```

This basic setup allows it to boot, starts the OpenSSH server agent and allows
the listed `openssh.authorizedKeys.keys` to login.

I've also changed the nix-channel to the `nixos-unstable` imperatively before
creating the image snapshot:

```shell
sudo nix-channel --remove nixos
sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos
```

So the first run of `./nixos-update.sh` will already get the latest channel from
unstable, which makes this image not tied to the particular original 19.09 NixOS
distribution.