# VPS
## Workflow
### Re-creating everything from scratch
```shell
git crypt unlock
direnv allow
./terraform-update.sh
# wait for the DNS to propagate, so
# letsencrypt can create the certificates
./nixos-update.sh
```
### After an update on `vps.tf`
Same as above.
### After editing `vps-configuration.nix` or other OS files
Just run the `./nixos-update.sh` script.
## Base image
The basic `configuration.nix` file in the current snapshots looks just like this:
```nix
{ config, pkgs, ... }:
{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

  networking.useDHCP = false;
  networking.interfaces.ens3.useDHCP = true;

  environment.systemPackages = with pkgs; [ vim ];

  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";

  users.extraUsers.andreh = {
    uid = 1000;
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    password = "...password...";
    openssh.authorizedKeys.keys = [
      "...ssh public key..."
    ];
  };

  system.stateVersion = "19.09";
}
```
This basic setup lets the machine boot, starts the OpenSSH server and allows
the listed `openssh.authorizedKeys.keys` to log in.
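As an added example (not part of the original snapshot config), the same user and SSH options with the two settings a reviewer would tighten: a plain `password` value is copied verbatim into the world-readable Nix store, and password logins over SSH are not needed when only the listed keys should get in. The hash value is a placeholder; generate a real one with `mkpasswd -m sha-512`.

```nix
{ config, pkgs, ... }:
{
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";
  # Key-only SSH: the account keeps its password for `sudo`, but the
  # password cannot be guessed over the network.
  services.openssh.passwordAuthentication = false;

  users.extraUsers.andreh = {
    uid = 1000;
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # `hashedPassword` instead of `password`: the cleartext never reaches
    # the Nix store. The hash is still world-readable there, so it should
    # protect a strong passphrase. Placeholder value, not a real hash.
    hashedPassword = "$6$...placeholder-from-mkpasswd...";
    openssh.authorizedKeys.keys = [
      "...ssh public key..."
    ];
  };
}
```

Merge this into `configuration.nix` in place of the `services.openssh` and `users.extraUsers.andreh` blocks above; the other options stay as they are.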
I've also changed the nix-channel to `nixos-unstable` imperatively before
creating the image snapshot:
```shell
sudo nix-channel --remove nixos
sudo nix-channel --add https://nixos.org/channels/nixos-unstable nixos
```
So the first run of `./nixos-update.sh` already pulls the latest unstable
channel, which means the image is not tied to the original 19.09 NixOS
release it was created from.