# VPS

## Workflow
### Re-creating everything from scratch

```shell
git crypt unlock
direnv allow
./terraform-update.sh
# wait for the DNS to propagate, so
# letsencrypt can create the certificates
./nixos-update.sh
```

### After an update on `vps.tf`

Same as above.

### After editing `vps-configuration.nix` or other OS files

Just run the `./nixos-update.sh` script.

## Base image
The basic `configuration.nix` file in the current snapshots looks just like this:

```nix
{ config, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

  networking.useDHCP = false;
  networking.interfaces.ens3.useDHCP = true;

  environment.systemPackages = with pkgs; [ vim ];

  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";

  users.extraUsers.andreh = {
    uid = 1000;
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    password = "...tmp password...";
    openssh.authorizedKeys.keys = [
      "...ssh public key..."
    ];
  };

  system.stateVersion = "19.09";
}
```

This basic setup allows it to boot, starts the OpenSSH server agent and allows
the listed `openssh.authorizedKeys.keys` to login.

I've also changed the ownership of `/etc/nixos/configuration.nix` to allow my
user to write to it by piping through SSH without trying some
[non-working solutions like before][0]:

```shell
sudo chown andreh /etc/nixos/configuration.nix
```

With that `./nixos-update.sh` can write to the NixOS configuration file without
running into issues with `sudo` password permissions through the SSH pipe while
writing to stdin.

[0]: https://git.sr.ht/~euandreh/vps/tree/a7983c859f3d8890e35c587176f497b73a7a7dc7/nixos-switch.sh#L7