# VPS

## Workflow

### Re-creating everything from scratch

```shell
git crypt unlock
direnv allow
./terraform-update.sh
# wait for the DNS to propagate, so
# letsencrypt can create the certificates
./nixos-update.sh
```

### After an update on `vps.tf`

Same as above.

### After editing `vps-configuration.nix` or other OS files

Just run the `./nixos-update.sh` script.

## Base image

The basic `configuration.nix` file in the current snapshots looks just like this:

```nix
{ config, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

  networking.useDHCP = false;
  networking.interfaces.ens3.useDHCP = true;

  environment.systemPackages = with pkgs; [
    vim
  ];

  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";

  users.extraUsers.andreh = {
    uid = 1000;
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    password = "...tmp password...";
    openssh.authorizedKeys.keys = [
      "...ssh public key..."
    ];
  };

  system.stateVersion = "19.09";
}
```

This basic setup allows it to boot, starts the OpenSSH server and allows the listed `openssh.authorizedKeys.keys` to log in.

I've also changed the ownership of `/etc/nixos/configuration.nix` so that my user can write to it by piping through SSH, without resorting to [non-working solutions like before][0]:

```shell
sudo chown andreh /etc/nixos/configuration.nix
```

With that, `./nixos-update.sh` can write to the NixOS configuration file without running into issues with `sudo` password prompts through the SSH pipe while writing to stdin.

[0]: https://git.sr.ht/~euandreh/vps/tree/a7983c859f3d8890e35c587176f497b73a7a7dc7/nixos-switch.sh#L7
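
Because the whole system is built from `/etc/nixos/configuration.nix`, the `chown` above makes that file's ownership and mode part of the trust boundary. The following is an added example, not one of this repository's scripts: a pre-flight check that the file is a regular file owned by the expected user and that neither it nor its directory is writable by group or others. The function name `check_nixos_config` is hypothetical.

```shell
#!/bin/sh
# Added example: check_nixos_config is a hypothetical helper, not part of this repo.
# Usage on the VPS: check_nixos_config /etc/nixos/configuration.nix andreh

check_nixos_config() {
    file=$1
    owner=$2    # user name or numeric uid expected to own the file
    dir=$(dirname -- "$file")

    # Reject symlinks and anything that is not a regular file:
    # a symlink would let the real content live somewhere unchecked.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file" >&2
        return 1
    fi

    # The owner must be exactly the expected user.
    if [ -z "$(find "$file" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $file is not owned by $owner" >&2
        return 1
    fi

    # No group or other write bit on the file itself.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $file is writable by group or others" >&2
        return 1
    fi

    # Nor on its directory, where write access allows replacing the file.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $dir is writable by group or others" >&2
        return 1
    fi

    echo "OK: $file is owned by $owner and not writable by anyone else"
}
```
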