nix build .#usbboot
sudo dd if=result/iso/<ISO_FILE> of=/dev/<USBKEY> bs=4M conv=fsync status=progress
Don't forget to update ~/.ssh/config (much easier, especially when using an SSH jump host and/or a custom SSH port).
nix run github:nix-community/nixos-anywhere -- \
--generate-hardware-config nixos-generate-config ./<HOST>/chewie/hardware-configuration.nix \
--flake .#<HOST> \
--target-host <TARGET>

After nixos-anywhere finishes:
- Update the age key (depending on server or desktop, the path might change).
- Register the machine into tailscale.
- Update DNS if necessary.
Don't forget to update ~/.ssh/config (much easier, especially when using an SSH jump host and/or a custom SSH port).
nixos-rebuild switch --flake ".#<HOST>" \
--target-host <TARGET> \
--build-host <TARGET> \
--sudo \
--use-substitutes
When adding or removing ZFS datasets, make the change imperatively, then document it in datasets.md.
Potential locations where the nix configuration must mirror the imperative commands:
- zfs.nix: add/remove the pools to mount at boot and update the sanoid config
- zpools.nix: add/remove zpools
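Because the datasets are created by hand and only afterwards written into datasets.md and the sanoid config, the three can silently drift apart. The script below is an added example (not part of this repository) that diffs them: it assumes the output of `zfs list -H -o name,encryption,keystatus`, a datasets.md that lists one dataset per bullet, and a sanoid.conf with one `[section]` per dataset, all of which are constructed samples here, and it reports datasets that are on disk but undocumented, documented but missing, unencrypted, or without a snapshot policy.

```python
"""Drift check between live ZFS datasets and the files that must mirror them.

Added example, not part of this repository. Inputs are constructed samples of
`zfs list -H -o name,encryption,keystatus`, datasets.md and sanoid.conf.
"""
import configparser
import re

# Constructed sample of `zfs list -H -o name,encryption,keystatus` (tab separated).
ZFS_LIST_OUTPUT = (
    "tank\toff\t-\n"
    "tank/enc\taes-256-gcm\tavailable\n"
    "tank/enc/media\taes-256-gcm\tavailable\n"
    "tank/enc/containers\taes-256-gcm\tavailable\n"
    "tank/enc/photos\taes-256-gcm\tavailable\n"
    "tank/scratch\toff\t-\n"
)

# Constructed datasets.md; only the bullet lines are read.
DATASETS_MD = """\
# Datasets

- tank/enc/media: media library
- tank/enc/containers: volumes for the OCI containers
- tank/enc/backup: restic repository (not created yet)
"""

# Constructed sanoid.conf; one section per dataset, [template_*] sections are skipped.
SANOID_CONF = """\
[tank/enc/media]
use_template = production

[tank/enc/containers]
use_template = production

[template_production]
hourly = 36
daily = 30
"""

# Datasets under this root are the ones that must be documented and snapshotted.
ENCRYPTED_ROOT = "tank/enc"


def parse_zfs_list(text):
    """Map dataset name -> (encryption, keystatus) from `zfs list -H` output."""
    datasets = {}
    for line in text.splitlines():
        if line.strip():
            name, encryption, keystatus = line.split("\t")
            datasets[name] = (encryption, keystatus)
    return datasets


def parse_datasets_md(text):
    """Dataset names from bullet lines of the form `- pool/dataset: description`."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^\s*[-*]\s+([A-Za-z0-9_./-]+)", line)
        if m:
            names.add(m.group(1))
    return names


def parse_sanoid_conf(text):
    """Dataset sections of sanoid.conf, ignoring the [template_*] sections."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {s for s in parser.sections() if not s.startswith("template_")}


def check_drift(zfs_text, md_text, sanoid_text, root=ENCRYPTED_ROOT):
    """Return the four drift lists; all empty means the files match the live state."""
    on_disk = parse_zfs_list(zfs_text)
    documented = parse_datasets_md(md_text)
    snapshotted = parse_sanoid_conf(sanoid_text)
    managed = {n for n in on_disk if n.startswith(root + "/")}
    return {
        "undocumented": sorted(managed - documented),
        "documented_but_missing": sorted(documented - set(on_disk)),
        # Pool roots (no "/" in the name) are never encrypted themselves; skip them.
        "unencrypted": sorted(n for n, (enc, _) in on_disk.items() if enc == "off" and "/" in n),
        "no_sanoid_policy": sorted(managed - snapshotted),
    }


if __name__ == "__main__":
    for finding, names in check_drift(ZFS_LIST_OUTPUT, DATASETS_MD, SANOID_CONF).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

On a real host, replace the three constants with `subprocess.run(["zfs", "list", "-H", "-o", "name,encryption,keystatus"], ...)` output and the contents of datasets.md and the generated sanoid.conf; the "unencrypted" list is the one to watch, since the layout relies on at-rest encryption.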
On the target host:
- Tailscale-backed network layout
- Server hardening
- OCI containers deployment
- nix modules deployment
- ZFS datasets with at rest encryption
- KVM compatible workflow for reboot
- Impermanence
- Reverse proxy
- OIDC + SSO
- Alerting
- Monitoring
- Observability
- Logs management
- Per container service CPU/memory limits
- Per nix service CPU/memory limits
- Dedicated node for blackbox monitoring
- Dedicated node for PSU monitoring
- Dedicated node for alerting
- Dedicated node for backup
ssh-keygen -t ed25519
mkdir -p ~/.config/sops/age
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"
Then add the printed public key to .sops.yaml
sops updatekeys secrets/secrets.yaml
sops secrets/secrets.yaml
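To check that the age1... recipient pasted into .sops.yaml really is the one for a given SSH key, here is what ssh-to-age computes for the public half, reimplemented as an added example (not code from ssh-to-age, age or sops): the Ed25519 point is mapped to its X25519 u-coordinate, then Bech32-encoded with the "age" prefix. The ssh-ed25519 line it parses is constructed from hashed bytes rather than a generated keypair, so it exercises the math but is not a usable key.

```python
"""Age recipient for an ssh-ed25519 public key, as ssh-to-age derives it.

Added example, not code from ssh-to-age, age or sops. Only the public-key
side is shown; the sample SSH key line below is constructed.
"""
import base64
import hashlib
import struct

P = 2**255 - 19  # field prime shared by Ed25519 and X25519
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # Bech32 alphabet (BIP 173)
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def parse_ssh_ed25519(line):
    """Return the 32 raw public-key bytes from an OpenSSH 'ssh-ed25519 AAAA...' line."""
    kind, blob = line.split()[:2]
    if kind != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 key")
    data, fields = base64.b64decode(blob), []
    while data:  # wire format: string(key type) || string(32-byte key)
        (n,) = struct.unpack(">I", data[:4])
        fields.append(data[4:4 + n])
        data = data[4 + n:]
    if fields[0] != b"ssh-ed25519" or len(fields[1]) != 32:
        raise ValueError("malformed ssh-ed25519 blob")
    return fields[1]


def ed25519_to_x25519(pub):
    """Montgomery u = (1 + y) / (1 - y) mod p; the x sign bit is dropped."""
    y = int.from_bytes(pub, "little") & ((1 << 255) - 1)
    if y == 1:
        raise ValueError("y = 1 has no Montgomery u-coordinate")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def bech32_polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def bech32_hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_checksum(hrp, data):
    polymod = bech32_polymod(bech32_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit string (8->5 when encoding, 5->8 when decoding)."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out


def bech32_encode(hrp, data):
    return hrp + "1" + "".join(CHARSET[d] for d in data + bech32_checksum(hrp, data))


def bech32_decode(s):
    """Return (hrp, payload bytes), raising if the checksum does not verify."""
    hrp, _, body = s.rpartition("1")
    data = [CHARSET.index(c) for c in body]
    if bech32_polymod(bech32_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad Bech32 checksum")
    return hrp, bytes(convertbits(data[:-6], 5, 8, pad=False))


def ssh_to_age_recipient(line):
    """The age1... recipient string for an ssh-ed25519 public-key line."""
    return bech32_encode("age", convertbits(ed25519_to_x25519(parse_ssh_ed25519(line)), 8, 5))


def make_sample_ssh_key():
    """Constructed sample: an OpenSSH public-key line around deterministic bytes (not a real key)."""
    raw = hashlib.sha256(b"constructed sample, not a real key").digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@host"


if __name__ == "__main__":
    print(ssh_to_age_recipient(make_sample_ssh_key()))
```

Feed it the contents of ~/.ssh/id_ed25519.pub and compare the output with what `age-keygen -y ~/.config/sops/age/keys.txt` prints; the two must match before that recipient is added to .sops.yaml, otherwise `sops updatekeys` will encrypt to a key the host cannot decrypt with.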