NixOS config for remote servers with little connectivity and little on-site expertise.
TODO https://nixos.org/nixos/download.html
TODO: is the tunnel private key the one of the relay server??? Swap public/private?
If you want to specify a GraphQL endpoint other than https://graphql.platyplus.io:
export API_ENDPOINT=https://endpoint.com
If you want to specify a hard drive other than /dev/sda:
export TGTDEV=/dev/xxx
Run the installation script (fetch and read install.sh first rather than piping an unreviewed script straight into bash), then install NixOS:
curl https://raw.githubusercontent.com/platyplus/remote-host/master/install.sh | bash
nixos-install --no-root-passwd --max-jobs 4
TODO: network...
Remove the USB key and reboot the system.
ssh from the tunnel?
ssh xxx@platyplus.io -p 2222
sudo nix-channel --list
sudo nix-channel --add https://nixos.org/channels/nixos-18.03 nixos
sudo nixos-rebuild switch --upgrade --install-bootloader
See NixOS infect and this tutorial
Create the data partition, using up the remaining space in the volume group
sudo lvcreate -l 100%FREE -n nixos_data LVMVolGroup
Create the encrypted LUKS volume on top of it. Use a strong passphrase, preferably 128 characters long and randomly generated by a password manager, and make sure the passphrase is stored securely in that password manager: without it the volume cannot be recovered.
sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat --type luks2 /dev/LVMVolGroup/nixos_data
Next, we open the volume and create a filesystem on it
sudo cryptsetup open /dev/LVMVolGroup/nixos_data nixos_data_decrypted
sudo mkfs.ext4 -L nixos_data /dev/mapper/nixos_data_decrypted
sudo tune2fs -m 0 /dev/disk/by-label/nixos_data
We will mount the encrypted filesystem on /opt:
sudo mkdir /opt
sudo mount /dev/disk/by-label/nixos_data /opt
Next we will bind mount /var/lib/docker into the encrypted volume at /opt/docker. Make sure docker is not running; if it is, run these commands first (note that the rm step deletes any existing images, containers and volumes under /var/lib/docker):
sudo systemctl stop docker.socket
sudo systemctl stop docker.service
sudo rm -r /var/lib/docker/
Then create the bind mount:
sudo mkdir /opt/docker
sudo mkdir /var/lib/docker
sudo mount --bind /opt/docker/ /var/lib/docker
Finally, we will add a keyfile so the encrypted volume can be unlocked automatically at boot. Because /keyfile lives on the unencrypted root filesystem, anyone with read access to that disk can unlock the data volume; the passphrase set above remains the only secret that is not stored on the machine itself.
sudo dd bs=512 count=4 if=/dev/urandom of=/keyfile
sudo chown root:root /keyfile
sudo chmod 0600 /keyfile
sudo cryptsetup luksAddKey /dev/LVMVolGroup/nixos_data /keyfile
Now enable crypto.nix in settings.nix to have automounting at boot time, then reboot to test.
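A crypto.nix module that wires the pieces above together at boot, written here as an added example and not the repository's own file. It assumes NixOS honours /etc/crypttab through systemd's cryptsetup generator and that docker is managed by the virtualisation.docker module; the device names, label and keyfile path are the ones used in the steps above.

```nix
# crypto.nix (example, not the project's file): unlock the LUKS data
# volume with the keyfile at boot, mount it on /opt and bind /var/lib/docker
# into it. Import this file from settings.nix.
{ config, lib, pkgs, ... }:

{
  # systemd-cryptsetup reads /etc/crypttab after the root filesystem is up.
  # Format: <mapper name> <underlying device> <keyfile> <options>
  # The keyfile sits on the unencrypted root, so root-disk access unlocks
  # this volume; it only protects the data partition when taken on its own.
  environment.etc."crypttab".text = ''
    nixos_data_decrypted /dev/LVMVolGroup/nixos_data /keyfile luks
  '';

  # The ext4 filesystem created with mkfs.ext4 -L nixos_data. The by-label
  # device only appears once cryptsetup has opened the mapping, so the
  # mount unit waits for the unlock automatically.
  fileSystems."/opt" = {
    device = "/dev/disk/by-label/nixos_data";
    fsType = "ext4";
  };

  # Bind mount replicating `mount --bind /opt/docker /var/lib/docker`.
  # `depends` makes systemd mount /opt before attempting the bind.
  fileSystems."/var/lib/docker" = {
    device = "/opt/docker";
    options = [ "bind" ];
    depends = [ "/opt" ];
  };

  # docker.service must start after its data directory is in place
  # (assumed: docker is enabled through the NixOS module).
  virtualisation.docker.enable = true;
  systemd.services.docker = {
    after = [ "var-lib-docker.mount" ];
    requires = [ "var-lib-docker.mount" ];
  };
}
```

After `nixos-rebuild switch`, `systemctl status systemd-cryptsetup@nixos_data_decrypted.service var-lib-docker.mount` shows whether the unlock and both mounts came up in order.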