platyplus / remote-host


NixOS

NixOS config for remote servers with limited connectivity and few locally available skills.

Installing NixOS automatically

Prepare a bootable USB key

TODO https://nixos.org/nixos/download.html

Install NixOS from the installation script

TODO: is the tunnel private key the one of the relay server? Should public and private be swapped?

If you want to specify a graphql endpoint other than https://graphql.platyplus.io:

export API_ENDPOINT=https://endpoint.com

If you want to specify a hard drive other than /dev/sda:

export TGTDEV=/dev/xxx

Run the installation script, then install NixOS:

curl https://raw.githubusercontent.com/platyplus/remote-host/master/install.sh | bash
nixos-install --no-root-passwd --max-jobs 4

TODO: network...

Remove the USB key and reboot the system.

Update to the correct NixOS channel

ssh from the tunnel?

ssh xxx@platyplus.io -p 2222
sudo nix-channel --list
sudo nix-channel --add https://nixos.org/channels/nixos-18.03 nixos
sudo nixos-rebuild switch --upgrade --install-bootloader

Installing NixOS on a Digital Ocean droplet

See NixOS infect and this tutorial

TODO: Creating an encrypted data partition

Create the data partition, using up the remaining space in the volume group

sudo lvcreate -l 100%FREE -n nixos_data LVMVolGroup

Create the encrypted LUKS volume on top of it. Use a strong passphrase, preferably 128 characters and randomly generated by a password manager, and make sure the passphrase is stored securely in the password manager!

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat --type luks2 /dev/LVMVolGroup/nixos_data

Next, we open the volume and create a filesystem on it:

sudo cryptsetup open /dev/LVMVolGroup/nixos_data nixos_data_decrypted
sudo mkfs.ext4 -L nixos_data /dev/mapper/nixos_data_decrypted
sudo tune2fs -m 0 /dev/disk/by-label/nixos_data

We will mount the encrypted filesystem on /opt:

sudo mkdir /opt
sudo mount /dev/disk/by-label/nixos_data /opt

Next we will bind mount /var/lib/docker into the encrypted volume at /opt/docker. Make sure Docker is not running; if it is, run these commands first:

sudo systemctl stop docker.socket
sudo systemctl stop docker.service
sudo rm -r /var/lib/docker/

Otherwise, or after this, create the mount:

sudo mkdir /opt/docker
sudo mkdir /var/lib/docker
sudo mount --bind /opt/docker/ /var/lib/docker

Finally, we will add a keyfile so the encrypted volume can be unlocked automatically on boot:

sudo dd bs=512 count=4 if=/dev/urandom of=/keyfile
sudo chown root:root /keyfile
sudo chmod 0600 /keyfile

sudo cryptsetup luksAddKey /dev/LVMVolGroup/nixos_data /keyfile

Now enable crypto.nix in settings.nix to have automounting at boot time and reboot to test.
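What such a crypto.nix module might contain, as an added example and not the project's own file: it uses the NixOS `fileSystems.<name>.encrypted` options and assumes the device, label and keyfile paths from the commands above.

```nix
# Added example of a NixOS module for the encrypted data volume set up above.
# Not the project's own crypto.nix; device names and paths are the ones used
# in the commands on this page.
{ config, lib, pkgs, ... }:

{
  # The LUKS container is unlocked in stage 1, after the root filesystem has
  # been mounted under /mnt-root, using the keyfile added with luksAddKey.
  # Because /keyfile lives on the unencrypted root filesystem, the data is only
  # protected against access to a copy of the LV alone; whoever holds the whole
  # disk can read the keyfile too, so treat the root filesystem accordingly.
  fileSystems."/opt" = {
    device = "/dev/disk/by-label/nixos_data";
    fsType = "ext4";
    encrypted = {
      enable = true;
      blkDev = "/dev/LVMVolGroup/nixos_data";  # LV holding the LUKS container
      label = "nixos_data_decrypted";          # /dev/mapper/nixos_data_decrypted
      keyFile = "/mnt-root/keyfile";           # /keyfile on root, as seen from the initrd
    };
  };

  # Bind mount /var/lib/docker onto the encrypted volume; /opt is mounted first.
  fileSystems."/var/lib/docker" = {
    device = "/opt/docker";
    options = [ "bind" ];
    depends = [ "/opt" ];
  };

  # Re-assert the keyfile ownership and mode on every boot.
  systemd.tmpfiles.rules = [
    "z /keyfile 0600 root root -"
  ];
}
```

After `nixos-rebuild switch`, `lsblk` should show nixos_data_decrypted mounted on /opt and `findmnt /var/lib/docker` should report the bind source /opt/docker.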