In this repository resides the configuration for my new homelab and some of my VPS hosts.
Technologies used:
- NixOS for the declarative OS and service configuration
- deploy-rs to deploy my NixOS configuration
- Terraform for the automated DNS and OVH configuration
- Backblaze for the cheap object storage
- Ansible for imperative configuration management with tasks, roles, etc.
- OKD is an OpenShift (Kubernetes) distribution without license requirements
- oVirt and oVirt Node are used on my single server to host my Kubernetes deployment
TODO: https://plantuml.com/nwdiag
- Create a VPS at `$HOSTING_PROVIDER`
- `nixos-infect` the VPS
- `nix run .#terraform-fhs` to get access to all the required variables and to be able to use the terraform-provider-b2.
- Get an API token from OVH and update secrets/ovh.yaml
- Get an API token from Cloudflare and update secrets/cloudflare.yaml
- Get an API token from Backblaze and update secrets/backblaze.yaml
- Create a Backblaze bucket and application key for that bucket for the Terraform state and update secrets/terraform-backend.yaml
All required secret keys are listed in the appropriate SOPS file in `secrets/`; the key names are public, but not their values.
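As an added example (not part of this repository), the following POSIX shell check verifies that files under `secrets/` actually hold only SOPS ciphertext: key names stay visible, as noted above, but every value must be an `ENC[...]` blob and each file must carry a top-level `sops:` metadata block. The sample files it writes into a temporary directory are constructed here with fake data, and the file names and the `check_sops_file` / `check_secrets_dir` functions are this example's own, not the repository's.

```sh
#!/bin/sh
# Added example, not from the repository: detect plaintext values in SOPS YAML
# files. Key names are expected to be public; values must all be ENC[...] blobs.
set -eu

# check_sops_file FILE
# Returns 0 if FILE has a top-level "sops:" metadata block and every
# "key: value" line before it (at any indentation) carries an ENC[...] value.
# Prints the offending key names to stderr and returns 1 otherwise.
check_sops_file() {
  f="$1"
  if ! grep -q '^sops:' "$f"; then
    echo "$f: no sops metadata block, file is not encrypted" >&2
    return 1
  fi
  bad=$(awk '
    /^sops:/ { exit }                                  # metadata block: stop
    /^[ \t]*[A-Za-z_][A-Za-z0-9_.-]*:[ \t]+[^ \t]/ {   # key with an inline value
      key = $1; sub(/:$/, "", key)
      val = $0; sub(/^[^:]*:[ \t]+/, "", val)
      if (val !~ /^ENC\[/) print key
    }' "$f")
  if [ -n "$bad" ]; then
    echo "$f: plaintext values for keys:" $bad >&2
    return 1
  fi
  return 0
}

# check_secrets_dir DIR: run the check over every *.yaml in DIR; fail if any fails.
check_secrets_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    check_sops_file "$f" || rc=1
  done
  return $rc
}

# --- constructed sample files (shape follows what sops emits; all values are fake)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Properly encrypted: key names visible, values are ENC[...] blobs.
GOOD_FILE="$SAMPLE_DIR/cloudflare.yaml"
cat >"$GOOD_FILE" <<'EOF'
api_token: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
zone:
    id: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
sops:
    age:
        - recipient: age1exampleexampleexampleexampleexampleexampleexampleexamplex
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ZmFrZQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]
    version: 3.7.3
EOF

# Broken: one value was pasted in the clear after the file was encrypted.
BAD_FILE="$SAMPLE_DIR/ovh.yaml"
cat >"$BAD_FILE" <<'EOF'
application_key: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
consumer_key: not-actually-encrypted
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:YmFy,tag:YmF6,type:str]
    version: 3.7.3
EOF

# Broken: never encrypted at all (no sops: block).
PLAIN_FILE="$SAMPLE_DIR/backblaze.yaml"
printf 'key_id: 004abc\napplication_key: K004abc\n' >"$PLAIN_FILE"

# Usage: the exit status of the directory check says whether the tree is clean.
check_secrets_dir "$SAMPLE_DIR" && echo "all secrets encrypted" || echo "FIX: plaintext in $SAMPLE_DIR"
```

Run it as a pre-commit hook or in CI against the real `secrets/` directory by calling `check_secrets_dir secrets`. It only inspects `key: value` lines, so a plaintext YAML list item or a quoted scalar would not be flagged; extend the awk pattern if your files use those shapes.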
```sh
cd terraform && terraform init
```

```sh
$ sops -i secrets/cloudflare.yaml
# edit stuff in $EDITOR, then :wq
# File is encrypted inline

$ sops exec-env secrets/some-file bash
bash-4.4$
```

The Terraform state is managed outside of the repository in a B2 bucket.
Terraform needs to be run from the FHS provided in the flake default package because the Backblaze B2 provider extracts a binary embedded in its own binary, and the paths in that binary need to be `patchelf`'d.

`nix-shell` will spawn you in the FHS with the required packages for the Terraform B2 plugin to work.
Retention settings for the dovecot email bucket: 30 days
This requires the kustomize-sops plugin. This plugin is automatically exposed in the flake shell.

To encrypt a secret, for instance:

```sh
sops -i -e k8s/something/overlays/prod/secrets/some-secret
```
For instance:

```sh
deploy .#mouse --auto-rollback=false
```
I host different services on my NixOS VMs.