Start server setup from scratch with disko and nixos-anywhere

README.md

@@ -34,9 +34,9 @@ Refer to the respective host directories for more information.
 - [ ] Dev environments
 - [ ] Full Neovim setup
 - [x] Full nix-darwin setup with system configuration
-- [ ] Server setup
-  - [ ] Explore [disko](https://github.com/nix-community/disko) for declarative disk management
-  - [ ] Explore [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) for remote installation
+- [x] Server setup
+  - [x] Explore [disko](https://github.com/nix-community/disko) for declarative disk management
+  - [x] Explore [nixos-anywhere](https://github.com/nix-community/nixos-anywhere) for remote installation
 
 ## Useful resources
 - [NixOS & Flakes Book](https://nixos-and-flakes.thiscute.world/)

hosts/organ/README.md

@@ -4,3 +4,22 @@
 
 # organ
 ARM-based server running on Hetzner cloud
+
+## Setup
+1. Create a new server on Hetzner Cloud
+  - Tested with Ubuntu 24.04
+  - Arm64 architecture
+  - Assign an IPv4 and IPv6 address
+  - Add your SSH key
+2. Get the SSH keys from the server
+  ```sh
+  ssh-keyscan <server-ip>
+  ```
+3. Update the [`secrets.nix`](../../secrets/secrets.nix) file with the SSH key, and re-key all the relevant secrets
+4. Update [`networking.nix`](./networking.nix) with the correct IP addresses
+5. Run the following command from the root of the repository
+  ```sh
+  ./hosts/organ/install.sh
+  ```
+
+And that's it!

hosts/organ/default.nix

@@ -1,33 +1,44 @@
 {
   config,
   lib,
-  pkgs,
+  modulesPath,
   ...
 }: {
   imports =
     [
-      ./git.nix
-      ./hardware-configuration.nix
-      ./mail.nix
+      (modulesPath + "/profiles/qemu-guest.nix")
+      ./disko.nix
+      # ./git.nix
+      # ./mail.nix
       ./networking.nix
-      ./nginx.nix
+      # ./nginx.nix
       ./ssh.nix
-      ./syncthing.nix
+      # ./syncthing.nix
       ./users.nix
     ]
     ++ lib._.moduleImports [
       "common/nix"
       "common/packages"
-      "server/dns"
+      # "server/dns"
       "server/tailscale"
     ];
 
   age.secrets = lib._.defineSecrets ["organ-tailscale-auth-key"] {};
 
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      systemd-boot.configurationLimit = 5;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd.kernelModules = ["virtio_gpu"];
+    kernelParams = ["console=tty"];
+  };
+
   time.timeZone = "Europe/Prague";
 
   server = {
-    dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
+    #   dns.zones."jakubarbet.me" = ./dns/jakubarbet.me.zone;
     tailscale = {
       tailnet = "ide-vega.ts.net";
       tailscaleIpv4 = "100.67.2.27";

hosts/organ/disko.nix

@@ -0,0 +1,64 @@
+{
+  inputs,
+  lib,
+  ...
+}: {
+  imports = [inputs.disko.nixosModules.disko];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = lib.mkDefault "/dev/sda";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1M";
+          end = "128M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+            mountOptions = ["umask=0077"];
+          };
+        };
+        root = {
+          end = "-2G";
+          content = {
+            type = "btrfs";
+            extraArgs = ["-f"]; # Override existing partition
+            subvolumes = {
+              "/root" = {
+                mountpoint = "/";
+              };
+              "/home" = {
+                mountOptions = ["compress=zstd" "noatime"];
+                mountpoint = "/home";
+              };
+              "/persist" = {
+                mountOptions = ["compress=zstd" "noatime"];
+                mountpoint = "/persist";
+              };
+              "/nix" = {
+                mountOptions = ["compress=zstd" "noatime"];
+                mountpoint = "/nix";
+              };
+              "/log" = {
+                mountOptions = ["compress=zstd" "noatime"];
+                mountpoint = "/var/log";
+              };
+            };
+          };
+        };
+        swap = {
+          size = "100%";
+          content.type = "swap";
+        };
+      };
+    };
+  };
+
+  fileSystems."/var/log".neededForBoot = true;
+}

hosts/organ/install.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+organ_dir="$(dirname "$0")"
+networking_conf="$organ_dir/networking.nix"
+ipv4=$(sed -n 's/.*ipv4 = "\(.*\)".*/\1/p' "$networking_conf")
+ipv6=$(sed -n 's/.*ipv6 = "\(.*\)".*/\1/p' "$networking_conf")
+
+nix run github:nix-community/nixos-anywhere -- \
+  --build-on-remote \
+  --copy-host-keys \
+  --flake ".#organ" \
+  root@$ipv4

hosts/organ/networking.nix

@@ -1,9 +1,8 @@
-{config, ...}: let
-  ipv4 = "116.203.250.61";
-  ipv6 = "2a01:4f8:c012:58f4::";
+{...}: let
+  ipv4 = "116.202.110.124";
+  ipv6 = "2a01:4f8:c013:5899::";
 in {
   networking = {
-    hostName = "organ";
     domain = "jakubarbet.me";
     useDHCP = false;
     nameservers = ["1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
@@ -20,8 +19,8 @@ in {
       matchConfig.Name = "enp1s0";
       networkConfig.DHCP = "no";
       address = [
-        "${config.ipv4}/32"
-        "${config.ipv6}/64"
+        "${ipv4}/32"
+        "${ipv6}/64"
       ];
       routes = [
         {

hosts/organ/users.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: {
   age.secrets = lib._.defineSecrets ["organ-jakub-password-hash"] {};

modules/common/nix.nix

@@ -10,6 +10,8 @@
     # Enable support for nix commands and flakes
     settings.experimental-features = ["nix-command" "flakes"];
 
+    settings.trusted-users = ["root" "jakub"];
+
     # Pinning the registry to the system pkgs on NixOS
     registry.nixpkgs.flake = inputs.nixpkgs;
 

modules/server/tailscale.nix

@@ -20,25 +20,26 @@ with lib; {
     services = {
       # Let dnsmasq handle DNS resolution for the tailscale network
       bind = {
-        listenOn = ["!${config.tailscaleIpv4}"];
-        listenOnIpv6 = ["!${config.tailscaleIpv6}"];
+        listenOn = ["!${config.server.tailscale.tailscaleIpv4}"];
+        listenOnIpv6 = ["!${config.server.tailscale.tailscaleIpv6}"];
       };
 
       # Used to define DNS override for FQDN to tailscale IPs so devices
       # connected to the tailnet can access the site which is behind
       # an tailscale-auth protection
       dnsmasq = {
         enable = true;
+        resolveLocalQueries = false;
         settings = {
           bind-interfaces = true;
-          listen-address = "${config.tailscaleIpv4},${config.tailscaleIpv6}";
-          address = ["/${config.networking.fqdn}/${config.tailscaleIpv4}" "/${config.networking.fqdn}/${config.tailscaleIpv6}"];
+          listen-address = "${config.server.tailscale.tailscaleIpv4},${config.server.tailscale.tailscaleIpv6}";
+          address = ["/${config.networking.fqdn}/${config.server.tailscale.tailscaleIpv4}" "/${config.networking.fqdn}/${config.server.tailscale.tailscaleIpv6}"];
         };
       };
 
       nginx.tailscaleAuth = {
         enable = true;
-        expectedTailnet = config.tailnet;
+        expectedTailnet = config.server.tailscale.tailnet;
         virtualHosts = [config.networking.fqdn];
       };
 
@@ -57,7 +58,7 @@ with lib; {
     };
 
     networking.firewall = {
-      trustedInterfaces = config.services.tailscale.interfaceName;
+      trustedInterfaces = [config.services.tailscale.interfaceName];
     };
   };
 }