This repository contains NixOS configurations for multiple machines in the drkr.io domain:

- `core`: Base server providing authentication services
- `media`: Media server with NVIDIA Quadro P400 driver support
- `builder`: Build server with Hydra CI and Nix cache
- `public-1` and `public-2`: Public-facing VM servers with DNS (Blocky) and NTP services
- `dvr`: Digital Video Recorder running on a Raspberry Pi
- `monitoring`: Monitoring server with Prometheus, Grafana, Loki, and Tempo
1. Install NixOS following the official guide
2. Clone this repository:

   ```bash
   sudo mkdir -p /etc/nixos/
   git clone https://github.com/yourusername/nix-config.git /etc/nixos
   ```

3. Create a hardware configuration for your machine:

   ```bash
   nixos-generate-config --show-hardware-config > /etc/nixos/hosts/your-machine/hardware-configuration.nix
   ```

4. Customize your configuration:
   - Copy an existing configuration from a similar machine
   - Update the hostname and any hardware-specific settings
   - Set up SOPS (see below)
5. Apply the configuration:

   ```bash
   nixos-rebuild switch --flake .#your-machine
   ```
This configuration uses SOPS-Nix for secret management. The setup has been completed with your AGE key, and a comprehensive guide is available in SOPS-SETUP.md.
- Your personal AGE key is configured at `~/.config/sops/age/keys.txt`
  - Public key: `age198e00r627fttqxts3qmdrvenc60uw6e468rpnp0eh9juprps6gcq2vgh5h`
- The `.sops.yaml` file is configured to encrypt secrets for:
  - You personally (for local development)
  - Each machine using its SSH host key (for production)
- Secret files are set up at:
  - `hosts/common/secrets.yaml`: Shared secrets for all machines
  - `hosts/<machine>/secrets.yaml`: Machine-specific secrets
- View or edit encrypted secrets:

  ```bash
  sops hosts/common/secrets.yaml
  sops hosts/core/secrets.yaml
  ```

- Reference secrets in configuration:

  ```nix
  # Define the secret (decrypted to a root-only file at activation time)
  sops.secrets."tailscale/auth_key" = {
    owner = "root";
    group = "root";
    mode = "0400";
  };

  # Use the secret by path; the value never enters the Nix store
  services.tailscale = {
    enable = true;
    authKeyFile = config.sops.secrets."tailscale/auth_key".path;
  };
  ```

- Secret access from containers: mount the decrypted secret path into the container:

  ```nix
  volumes = [
    "${config.sops.secrets."auth_container/admin_password".path}:/run/secrets/admin_password"
  ];
  ```
For each new machine:

1. First boot the machine with SSH host keys generated:

   ```bash
   nixos-rebuild switch --flake .#your-machine
   ```

2. Get the AGE key from the SSH host key:

   ```bash
   ssh root@your-machine "cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age"
   ```

3. Update `.sops.yaml` with the machine's AGE key
4. Re-encrypt all relevant secrets:

   ```bash
   sops updatekeys hosts/your-machine/secrets.yaml
   sops updatekeys hosts/common/secrets.yaml
   ```
See SOPS-SETUP.md for complete details on adding new machines or rotating keys.
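A `.sops.yaml` that implements the key layout described above: the personal key plus one host-derived key per machine, with the shared file readable by every machine and each machine-specific file readable only by that machine. This is an added example, not the repository's own file; the machine keys are placeholders to be replaced with each host's `ssh-to-age` output, and only `core` and `media` are shown.

```yaml
# .sops.yaml (constructed example)
keys:
  # Personal key from ~/.config/sops/age/keys.txt (public key given in this README)
  - &admin age198e00r627fttqxts3qmdrvenc60uw6e468rpnp0eh9juprps6gcq2vgh5h
  # Machine keys: output of `ssh-to-age` on each host's ssh_host_ed25519_key.pub
  # PLACEHOLDER values; substitute the real age1... recipients
  - &core  age1PLACEHOLDER_CORE_HOST_KEY
  - &media age1PLACEHOLDER_MEDIA_HOST_KEY

creation_rules:
  # Shared secrets: the admin plus every machine that deploys them
  - path_regex: hosts/common/secrets\.yaml$
    key_groups:
      - age:
          - *admin
          - *core
          - *media

  # Machine-specific secrets: the admin plus that one machine only
  - path_regex: hosts/core/secrets\.yaml$
    key_groups:
      - age:
          - *admin
          - *core

  - path_regex: hosts/media/secrets\.yaml$
    key_groups:
      - age:
          - *admin
          - *media
```

With a single key group per rule, any one listed recipient can decrypt the file, so a host key that is absent from a rule cannot read that file even if the host is compromised. Editing this file changes nothing on disk until `sops updatekeys` is run against each affected secrets file, as the steps above describe.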
This configuration forwards your SSH agent to remote machines. To use it:

1. Start the SSH agent and add your key:

   ```bash
   eval $(ssh-agent)
   ssh-add ~/.ssh/id_ed25519
   ```

2. Connect to any machine with agent forwarding:

   ```bash
   ssh your-machine
   ```

3. Use your local SSH key on the remote machine:

   ```bash
   ssh-add -l   # Should show your key
   git clone git@github.com:your-private-repo/example.git   # Works!
   ```
To add a new machine to this repository:

1. Create a new directory for the machine:

   ```bash
   mkdir -p hosts/new-machine/services
   ```

2. Create basic configuration files:

   ```bash
   cp hosts/core/default.nix hosts/new-machine/
   ```

3. Generate the hardware configuration:

   ```bash
   nixos-generate-config --show-hardware-config > hosts/new-machine/hardware-configuration.nix
   ```

4. Add the machine to `flake.nix`
5. Set up SOPS keys for the machine
6. Apply the configuration:

   ```bash
   nixos-rebuild switch --flake .#new-machine
   ```