
antholeole/home-server


My Home Server

Demo

Try out one of my services: draw.oleina.xyz

Below is an image of the tldraw instance, in case it's down for any reason.

Image of my tldraw page

Writeups


This is my tiny home server! It uses k3s and NixOS.

  • Services are exposed to the internet using Cloudflare tunnels.
  • Custom containers are built using nix-snapshotter.
  • In general, any cloud infra is Cloudflare: DNS, domains, etc.
  • Colmena, nixos-anywhere, and disko are used for hardware management.
  • Secrets are stored in this repo, under either sops-nix or sealed-secrets, depending on whether they are needed at build time by Nix modules or can be decrypted at runtime as a Kubernetes secret.

It runs on a small Lenovo server. The frontend is a Surface Go running KDE Plasma. I do have a second node ready to be stood up, but I have no reason to have the extra power draw currently, since I'm only running a single service.

Developing on a new machine

You need a master key to decrypt the secrets: run rage-keygen -o ~/.secrets/age-pk.age, then add the new key to secrets/secrets.nix as a master key. An existing master key then has to rekey all the secrets so the new master key can decrypt them.

Using

The instructions below assume that you are me; that is, the configuration of your devices is exactly the same. You should read this disclaimer as "this repo is useless unless you change all the constants first". These constants reside in ssot.nix.

Bootstrapping a node

This documentation is mostly for myself; I wouldn't expect it to be very helpful for others unless they copy my exact setup.

  1. Build an ISO with nix build .#bootable-sio.
  2. Write the ISO to a USB drive with dd: sudo dd if=./result/iso/nixos-minimal-25.05pre-git-x86_64-linux.iso of=/dev/sda bs=4M status=progress oflag=sync
  3. Plug a direct ethernet connection into the device; it needs to have an IP. Turn the device on with the bootable stick inserted. If you're lucky, the BIOS boot order is already right and you can do this headlessly. Otherwise connect a monitor, enter the BIOS, and make USB boot first.
  4. Make note of the device's IP from arp-scan. If it is connected properly, it should "show up". The bootable ISO's hostname is "boot", so if you ssh into a device and the hostname is boot, you've found it.
  5. Make sure you have a Colmena config for that device and a NixOS configuration in default.nix. In ./hosts/<device>/default.nix, you should set networking.hostName and create an empty directory called "secrets".
{flake-config, ...}: {
  imports = with flake-config.flake.modules.nixos; [
    # will be generated. comment this out the first run.
    ./hardware-config.nix
    boilerplate
    disk-efi
  ];

  networking.hostName = "whatever";
  # lsblk on the host. Don't select the external drives (/dev/sda)
  diskName = "/dev/nvme01";
  # get this from ssh-keyscan `ip`
  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAt+996k/n+fGtlQFsrXOeSzfgLKF3tHhOd3sonLLH3b";
}
  6. Run agenix rekey as described in the instructions above. You should see rekeying <hostname> nm-secrets.
  7. nixos-anywhere --generate-hardware-config nixos-facter ./hosts/<device>/facter.json --flake .#<device> root@boot.lan will format the disk and generate the hardware config, as well as install the NixOS configuration on the device.
  8. Unfortunately, you now have to redo ssh-keyscan, fix age.rekey.hostPubkey, regenerate the secrets, and run colmena apply --impure to re-upload the newly keyed secrets to all systems.
  9. While still wired, ssh into the device and double check that wifi is working. The router is likely to give it a different IP once you get off ethernet, so you'll probably have to arp-scan again.
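The discovery and key-capture steps above (find the host that answers to hostname "boot", turn ssh-keyscan output into the age.rekey.hostPubkey value, and assemble the nixos-anywhere command) as a small shell helper. This is an added example, not a script from antholeole/home-server: the arp-scan and ssh-keyscan output it parses is constructed sample data with placeholder keys and the fake_hostname_lookup table stands in for the ssh round trip, so it runs offline. One check worth keeping in mind: reading the host key with ssh-keyscan over the LAN is trust-on-first-use, so comparing it against the key fingerprint the freshly booted device shows on its console is what confirms you keyed the right machine.

```shell
#!/bin/sh
# Added example (not part of antholeole/home-server). Helpers for the bootstrap
# steps in the README. All sample output below is constructed; the hostname
# "boot", the age.rekey.hostPubkey option and the nixos-anywhere flags come
# from the README itself.

# Constructed arp-scan output, roughly what `sudo arp-scan --localnet` prints.
SAMPLE_ARP_SCAN='Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.0.2.1
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.0.2.10    aa:bb:cc:dd:ee:01    Lenovo
192.0.2.23    aa:bb:cc:dd:ee:02    (Unknown)

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.1 seconds (121.90 hosts/sec). 2 responded'

# Constructed ssh-keyscan output for one host; the key material is a placeholder.
SAMPLE_KEYSCAN='# 192.0.2.10:22 SSH-2.0-OpenSSH_9.9
192.0.2.10 ssh-rsa AAAAB3PLACEHOLDERRSA
192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERED25519'

# Step 4: pull the responding IPv4 addresses out of arp-scan output (stdin).
arp_scan_ips() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# Step 4: the bootable ISO identifies itself with hostname "boot". $1 names a
# command that, given an IP, prints that host's hostname (in real use:
# `ssh -o BatchMode=yes root@$ip hostname`). Prints the first IP that answers
# "boot" and returns 1 if none does.
find_boot_host() {
  lookup=$1
  for ip in $(arp_scan_ips); do
    if [ "$("$lookup" "$ip" 2>/dev/null)" = "boot" ]; then
      echo "$ip"
      return 0
    fi
  done
  return 1
}

# Offline stand-in for the ssh hostname round trip (constructed table).
fake_hostname_lookup() {
  case $1 in
    192.0.2.10) echo boot ;;
    *) echo other ;;
  esac
}

# Steps 5 and 8: turn ssh-keyscan output (stdin) into the value stored in
# age.rekey.hostPubkey. Comment lines are skipped, only the ed25519 key is
# kept, and the leading hostname column is dropped, matching the form in the
# default.nix snippet above.
keyscan_to_host_pubkey() {
  awk '$1 !~ /^#/ && $2 == "ssh-ed25519" { print $2, $3; exit }'
}

# Step 7: the README's nixos-anywhere invocation on one line, for a host
# directory name ($1) and a target address ($2).
nixos_anywhere_cmd() {
  printf 'nixos-anywhere --generate-hardware-config nixos-facter ./hosts/%s/facter.json --flake .#%s root@%s\n' "$1" "$1" "$2"
}

# Stand-alone run over the constructed samples.
boot_ip=$(printf '%s\n' "$SAMPLE_ARP_SCAN" | find_boot_host fake_hostname_lookup) || {
  echo "no host answering to hostname boot" >&2
  exit 1
}
echo "boot host: $boot_ip"
echo "age.rekey.hostPubkey = \"$(printf '%s\n' "$SAMPLE_KEYSCAN" | keyscan_to_host_pubkey)\";"
nixos_anywhere_cmd whatever boot.lan
```

To use it against a real LAN, pipe `sudo arp-scan --localnet` into find_boot_host with a lookup function that runs ssh, and pipe `ssh-keyscan <ip>` into keyscan_to_host_pubkey; the printed line can be pasted straight into ./hosts/<device>/default.nix.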

Colmena will manage the systems from then on.

Edit an agenix secret

There seems to be a bug where the nonexistence of a key causes rekey to fail.

You can work around it by specifying the public key explicitly: AGENIX_REKEY_PRIMARY_IDENTITY=<pubkey> agenix edit.

Edit a kubeseal secret

Activate the devshell, then run seal <secret name>.

What isn't reproducible

  • An R2 bucket was created manually on Cloudflare.
