Tristan Daniël Maat
05b6738c85
This will reject connections from anywhere except 127.0.0.1, i.e., the pod's network namespace. This makes password authentication properly obsolete, instead of just hiding the password (but still never authenticating with it), but required a change upstream: https://github.com/docker-library/postgres/pull/859 |
||
---|---|---|
configuration | ||
keys | ||
lib | ||
modules | ||
pkgs | ||
.gitignore | ||
flake.lock | ||
flake.nix | ||
LICENSE | ||
README.md |
tlater.net server configuration
This is the NixOS configuration for tlater.net.
Testing
Building
Build the VM with:
nixos-rebuild build-vm --flake '.#vm'
Running
Note: M-2 will bring up a console for poweroff and such
Running should mostly be as simple as running the command the build script echos.
One caveat: create a larger disk image first. This can be done by running the following in the repository root:
qemu-img create -f qcow2 ./tlaternet.qcow2 20G
Everything else should be handled by the devShell.
New services
Whenever a new service is added, append an appropriate
,hostfwd=::3<port>:<port>
to the QEMU_NET_OPTS
specified in
flake.nix
to bind the service to a host port.
There is no way to test this without binding to the host port, sadly.
Deploying
Currently the deployment process is fully manual because there is no CI system.
Nix makes this fairly painless, though, it's simply:
nixos-rebuild switch --use-remote-sudo --target-host tlater.net --build-host localhost --flake .#tlaternet
This has the added benefit of running the build on the dev machine, which is 99% of the time much faster at building than the target (though artifact upload may take some time on slow connections).
Note that this also requires the current local user to also be present
on the target host, as well as for this user to be in the target
host's wheel group. See nix.trustedUsers
.