New Host Checklist
Provisioning
- Add terraform entry for VM, then run
terraform plan, verify, and thenterraform apply - Follow nixOS provisioning steps
NixOS Configuration
- Create/copy config folder for host with intended name in hosts i.e. hosts/hostname. Copy the default.nix template, and the hardware-configuration.nix file from the actual host after installation
- Add the systemd-boot bootloader config to hardware-configuration.nix for the host
- Generate SOPS/Age private key and paste to /var/lib/sops/age/keys.txt
- Generate SOPS/Age public key and paste to .sops.yaml, create separate config section
- If backups are needed for this host, create the borgmatic_pass section with local and remote subkeys, generate passwords in secrets/{hostname}.yml
- This is the bare minimum configuration for the encrypted sops file:
borgmatic_pass: local: someStrongPassword remote: someOtherStrongPassword
- This is the bare minimum configuration for the encrypted sops file:
Manual Steps
- If borgmatic was configured, follow these steps below
- Add the ssh host's ssh host public key to the backup server's configuration
- Copy the ssh host's ssh host public key to the rsyncnet authorized_keys file, then push up to rsync.net account
- Manually run the command
borgmatic -v 2to get the unknown ssh host prompt to appear, select yes for both