curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post(nixos): discourage nix-env

This commit is contained in:
Ming Di Leom 2024-07-25 10:55:33 +00:00
parent df9009f987
commit d2c6db25d3
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
3 changed files with 57 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
source/_posts/caddy-nixos-part-1.md
View File

@ -4,10 +4,10 @@ excerpt: "Part 1: Installing NixOS"
date: 2020-02-23
updated: 2021-02-22
tags:
- server
- linux
- caddy
- nixos
- server
- linux
- caddy
- nixos
series: first
---
@ -58,13 +58,13 @@ NixOS has a detailed installation [guide](https://nixos.org/nixos/manual/index.h
1. The LiveCD automatically login as "nixos". Simply switch to the root shell. You could setup SSH before installation. Personally I can accept the KVM console latency and I didn't want to open another port, so I never bother.
``` sh
```sh
sudo -s
```
2. Create the necessary partitions. I went with the classic MBR since my VPS provider still supports it and I don't need 2 TB partition. I set up a "swap" partition due to having a tiny RAM; if you have less than 2 GB RAM, it's better to have it, otherwise the `nixos-install` step would fail.
``` sh
```sh
# Most KVM-powered VPS use "/dev/vda" naming scheme (instead of "/dev/sda")
# Check the output of `ls /dev/` to make sure
parted /dev/vda -- mklabel msdos
@ -79,7 +79,7 @@ parted /dev/vda -- mkpart primary linux-swap -1GiB 100%
3. Format the partitions.
``` sh
```sh
mkfs.btrfs -L nixos /dev/vda1
# Or "mkfs.ext4" if preferred
@ -88,35 +88,35 @@ mkswap -L swap /dev/vda2
4. Mount the partitions.
``` sh
```sh
mount /dev/disk/by-label/nixos /mnt
swapon /dev/vda2
```
5. Generate the configs. This generates "configuration.nix" and "hardware-configuration.nix".
``` sh
```sh
nixos-generate-config --root /mnt
```
6. I replaced the generated "configuration.nix" with my own "configuration.nix". Before uploading the config to the server, I did the following change,
1. Replace "/dev/sda" with "/dev/vda" in `boot.loader.grub.device`
2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`)
3. Encrypt the file using 7zip before upload.
1. Replace "/dev/sda" with "/dev/vda" in `boot.loader.grub.device`
2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`)
3. Encrypt the file using 7zip before upload.
``` sh
# This is much less memory-intensive than `nix-env -i package`
# wormhole-william is Go-implementation of magic-wormhole
# Available in 20.09+
nix-env -f '<nixpkgs>' -iA google-authenticator p7zip usbguard wormhole-william
```sh
# This is much less memory-intensive than `nix-env -i package`
# wormhole-william is Go-implementation of magic-wormhole
# Available in 20.09+
nix-shell -p google-authenticator p7zip usbguard wormhole-william
cd /tmp
wormhole-william receive configuration.7z
7z x configuration.7z
cd /tmp
wormhole-william receive configuration.7z
7z x configuration.7z
cp configuration.nix /mnt/etc/nixos/
```
cp configuration.nix /mnt/etc/nixos/
```
7. Install it without setting root password (so that root remains disabled)
@ -128,7 +128,7 @@ nixos-install --no-root-passwd
9. Once the installation is done, before shutting down, secure delete the downloaded files.
``` sh
```sh
shred -uz configuration.7z configuration.nix
```
@ -136,7 +136,7 @@ shred -uz configuration.7z configuration.nix
Following is my "configuration.nix". I'll show you how to secure NixOS using hashed password, firewall, DNS-over-TLS and USBGuard in my next post. After that, I'll show you how to setup Caddy and Tor (they are disabled for now).
``` nix /etc/nixos/configuration.nix
```nix /etc/nixos/configuration.nix
{ config, pkgs, ... }:
{

4
source/_posts/caddy-nixos-part-2.md
View File

@ -29,10 +29,10 @@ Following diagram shows the architecture behind this website.
## Prerequisites
Before proceeding to the rest of this guide, there are some system packages that you need to install.
Before proceeding to the rest of this guide, there are some packages that you need to install.
```
$ nix-env -f '<nixpkgs>' -iA google-authenticator p7zip usbguard wormhole-william
$ nix-shell -p google-authenticator p7zip usbguard wormhole-william
```
## Disable mutableUsers

61
source/_posts/caddy-nixos-part-3.md
View File

@ -4,11 +4,11 @@ excerpt: "Part 3: Configure Caddy"
date: 2020-03-14
updated: 2022-07-08
tags:
- server
- linux
- caddy
- nixos
- cloudflare
- server
- linux
- caddy
- nixos
- cloudflare
series: true
---
@ -30,7 +30,7 @@ This post is Part 2 of a series of articles that show you how I set up Caddy and
In NixOS, Caddy can be easily configured through "configuration.nix", without even touching a Caddyfile, if you have a rather simple setup. For example, to serve static files from "/var/www/" folder,
``` nix configuration.nix
```nix configuration.nix
services.caddy = {
enable = true;
email = example@example.com;
@ -53,7 +53,7 @@ A package is installed in `/nix/store/<hash>/` folder and that hash is what make
1. Locate the binary in "/nix/store" by checking `$ systemctl status caddy`. This is only available when caddy service is enabled in "configuration.nix". Disabling the service will remove the package.
2. Install it as a system package using `environment.systemPackages`.
3. Install it as a user package using `$ nix-env -f '<nixpkgs>' -iA caddy`.
3. Install it as a user package using Home Manager (recommended), [ad-hoc shell](https://nix.dev/tutorials/first-steps/ad-hoc-shell-environments.html) or `$ nix-env -iA nixpkgs.caddy` ([discouraged](https://stop-using-nix-env.privatevoid.net/)).
caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use case because I'm not binding caddy to port < 1024.
@ -61,7 +61,7 @@ caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use
I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configurationnix)" section later in this guide.
``` nix /etc/caddy/caddyProxy.nix
```nix /etc/caddy/caddyProxy.nix
{ config, lib, pkgs, ... }:
with lib;
@ -186,9 +186,9 @@ If you followed my {% post_link caddy-nixos-part-2 'Part 2' %} guide, you should
### Initial setup
Set up Caddy to listen on apex domain and www.* on port 4430
Set up Caddy to listen on apex domain and www.\* on port 4430
``` plain Caddyfile
```plain Caddyfile
mdleom.com:4430 www.mdleom.com:4430 {
}
@ -234,7 +234,7 @@ If you prefer to redirect apex to www,
Aside from reverse proxy to curben.netlify.app, I also configured my Netlify website to use Statically CDN for on-the-fly image processing. My current [config](https://gitlab.com/curben/blog) is:
``` plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects
```plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects
/img/* https://cdn.statically.io/img/:splat 200
/screenshot/* https://cdn.statically.io/screenshot/curben.netlify.app/:splat 200
/files/* https://gitlab.com/curben/blog/-/raw/site/:splat 200
@ -242,7 +242,7 @@ Aside from reverse proxy to curben.netlify.app, I also configured my Netlify web
In Caddyfile, the config can be expressed as:
``` plain
```plain
handle /img/* {
reverse_proxy https://cdn.statically.io
}
@ -270,38 +270,39 @@ In Caddyfile, the config can be expressed as:
To make sure Caddy sends the correct `Host:` header to the upstream/backend locations, I use `header_up` option,
{% codeblock mark:5,13,18 %}
handle /img/* {
reverse_proxy https://cdn.statically.io {
header_up Host cdn.statically.io
}
}
handle /img/\* {
reverse_proxy https://cdn.statically.io {
header_up Host cdn.statically.io
}
}
handle_path /screenshot/* {
rewrite * /screenshot/mdleom.com{path}
handle*path /screenshot/* {
rewrite \_ /screenshot/mdleom.com{path}
reverse_proxy https://cdn.statically.io {
header_up Host cdn.statically.io
}
}
reverse_proxy https://curben.netlify.app {
header_up Host curben.netlify.app
}
}
reverse_proxy https://curben.netlify.app {
header_up Host curben.netlify.app
}
{% endcodeblock %}
If there are multiple backends for the reverse_proxy, it's better to use a placeholder instead of hardcording the `Host` header.
{% codeblock mark:2 %}
reverse_proxy https://curben.pages.dev https://curben.netlify.app {
header_up Host {http.reverse_proxy.upstream.host}
}
reverse_proxy https://curben.pages.dev https://curben.netlify.app {
header_up Host {http.reverse_proxy.upstream.host}
}
{% endcodeblock %}
### Add or remove headers
To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives.
``` Caddyfile
```Caddyfile
(removeHeaders) {
header_up -cdn-loop
header_up -cf-cache-status
@ -417,7 +418,7 @@ I also add the `Cache-Control` and `Referrer-Policy` to the response header. Use
Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor Onion' %} and {% post_link i2p-eepsite-nixos 'I2P Eepsite' %}, I refactor most of the configuration into "common.conf" and import it into "caddyProxy.conf".
``` plain common.conf
```plain common.conf
{
## disable admin endpoint
# admin off
@ -587,7 +588,7 @@ Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor O
}
```
``` plain caddyProxy.conf
```plain caddyProxy.conf
import common.conf
## mdleom.com
@ -619,7 +620,7 @@ mdleom.com:4430 www.mdleom.com:4430 {
One last thing to do is to import "[caddyProxy.nix](#caddyproxynix)" and enable `services.caddyProxy`.
``` nix /etc/nixos/configuration.nix
```nix /etc/nixos/configuration.nix
require = [ /etc/caddy/caddyProxy.nix ];
services.caddyProxy = {
enable = true;