post(nixos): discourage nix-env

This commit is contained in:
Ming Di Leom 2024-07-25 10:55:33 +00:00
parent df9009f987
commit d2c6db25d3
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
3 changed files with 57 additions and 56 deletions

View File

@ -4,10 +4,10 @@ excerpt: "Part 1: Installing NixOS"
date: 2020-02-23 date: 2020-02-23
updated: 2021-02-22 updated: 2021-02-22
tags: tags:
- server - server
- linux - linux
- caddy - caddy
- nixos - nixos
series: first series: first
--- ---
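Review bot: the `updated:` front-matter date stays at 2021-02-22 on both sides even though this commit changes the post body (the install commands in step 6 are rewritten below). Bump `updated:` to the commit date so readers can tell the nix-env guidance was revised.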
@ -58,13 +58,13 @@ NixOS has a detailed installation [guide](https://nixos.org/nixos/manual/index.h
1. The LiveCD automatically login as "nixos". Simply switch to the root shell. You could setup SSH before installation. Personally I can accept the KVM console latency and I didn't want to open another port, so I never bother. 1. The LiveCD automatically login as "nixos". Simply switch to the root shell. You could setup SSH before installation. Personally I can accept the KVM console latency and I didn't want to open another port, so I never bother.
``` sh ```sh
sudo -s sudo -s
``` ```
2. Create the necessary partitions. I went with the classic MBR since my VPS provider still supports it and I don't need 2 TB partition. I set up a "swap" partition due to having a tiny RAM; if you have less than 2 GB RAM, it's better to have it, otherwise the `nixos-install` step would fail. 2. Create the necessary partitions. I went with the classic MBR since my VPS provider still supports it and I don't need 2 TB partition. I set up a "swap" partition due to having a tiny RAM; if you have less than 2 GB RAM, it's better to have it, otherwise the `nixos-install` step would fail.
``` sh ```sh
# Most KVM-powered VPS use "/dev/vda" naming scheme (instead of "/dev/sda") # Most KVM-powered VPS use "/dev/vda" naming scheme (instead of "/dev/sda")
# Check the output of `ls /dev/` to make sure # Check the output of `ls /dev/` to make sure
parted /dev/vda -- mklabel msdos parted /dev/vda -- mklabel msdos
@ -79,7 +79,7 @@ parted /dev/vda -- mkpart primary linux-swap -1GiB 100%
3. Format the partitions. 3. Format the partitions.
``` sh ```sh
mkfs.btrfs -L nixos /dev/vda1 mkfs.btrfs -L nixos /dev/vda1
# Or "mkfs.ext4" if preferred # Or "mkfs.ext4" if preferred
@ -88,35 +88,35 @@ mkswap -L swap /dev/vda2
4. Mount the partitions. 4. Mount the partitions.
``` sh ```sh
mount /dev/disk/by-label/nixos /mnt mount /dev/disk/by-label/nixos /mnt
swapon /dev/vda2 swapon /dev/vda2
``` ```
5. Generate the configs. This generates "configuration.nix" and "hardware-configuration.nix". 5. Generate the configs. This generates "configuration.nix" and "hardware-configuration.nix".
``` sh ```sh
nixos-generate-config --root /mnt nixos-generate-config --root /mnt
``` ```
6. I replaced the generated "configuration.nix" with my own "configuration.nix". Before uploading the config to the server, I did the following change, 6. I replaced the generated "configuration.nix" with my own "configuration.nix". Before uploading the config to the server, I did the following change,
1. Replace "/dev/sda" with "/dev/vda" in `boot.loader.grub.device` 1. Replace "/dev/sda" with "/dev/vda" in `boot.loader.grub.device`
2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`) 2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`)
3. Encrypt the file using 7zip before upload. 3. Encrypt the file using 7zip before upload.
``` sh ```sh
# This is much less memory-intensive than `nix-env -i package` # This is much less memory-intensive than `nix-env -i package`
# wormhole-william is Go-implementation of magic-wormhole # wormhole-william is Go-implementation of magic-wormhole
# Available in 20.09+ # Available in 20.09+
nix-env -f '<nixpkgs>' -iA google-authenticator p7zip usbguard wormhole-william nix-shell -p google-authenticator p7zip usbguard wormhole-william
cd /tmp cd /tmp
wormhole-william receive configuration.7z wormhole-william receive configuration.7z
7z x configuration.7z 7z x configuration.7z
cp configuration.nix /mnt/etc/nixos/ cp configuration.nix /mnt/etc/nixos/
``` ```
7. Install it without setting root password (so that root remains disabled) 7. Install it without setting root password (so that root remains disabled)
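Review bot: the comment above the rewritten command, `# This is much less memory-intensive than `nix-env -i package``, is now stale: the line below it no longer uses `nix-env` at all, it uses `nix-shell -p`, so the comparison no longer explains the command it sits on. Either drop the comment or reword it to say why the ad-hoc shell is preferred. Also worth stating explicitly that `nix-shell -p ...` drops you into an interactive shell and that the following `cd /tmp`, `wormhole-william receive`, `7z x` and `cp` lines (and the `nixos-install` in step 7 if it needs these tools) must be typed inside that shell; as written a reader may expect the packages to persist after the shell exits. An alternative is `nix-shell -p ... --run '...'` so the snippet is self-contained.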
@ -128,7 +128,7 @@ nixos-install --no-root-passwd
9. Once the installation is done, before shutting down, secure delete the downloaded files. 9. Once the installation is done, before shutting down, secure delete the downloaded files.
``` sh ```sh
shred -uz configuration.7z configuration.nix shred -uz configuration.7z configuration.nix
``` ```
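Review bot: `shred -uz configuration.7z configuration.nix` uses relative paths, so it only finds the files if the working directory is still `/tmp` from the `cd /tmp` in step 6 (step 7 and 8 sit in between). Use absolute paths (`/tmp/configuration.7z /tmp/configuration.nix`) or repeat `cd /tmp` so the cleanup step does not silently fail with "No such file".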
@ -136,7 +136,7 @@ shred -uz configuration.7z configuration.nix
Following is my "configuration.nix". I'll show you how to secure NixOS using hashed password, firewall, DNS-over-TLS and USBGuard in my next post. After that, I'll show you how to setup Caddy and Tor (they are disabled for now). Following is my "configuration.nix". I'll show you how to secure NixOS using hashed password, firewall, DNS-over-TLS and USBGuard in my next post. After that, I'll show you how to setup Caddy and Tor (they are disabled for now).
``` nix /etc/nixos/configuration.nix ```nix /etc/nixos/configuration.nix
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {

View File

@ -29,10 +29,10 @@ Following diagram shows the architecture behind this website.
## Prerequisites ## Prerequisites
Before proceeding to the rest of this guide, there are some system packages that you need to install. Before proceeding to the rest of this guide, there are some packages that you need to install.
``` ```
$ nix-env -f '<nixpkgs>' -iA google-authenticator p7zip usbguard wormhole-william $ nix-shell -p google-authenticator p7zip usbguard wormhole-william
``` ```
## Disable mutableUsers ## Disable mutableUsers
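Review bot: the prose still says "packages that you need to install", but `nix-shell -p google-authenticator p7zip usbguard wormhole-william` does not install anything persistent; the packages are only on `PATH` for the lifetime of that shell. Since the rest of the guide relies on usbguard and google-authenticator being present on the running system, say which of these are used only once during setup (and so belong in the ad-hoc shell) and which must be declared in `configuration.nix` (e.g. via `environment.systemPackages` or the corresponding service option) to survive the shell exiting.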

View File

@ -4,11 +4,11 @@ excerpt: "Part 3: Configure Caddy"
date: 2020-03-14 date: 2020-03-14
updated: 2022-07-08 updated: 2022-07-08
tags: tags:
- server - server
- linux - linux
- caddy - caddy
- nixos - nixos
- cloudflare - cloudflare
series: true series: true
--- ---
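Review bot: same point as in Part 1: `updated: 2022-07-08` is unchanged on both sides although the installation options list and the codeblock content of this post are modified in this commit; bump the date.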
@ -30,7 +30,7 @@ This post is Part 2 of a series of articles that show you how I set up Caddy and
In NixOS, Caddy can be easily configured through "configuration.nix", without even touching a Caddyfile, if you have a rather simple setup. For example, to serve static files from "/var/www/" folder, In NixOS, Caddy can be easily configured through "configuration.nix", without even touching a Caddyfile, if you have a rather simple setup. For example, to serve static files from "/var/www/" folder,
``` nix configuration.nix ```nix configuration.nix
services.caddy = { services.caddy = {
enable = true; enable = true;
email = example@example.com; email = example@example.com;
@ -53,7 +53,7 @@ A package is installed in `/nix/store/<hash>/` folder and that hash is what make
1. Locate the binary in "/nix/store" by checking `$ systemctl status caddy`. This is only available when caddy service is enabled in "configuration.nix". Disabling the service will remove the package. 1. Locate the binary in "/nix/store" by checking `$ systemctl status caddy`. This is only available when caddy service is enabled in "configuration.nix". Disabling the service will remove the package.
2. Install it as a system package using `environment.systemPackages`. 2. Install it as a system package using `environment.systemPackages`.
3. Install it as a user package using `$ nix-env -f '<nixpkgs>' -iA caddy`. 3. Install it as a user package using Home Manager (recommended), [ad-hoc shell](https://nix.dev/tutorials/first-steps/ad-hoc-shell-environments.html) or `$ nix-env -iA nixpkgs.caddy` ([discouraged](https://stop-using-nix-env.privatevoid.net/)).
caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use case because I'm not binding caddy to port < 1024. caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use case because I'm not binding caddy to port < 1024.
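Review bot: in the rewritten item 3, "Install it as a user package using Home Manager (recommended), ad-hoc shell or `nix-env -iA nixpkgs.caddy` (discouraged)" mixes two different things: Home Manager and `nix-env` put caddy into the user profile, while `nix-shell -p` (the linked ad-hoc shell) only makes it available inside a temporary shell and installs nothing. Split the ad-hoc shell into its own bullet or reword the item to "make it available to the user". The note `nix-env -iA nixpkgs.caddy` also assumes the user's channel is named `nixpkgs`; the old form `-f '<nixpkgs>'` did not. Separately, item 1 says "Disabling the service will remove the package", but a store path is only removed once `nix-collect-garbage` runs; until then it stays in `/nix/store`.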
@ -61,7 +61,7 @@ caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use
I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configurationnix)" section later in this guide. I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configurationnix)" section later in this guide.
``` nix /etc/caddy/caddyProxy.nix ```nix /etc/caddy/caddyProxy.nix
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
@ -186,9 +186,9 @@ If you followed my {% post_link caddy-nixos-part-2 'Part 2' %} guide, you should
### Initial setup ### Initial setup
Set up Caddy to listen on apex domain and www.* on port 4430 Set up Caddy to listen on apex domain and www.\* on port 4430
``` plain Caddyfile ```plain Caddyfile
mdleom.com:4430 www.mdleom.com:4430 { mdleom.com:4430 www.mdleom.com:4430 {
} }
@ -234,7 +234,7 @@ If you prefer to redirect apex to www,
Aside from reverse proxy to curben.netlify.app, I also configured my Netlify website to use Statically CDN for on-the-fly image processing. My current [config](https://gitlab.com/curben/blog) is: Aside from reverse proxy to curben.netlify.app, I also configured my Netlify website to use Statically CDN for on-the-fly image processing. My current [config](https://gitlab.com/curben/blog) is:
``` plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects ```plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects
/img/* https://cdn.statically.io/img/:splat 200 /img/* https://cdn.statically.io/img/:splat 200
/screenshot/* https://cdn.statically.io/screenshot/curben.netlify.app/:splat 200 /screenshot/* https://cdn.statically.io/screenshot/curben.netlify.app/:splat 200
/files/* https://gitlab.com/curben/blog/-/raw/site/:splat 200 /files/* https://gitlab.com/curben/blog/-/raw/site/:splat 200
@ -242,7 +242,7 @@ Aside from reverse proxy to curben.netlify.app, I also configured my Netlify web
In Caddyfile, the config can be expressed as: In Caddyfile, the config can be expressed as:
``` plain ```plain
handle /img/* { handle /img/* {
reverse_proxy https://cdn.statically.io reverse_proxy https://cdn.statically.io
} }
@ -270,38 +270,39 @@ In Caddyfile, the config can be expressed as:
To make sure Caddy sends the correct `Host:` header to the upstream/backend locations, I use `header_up` option, To make sure Caddy sends the correct `Host:` header to the upstream/backend locations, I use `header_up` option,
{% codeblock mark:5,13,18 %} {% codeblock mark:5,13,18 %}
handle /img/* { handle /img/\* {
reverse_proxy https://cdn.statically.io { reverse_proxy https://cdn.statically.io {
header_up Host cdn.statically.io header_up Host cdn.statically.io
} }
} }
handle_path /screenshot/* { handle*path /screenshot/* {
rewrite * /screenshot/mdleom.com{path} rewrite \_ /screenshot/mdleom.com{path}
reverse_proxy https://cdn.statically.io { reverse_proxy https://cdn.statically.io {
header_up Host cdn.statically.io header_up Host cdn.statically.io
} }
}
reverse_proxy https://curben.netlify.app { }
header_up Host curben.netlify.app
} reverse_proxy https://curben.netlify.app {
header_up Host curben.netlify.app
}
{% endcodeblock %} {% endcodeblock %}
If there are multiple backends for the reverse_proxy, it's better to use a placeholder instead of hardcording the `Host` header. If there are multiple backends for the reverse_proxy, it's better to use a placeholder instead of hardcording the `Host` header.
{% codeblock mark:2 %} {% codeblock mark:2 %}
reverse_proxy https://curben.pages.dev https://curben.netlify.app { reverse_proxy https://curben.pages.dev https://curben.netlify.app {
header_up Host {http.reverse_proxy.upstream.host} header_up Host {http.reverse_proxy.upstream.host}
} }
{% endcodeblock %} {% endcodeblock %}
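Review bot: the markdown formatter has mangled the Caddyfile inside the first `{% codeblock %}` tag, and the result no longer parses as Caddy config: `handle_path /screenshot/*` became `handle*path /screenshot/*` (not a directive), `rewrite * /screenshot/mdleom.com{path}` became `rewrite \_ /screenshot/mdleom.com{path}` (the `*` path matcher is gone), and `handle /img/*` became `handle /img/\*`. Blank lines were also inserted, so the `mark:5,13,18` highlights no longer line up with the three `header_up Host` lines they were meant to mark. The second `{% codeblock mark:2 %}` survived only because it contains no `*` or `_`. Either exclude `{% codeblock %}` bodies from the formatter or move these snippets into fenced ```` ``` ```` blocks like the rest of the post, which the formatter leaves alone. While here, "hardcording" in the sentence after the block should be "hardcoding".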
### Add or remove headers ### Add or remove headers
To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives. To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives.
``` Caddyfile ```Caddyfile
(removeHeaders) { (removeHeaders) {
header_up -cdn-loop header_up -cdn-loop
header_up -cf-cache-status header_up -cf-cache-status
@ -417,7 +418,7 @@ I also add the `Cache-Control` and `Referrer-Policy` to the response header. Use
Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor Onion' %} and {% post_link i2p-eepsite-nixos 'I2P Eepsite' %}, I refactor most of the configuration into "common.conf" and import it into "caddyProxy.conf". Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor Onion' %} and {% post_link i2p-eepsite-nixos 'I2P Eepsite' %}, I refactor most of the configuration into "common.conf" and import it into "caddyProxy.conf".
``` plain common.conf ```plain common.conf
{ {
## disable admin endpoint ## disable admin endpoint
# admin off # admin off
@ -587,7 +588,7 @@ Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor O
} }
``` ```
``` plain caddyProxy.conf ```plain caddyProxy.conf
import common.conf import common.conf
## mdleom.com ## mdleom.com
@ -619,7 +620,7 @@ mdleom.com:4430 www.mdleom.com:4430 {
One last thing to do is to import "[caddyProxy.nix](#caddyproxynix)" and enable `services.caddyProxy`. One last thing to do is to import "[caddyProxy.nix](#caddyproxynix)" and enable `services.caddyProxy`.
``` nix /etc/nixos/configuration.nix ```nix /etc/nixos/configuration.nix
require = [ /etc/caddy/caddyProxy.nix ]; require = [ /etc/caddy/caddyProxy.nix ];
services.caddyProxy = { services.caddyProxy = {
enable = true; enable = true;
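Review bot: `require = [ /etc/caddy/caddyProxy.nix ];` uses the legacy `require` key; the documented module key is `imports`, and that is what the NixOS manual and the rest of this series use for pulling in extra module files. Since this hunk only changes the fence, consider switching it to `imports = [ /etc/caddy/caddyProxy.nix ];` in the same pass so the snippet matches current NixOS conventions.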