mirror of https://gitlab.com/curben/blog
post(nixos): discourage nix-env
This commit is contained in:
parent
df9009f987
commit
d2c6db25d3
|
@ -4,10 +4,10 @@ excerpt: "Part 1: Installing NixOS"
|
|||
date: 2020-02-23
|
||||
updated: 2021-02-22
|
||||
tags:
|
||||
- server
|
||||
- linux
|
||||
- caddy
|
||||
- nixos
|
||||
- server
|
||||
- linux
|
||||
- caddy
|
||||
- nixos
|
||||
series: first
|
||||
---
|
||||
|
||||
|
@ -58,13 +58,13 @@ NixOS has a detailed installation [guide](https://nixos.org/nixos/manual/index.h
|
|||
|
||||
1. The LiveCD automatically login as "nixos". Simply switch to the root shell. You could setup SSH before installation. Personally I can accept the KVM console latency and I didn't want to open another port, so I never bother.
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
sudo -s
|
||||
```
|
||||
|
||||
2. Create the necessary partitions. I went with the classic MBR since my VPS provider still supports it and I don't need 2 TB partition. I set up a "swap" partition due to having a tiny RAM; if you have less than 2 GB RAM, it's better to have it, otherwise the `nixos-install` step would fail.
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
# Most KVM-powered VPS use "/dev/vda" naming scheme (instead of "/dev/sda")
|
||||
# Check the output of `ls /dev/` to make sure
|
||||
parted /dev/vda -- mklabel msdos
|
||||
|
@ -79,7 +79,7 @@ parted /dev/vda -- mkpart primary linux-swap -1GiB 100%
|
|||
|
||||
3. Format the partitions.
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
mkfs.btrfs -L nixos /dev/vda1
|
||||
# Or "mkfs.ext4" if preferred
|
||||
|
||||
|
@ -88,14 +88,14 @@ mkswap -L swap /dev/vda2
|
|||
|
||||
4. Mount the partitions.
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
mount /dev/disk/by-label/nixos /mnt
|
||||
swapon /dev/vda2
|
||||
```
|
||||
|
||||
5. Generate the configs. This generates "configuration.nix" and "hardware-configuration.nix".
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
nixos-generate-config --root /mnt
|
||||
```
|
||||
|
||||
|
@ -105,11 +105,11 @@ nixos-generate-config --root /mnt
|
|||
2. Replace "eth0" to "ens3" in firewall config (check output of `ifconfig`)
|
||||
3. Encrypt the file using 7zip before upload.
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
# This is much less memory-intensive than `nix-env -i package`
|
||||
# wormhole-william is Go-implementation of magic-wormhole
|
||||
# Available in 20.09+
|
||||
nix-env -f '<nixpkgs>' -iA google-authenticator p7zip usbguard wormhole-william
|
||||
nix-shell -p google-authenticator p7zip usbguard wormhole-william
|
||||
|
||||
cd /tmp
|
||||
wormhole-william receive configuration.7z
|
||||
|
@ -128,7 +128,7 @@ nixos-install --no-root-passwd
|
|||
|
||||
9. Once the installation is done, before shutting down, secure delete the downloaded files.
|
||||
|
||||
``` sh
|
||||
```sh
|
||||
shred -uz configuration.7z configuration.nix
|
||||
```
|
||||
|
||||
|
@ -136,7 +136,7 @@ shred -uz configuration.7z configuration.nix
|
|||
|
||||
Following is my "configuration.nix". I'll show you how to secure NixOS using hashed password, firewall, DNS-over-TLS and USBGuard in my next post. After that, I'll show you how to setup Caddy and Tor (they are disabled for now).
|
||||
|
||||
``` nix /etc/nixos/configuration.nix
|
||||
```nix /etc/nixos/configuration.nix
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
|
|
@ -29,10 +29,10 @@ Following diagram shows the architecture behind this website.
|
|||
|
||||
## Prerequisites
|
||||
|
||||
Before proceeding to the rest of this guide, there are some system packages that you need to install.
|
||||
Before proceeding to the rest of this guide, there are some packages that you need to install.
|
||||
|
||||
```
|
||||
$ nix-env -f '<nixpkgs>' -iA google-authenticator p7zip usbguard wormhole-william
|
||||
$ nix-shell -p google-authenticator p7zip usbguard wormhole-william
|
||||
```
|
||||
|
||||
## Disable mutableUsers
|
||||
|
|
|
@ -4,11 +4,11 @@ excerpt: "Part 3: Configure Caddy"
|
|||
date: 2020-03-14
|
||||
updated: 2022-07-08
|
||||
tags:
|
||||
- server
|
||||
- linux
|
||||
- caddy
|
||||
- nixos
|
||||
- cloudflare
|
||||
- server
|
||||
- linux
|
||||
- caddy
|
||||
- nixos
|
||||
- cloudflare
|
||||
series: true
|
||||
---
|
||||
|
||||
|
@ -30,7 +30,7 @@ This post is Part 2 of a series of articles that show you how I set up Caddy and
|
|||
|
||||
In NixOS, Caddy can be easily configured through "configuration.nix", without even touching a Caddyfile, if you have a rather simple setup. For example, to serve static files from "/var/www/" folder,
|
||||
|
||||
``` nix configuration.nix
|
||||
```nix configuration.nix
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
email = example@example.com;
|
||||
|
@ -53,7 +53,7 @@ A package is installed in `/nix/store/<hash>/` folder and that hash is what make
|
|||
|
||||
1. Locate the binary in "/nix/store" by checking `$ systemctl status caddy`. This is only available when caddy service is enabled in "configuration.nix". Disabling the service will remove the package.
|
||||
2. Install it as a system package using `environment.systemPackages`.
|
||||
3. Install it as a user package using `$ nix-env -f '<nixpkgs>' -iA caddy`.
|
||||
3. Install it as a user package using Home Manager (recommended), [ad-hoc shell](https://nix.dev/tutorials/first-steps/ad-hoc-shell-environments.html) or `$ nix-env -iA nixpkgs.caddy` ([discouraged](https://stop-using-nix-env.privatevoid.net/)).
|
||||
|
||||
caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use case because I'm not binding caddy to port < 1024.
|
||||
|
||||
|
@ -61,7 +61,7 @@ caddy.nix grants `CAP_NET_BIND_SERVICE` capability which is not needed in my use
|
|||
|
||||
I created another nix file which is similar to "caddy.nix", but without `CAP_NET_BIND_SERVICE` capability. I also removed Let's Encrypt-related options since I'm using Cloudflare origin certificate. I renamed the `options.services.caddy` to `options.services.caddyProxy` to avoid clash with "caddy.nix". Save the file to "/etc/caddy/caddyProxy.nix" with root as owner. We'll revisit this file in "[configuration.nix](#configurationnix)" section later in this guide.
|
||||
|
||||
``` nix /etc/caddy/caddyProxy.nix
|
||||
```nix /etc/caddy/caddyProxy.nix
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
@ -186,9 +186,9 @@ If you followed my {% post_link caddy-nixos-part-2 'Part 2' %} guide, you should
|
|||
|
||||
### Initial setup
|
||||
|
||||
Set up Caddy to listen on apex domain and www.* on port 4430
|
||||
Set up Caddy to listen on apex domain and www.\* on port 4430
|
||||
|
||||
``` plain Caddyfile
|
||||
```plain Caddyfile
|
||||
mdleom.com:4430 www.mdleom.com:4430 {
|
||||
|
||||
}
|
||||
|
@ -234,7 +234,7 @@ If you prefer to redirect apex to www,
|
|||
|
||||
Aside from reverse proxy to curben.netlify.app, I also configured my Netlify website to use Statically CDN for on-the-fly image processing. My current [config](https://gitlab.com/curben/blog) is:
|
||||
|
||||
``` plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects
|
||||
```plain source/_redirects https://gitlab.com/curben/blog/-/blob/master/source/_redirects _redirects
|
||||
/img/* https://cdn.statically.io/img/:splat 200
|
||||
/screenshot/* https://cdn.statically.io/screenshot/curben.netlify.app/:splat 200
|
||||
/files/* https://gitlab.com/curben/blog/-/raw/site/:splat 200
|
||||
|
@ -242,7 +242,7 @@ Aside from reverse proxy to curben.netlify.app, I also configured my Netlify web
|
|||
|
||||
In Caddyfile, the config can be expressed as:
|
||||
|
||||
``` plain
|
||||
```plain
|
||||
handle /img/* {
|
||||
reverse_proxy https://cdn.statically.io
|
||||
}
|
||||
|
@ -270,38 +270,39 @@ In Caddyfile, the config can be expressed as:
|
|||
To make sure Caddy sends the correct `Host:` header to the upstream/backend locations, I use `header_up` option,
|
||||
|
||||
{% codeblock mark:5,13,18 %}
|
||||
handle /img/* {
|
||||
reverse_proxy https://cdn.statically.io {
|
||||
header_up Host cdn.statically.io
|
||||
}
|
||||
}
|
||||
handle /img/\* {
|
||||
reverse_proxy https://cdn.statically.io {
|
||||
header_up Host cdn.statically.io
|
||||
}
|
||||
}
|
||||
|
||||
handle_path /screenshot/* {
|
||||
rewrite * /screenshot/mdleom.com{path}
|
||||
handle*path /screenshot/* {
|
||||
rewrite \_ /screenshot/mdleom.com{path}
|
||||
|
||||
reverse_proxy https://cdn.statically.io {
|
||||
header_up Host cdn.statically.io
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy https://curben.netlify.app {
|
||||
header_up Host curben.netlify.app
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy https://curben.netlify.app {
|
||||
header_up Host curben.netlify.app
|
||||
}
|
||||
{% endcodeblock %}
|
||||
|
||||
If there are multiple backends for the reverse_proxy, it's better to use a placeholder instead of hardcording the `Host` header.
|
||||
|
||||
{% codeblock mark:2 %}
|
||||
reverse_proxy https://curben.pages.dev https://curben.netlify.app {
|
||||
header_up Host {http.reverse_proxy.upstream.host}
|
||||
}
|
||||
reverse_proxy https://curben.pages.dev https://curben.netlify.app {
|
||||
header_up Host {http.reverse_proxy.upstream.host}
|
||||
}
|
||||
{% endcodeblock %}
|
||||
|
||||
### Add or remove headers
|
||||
|
||||
To prevent any unnecessary request headers from being sent to the upstreams, I use `header_up`. I use it to remove cookie, referer and [other headers](https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-) added by Cloudflare. Since there are many headers to remove, I group them as a global variable. I apply it to all `reverse_proxy` directives.
|
||||
|
||||
``` Caddyfile
|
||||
```Caddyfile
|
||||
(removeHeaders) {
|
||||
header_up -cdn-loop
|
||||
header_up -cf-cache-status
|
||||
|
@ -417,7 +418,7 @@ I also add the `Cache-Control` and `Referrer-Policy` to the response header. Use
|
|||
|
||||
Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor Onion' %} and {% post_link i2p-eepsite-nixos 'I2P Eepsite' %}, I refactor most of the configuration into "common.conf" and import it into "caddyProxy.conf".
|
||||
|
||||
``` plain common.conf
|
||||
```plain common.conf
|
||||
{
|
||||
## disable admin endpoint
|
||||
# admin off
|
||||
|
@ -587,7 +588,7 @@ Since I also set up reverse proxy for {% post_link tor-hidden-onion-nixos 'Tor O
|
|||
}
|
||||
```
|
||||
|
||||
``` plain caddyProxy.conf
|
||||
```plain caddyProxy.conf
|
||||
import common.conf
|
||||
|
||||
## mdleom.com
|
||||
|
@ -619,7 +620,7 @@ mdleom.com:4430 www.mdleom.com:4430 {
|
|||
|
||||
One last thing to do is to import "[caddyProxy.nix](#caddyproxynix)" and enable `services.caddyProxy`.
|
||||
|
||||
``` nix /etc/nixos/configuration.nix
|
||||
```nix /etc/nixos/configuration.nix
|
||||
require = [ /etc/caddy/caddyProxy.nix ];
|
||||
services.caddyProxy = {
|
||||
enable = true;
|
||||
|
|
Loading…
Reference in New Issue