Garuda Linux server configurations


General information

  • Our current infrastructure is hosted in one of these.
  • The only server not hosted on this dedicated machine is our mail server.
  • Both servers are backed up to Hetzner storage boxes via Borg.
  • After trying several different setups, we settled on NixOS as our main OS because it provides reproducible and atomically updated system states.
  • Most (sub)domains are proxied through Cloudflare, which also provides caching. Exceptions are services such as our mail server and content that would violate Cloudflare's rules, such as proxying Piped content.

Devshell and how to enter it

This NixOS flake provides a devshell which contains all deployment tools as well as handy aliases for common tasks. The only requirement for using it is having the Nix package manager available. It can be installed on most distributions via the distribution's package manager or via the following installer script:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix -o nix-install.sh # Review the downloaded script before running it
sh ./nix-install.sh install --diagnostic-endpoint=""

This installs Nix with flakes already enabled. After that, the shell can be invoked as follows:

nix develop # The intended way to use the devshell
nix-shell # Legacy, non-flakes way if flakes are not available for some reason

Entering the shell also sets up the pre-commit hooks and prints the currently implemented tasks, each of which can be executed by running its name:

[infra-nix]

ansible-core    - Radically simple IT automation
apply           - Applies the infra-nix configuration previously deployed to the servers
buildiso-local  - Spawns a local buildiso shell to build to ./buildiso (needs Docker)
buildiso-remote - Spawns a buildiso shell on the iso-runner builder
clean           - Runs the garbage collection on the servers
deploy          - Deploys the local NixOS configuration to the servers
update          - Performs a full system update on the servers by bumping flake lock
update-forum    - Updates the Discourse container of our forum
update-toolbox  - Updates the locked Chaotic toolbox commit and deploys the changes
update-website  - Updates the locked website commit and deploys the changes
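To illustrate how a flake can expose deployment tasks like the ones listed above as commands on the devshell's PATH, here is a minimal flake.nix added as an example; it is not the infra-nix repository's own flake. The host names, the use of nixos-rebuild for deployment and the nix-collect-garbage call for cleaning are assumptions chosen for the example.

```nix
# Added example, not the infra-nix repository's own flake.nix.
# Assumes the flake also defines nixosConfigurations named after each host.
{
  description = "Example devshell exposing deployment tasks";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
      # Hypothetical hosts the tasks act on.
      hosts = [ "web.example.org" "mail.example.org" ];
      hostList = pkgs.lib.concatStringsSep " " hosts;

      # Each task becomes a small executable on the devshell's PATH.
      deploy = pkgs.writeShellScriptBin "deploy" ''
        set -euo pipefail
        for host in ${hostList}; do
          nixos-rebuild switch --flake ".#$host" --target-host "root@$host"
        done
      '';
      clean = pkgs.writeShellScriptBin "clean" ''
        set -euo pipefail
        for host in ${hostList}; do
          ssh "root@$host" nix-collect-garbage -d
        done
      '';
      update = pkgs.writeShellScriptBin "update" ''
        set -euo pipefail
        nix flake update   # bump flake.lock, then roll out the result
        deploy
      '';
    in {
      devShells.${system}.default = pkgs.mkShell {
        # Deployment tooling plus the task commands defined above.
        packages = [ pkgs.ansible pkgs.borgbackup deploy clean update ];
        # Printed on "nix develop", mirroring the task menu shown above;
        # pre-commit hook installation would also be wired in here.
        shellHook = ''
          echo "[infra-nix-example] tasks: deploy, clean, update"
        '';
      };
    };
}
```

Running nix develop in a directory containing this file drops you into a shell where deploy, clean and update are available as ordinary commands.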