Skip to content

krupkat/gcp-nixos

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

gcp-nixos

This is an example project using NixOS to declaratively configure a VM with multiple services that can run on a free tier micro instance (see howto for details).

The configuration is mostly not specific to the cloud service and can be adapted to other providers (e.g. Amazon EC2).

Services overview

Following services are defined using NixOS options.

  1. ACME
    1. This uses the lego client to manage and renew SSL certificates from Let's Encrypt.
    2. Wildcard certificate verification using dns verification check (connecting to Websupport DNS API)
    3. Auto restarts dependent services upon certificate renewal.
  2. nginx
    1. Use as a reverse proxy to manage multiple subdomains and forward traffic to the respective services.
    2. Host a static website on the root domain
    3. Force SSL on all endpoints
    4. Gate specific subdomains behind SSO login using the auth_request module and the vouch-proxy service.
  3. node-red
    1. Home automation toolbox
    2. Protected by SSO (https://node-red.tomaskrupka/cz)
  4. mosquitto
    1. mqtt broker with two listeners defined
      1. Unauthenticated traffic for local services
      2. mqtt over SSL for remote connections
  5. restic
    1. Daily backups of user data to a GCS bucket:
      1. node-red data directory
      2. flatnotes data directory
      3. website root

Following services are packaged in the modules directory of this repository:

  1. vouch-proxy
    1. SSO solution for nginx
    2. Configured to use Google OAuth 2.0 and only pass whitelisted users
    3. See details in the modules/vouch.nix file
  2. inadyn
    1. Dynamic DNS service
    2. Runs periodically to check the VM public address and update DNS records (Websupport DynDNS API)
    3. See details in the modules/inadyn.nix file
  3. flatnotes
    1. Personal note taking
    2. Protected by SSO (https://notes.tomaskrupka.cz)
    3. See details in the modules/flatnotes.nix file

Secrets management

The services require quite a few keys / tokens / secrets to be able to run. All the secrets are managed using sops-nix:

  • Secrets definitions are in the secrets.nix file
  • Encrypted secrets are included in the secrets directory
  • The secrets are decrypted on the VM during system activation and have permissions set to read-only either for root or a specific service user.

Website content

The static content of the website is expected to be served from /home/github-actions/www:

  • The github-actions user is defined in the configuration file
  • The nginx user has read access to its home directory
  • An authorized ssh public key is configured so that the content can be uploaded from another machine