Skip to content

big-bag/server

Repository files navigation

Installing NixOS

Server specification
Hardware Configuration
Processor Intel Core i7-4790, 4x3600 MHz
Memory 32 GB DDR3 1600 MHz
Disks 120 GB SSD x 2, 4 TB HDD x 1
Boot from installation ISO image

Boot from installation ISO image (Minimal, 64-bit Intel/AMD):

  1. set a password for the nixos user

    passwd
  2. connect from a remote host

    ssh nixos@[SERVER_IP_ADDRESS]
Partitioning of disk

Ignore info messages from parted: Information: You may need to update /etc/fstab.

  1. delete data from SSD drives

    sudo shred --verbose /dev/sdX
  2. find disk which connected to SATA-port 1

    $ for i in /dev/disk/by-path/*;do [[ ! "$i" =~ '-part[0-9]+$' ]] && echo "Port $(basename "$i"|grep -Po '(?<=ata-)[0-9]+'): $(readlink -f "$i")";done
    Port 1: /dev/sdb
  3. create a GPT partition table

    sudo parted /dev/sdb -- mklabel gpt
  4. create a root partition, left 16GiB for swap partition at the end of disk and 512MiB for boot partition at the beggining of disk

    sudo parted /dev/sdb -- mkpart primary 512MiB -16GiB
  5. create a swap partition

    sudo parted -a none /dev/sdb -- mkpart primary linux-swap -16GiB 100%
  6. create a boot partition

    sudo parted /dev/sdb -- mkpart ESP fat32 1MiB 512MiB
    sudo parted /dev/sdb -- set 3 esp on
Formatting of disk
  1. format a root partition to ext4, add a label nixos

    sudo mkfs.ext4 -L nixos /dev/sdb1
  2. create a swap partition, add a label swap

    sudo mkswap -L swap /dev/sdb2
  3. create a boot partition, add a lable boot

    sudo mkfs.fat -F 32 -n boot /dev/sdb3
Installing OS
  1. mount the target file system on which NixOS should be installed on /mnt

    sudo mount /dev/disk/by-label/nixos /mnt
  2. mount the boot file system on /mnt/boot

    sudo mkdir -p /mnt/boot
    sudo mount /dev/disk/by-label/boot /mnt/boot
  3. generate an initial configuration file

    sudo nixos-generate-config --root /mnt
  4. edit a configuration file

    sudo nano /mnt/etc/nixos/configuration.nix
    • enable OpenSSH service
    • allow login as root user
    services.openssh = {
      enable = true;
      settings.PermitRootLogin = "yes";
    };
    
  5. run the installation

    sudo nixos-install
  6. at the end of the installation set the password for the root user. If something went wrong, set it manually

    [nixos@nixos:~]$ sudo nixos-enter --root '/mnt'
    [root@nixos:/]# passwd
    [root@nixos:/]# exit
  7. reboot system

    sudo reboot
  8. after reboot check connection under the root user

    ssh root@[SERVER_IP_ADDRESS]
  9. delete data from HDD drive

    • run the process in the background, because it can take a long time
      sudo shred --verbose /dev/sdX >> shred.log 2>&1 &
    • display logs
      tail -f shred.log

Setting up a local environment and preparing a server

Prepare
  1. create bot and group in Telegram

  2. create a personal access token (classic) in GitHub

    • Note: grafana
    • Expiration: No expiration
    • Scopes:
      • repo:status
      • repo_deployment
      • public_repo
      • read:packages
      • read:org
      • read:user
      • user:email
      • read:project
  3. build an image

    docker build --rm --file Dockerfile --tag ansible:2.16.0 .
  4. create a Vault password file named .vault_password and add a password in it

  5. create an encrypted file

    docker run --rm -ti \
      --volume=$(pwd):/etc/ansible \
      ansible:2.16.0 \
        ansible-vault create host_vars/localhost/vault.yml
  6. write credentials to encrypted file

    ---
    vault_server_ip_address: 192.168.0.1
    vault_server_root_account_password: 'S0me P@ssword'
    vault_server_technical_account_username: [VALUE]
    
    vault_1password_device_id: [VALUE] (can be found in `~/.config/op/config` on Alpine linux)
    vault_1password_master_password: 'S0me P@ssword'
    vault_1password_subdomain: my
    vault_1password_email_address: [email protected]
    vault_1password_secret_key: [VALUE]
    
    vault_telegram_bot_token: [VALUE]
    vault_telegram_chat_id: [VALUE]
    
    vault_domain_name_internal: example.com
    
    vault_mattermost_postgres_username: [VALUE]
    vault_mattermost_postgres_database: [VALUE]
    
    vault_redis_exporter_redis_username: [VALUE]
    
    vault_gitlab_postgres_username: [VALUE]
    vault_gitlab_postgres_database: [VALUE]
    
    vault_postgres_exporter_postgres_username: [VALUE]
    
    vault_pgadmin_postgres_username: [VALUE]
    
    vault_grafana_github_token: [VALUE]
    vault_grafana_postgres_username: [VALUE]
    vault_grafana_redis_username: [VALUE]
  7. run a playbook to do an initial configuration on a server and configure a local environment

    docker run --rm -t \
      --volume=$(pwd):/etc/ansible \
      ansible:2.16.0 \
        ansible-playbook site.yml --tags prepare
  8. grafana dashboard sources

    Service Dashboard source (based on)
    GitHub Connections -> Data sources -> GitHub -> Dashboards -> GitHub Default
    Mimir https://grafana.com/grafana/dashboards/16007-mimir-alertmanager/
    https://grafana.com/grafana/dashboards/16009-mimir-compactor/
    https://grafana.com/grafana/dashboards/16011-mimir-object-store/
    https://grafana.com/grafana/dashboards/16012-mimir-overrides/
    https://grafana.com/grafana/dashboards/16013-mimir-queries/
    https://grafana.com/grafana/dashboards/16016-mimir-reads/
    https://grafana.com/grafana/dashboards/16018-mimir-ruler/
    https://grafana.com/grafana/dashboards/16021-mimir-tenants/
    https://grafana.com/grafana/dashboards/16022-mimir-top-tenants/
    https://grafana.com/grafana/dashboards/16026-mimir-writes/
    Nginx https://github.com/nginxinc/nginx-prometheus-exporter/blob/main/grafana/README.md
    Prometheus Connections -> Data Sources -> Prometheus -> Dashboards -> Prometheus Stats
    Connections -> Data Sources -> Prometheus -> Dashboards -> Prometheus 2.0 Stats
    MinIO https://grafana.com/grafana/dashboards/13502-minio-dashboard/
    Node Exporter https://grafana.com/grafana/dashboards/13978-node-exporter-quickstart-and-dashboard/
    https://grafana.com/grafana/dashboards/6014-host-stats-0-16-0/
    Go Runtime Exporter https://grafana.com/grafana/dashboards/14061-go-runtime-metrics/
    Redis https://grafana.com/grafana/dashboards/14091-redis-dashboard-for-prometheus-redis-exporter-1-x/
    Connections -> Data Sources -> GitLab-Redis -> Dashboards -> Redis
    Connections -> Data Sources -> GitLab-Redis -> Dashboards -> Redis Streaming
    GitLab https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/gitaly.json
    https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/overview.json
    https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/postgresql.json
    https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/rails-app.json
    https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/redis.json
    https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/registry.json
    https://gitlab.com/gitlab-org/grafana-dashboards/-/blob/master/omnibus/service_platform_metrics.json
    PostgreSQL Exporter https://grafana.com/grafana/dashboards/14114-postgres-overview/
    Grafana Connections -> Data Sources -> Prometheus -> Dashboards -> Grafana metrics
  9. run a playbook to upload grafana dashboards

    docker run --rm -t \
      --volume=$(pwd):/etc/ansible \
      ansible:2.16.0 \
        ansible-playbook site.yml --tags dashboards
  10. run a playbook to upgrade NixOS and services to the latest version

    docker run --rm -ti \
      --volume=$(pwd):/etc/ansible \
      ansible:2.16.0 \
        ansible-playbook site.yml --tags upgrade
  11. upload Windows ISO image to /mnt/hdd/libvirt/iso directory on server

Configuring a server

Deploy
  1. run a playbook to configure a server

    docker run --rm -t \
      --volume=$(pwd):/etc/ansible \
      ansible:2.16.0 \
        ansible-playbook site.yml
  2. import certificates in Firefox: Preferences -> Privacy & Security -> Security -> Certificates -> View Certificates...

    • import certificate authority: Authorities -> Import... -> ca.pem (choose Trust this CA to identify websites.)
    • import user certificate for authentication: Your Certificates -> Import... -> user.pfx (leave the password field blank and click Log in)
  3. install guest agent and tools on Windows

    • virtio-win -> guest-agent\qemu-ga-x86_64.msi
    • virtio-win -> virtio-win-guest-tools.exe
    • https://github.com/billziss-gh/winfsp/releases (install Core)
      • configure and start service
        sc config VirtioFsSvc binPath="C:\Program Files\Virtio-Win\VioFS\virtiofs.exe" start=auto depend=VirtioFsDrv
        sc start VirtioFsSvc
        
    • host-share -> spice-guest-tools-latest.exe
    • host-share -> grafana-agent-installer.exe
      • configure and start service
        sc config "Grafana Agent" binpath="\"C:\Program Files\Grafana Agent\grafana-agent-windows-amd64.exe\" -config.file=\"Z:\agent-config.yaml\" -config.expand-env -server.http.address=\"127.0.0.1:12345\" -server.grpc.address=\"127.0.0.1:12346\""
        sc stop "Grafana Agent"
        sc start "Grafana Agent"
        

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages