big-bag/server


Installing NixOS

Server specification
Component   Specification
Processor   Intel Core i7-4790, 4x3600 MHz
Memory      32 GB DDR3 1600 MHz
Disks       120 GB SSD x 2, 500 GB SSD x 1, 4 TB HDD x 1
Boot from installation ISO image

Boot from installation ISO image (Minimal, 64-bit Intel/AMD):

  1. set a password for the nixos user

    passwd
  2. connect from a remote host

    ssh nixos@[SERVER_IP_ADDRESS]
Partitioning of disk

Ignore the informational message from parted: Information: You may need to update /etc/fstab.

  1. delete data from SSD drives

    sudo shred --verbose /dev/sdX
  2. find the disk connected to SATA port 1 (the regex after =~ must stay unquoted; a quoted pattern is matched literally)

    $ for i in /dev/disk/by-path/*; do [[ ! "$i" =~ -part[0-9]+$ ]] && echo "Port $(basename "$i" | grep -Po '(?<=ata-)[0-9]+'): $(readlink -f "$i")"; done
    Port 1: /dev/sdb
  3. create a GPT partition table

    sudo parted /dev/sdb -- mklabel gpt
  4. create the root partition, leaving 16GiB for the swap partition at the end of the disk and 512MiB for the boot partition at the beginning of the disk

    sudo parted /dev/sdb -- mkpart primary 512MiB -16GiB
  5. create a swap partition

    sudo parted -a none /dev/sdb -- mkpart primary linux-swap -16GiB 100%
  6. create a boot partition

    sudo parted /dev/sdb -- mkpart ESP fat32 1MiB 512MiB
    sudo parted /dev/sdb -- set 3 esp on
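The port lookup from step 2 as a reusable guard, an added example that is not part of the repository: it maps /dev/disk/by-path links to SATA ports and refuses to proceed unless the device you are about to shred or partition really is the disk on the expected port. The by-path directory is a parameter so the functions can be exercised on a constructed tree; regexes are kept in variables because a quoted pattern after =~ is matched literally.

```bash
#!/usr/bin/env bash
# Added example, not from the repository: map /dev/disk/by-path links to SATA
# port numbers and guard destructive commands with that map.
set -euo pipefail

# Print the ATA port encoded in a by-path name such as "pci-0000:00:1f.2-ata-1"
# or "pci-0000:00:1f.2-ata-1.0"; return 1 for partition links ("...-part3")
# and for names that are not ATA devices at all.
ata_port_of() {
  local name=$1 part_re='-part[0-9]+$' port_re='-ata-([0-9]+)'
  [[ $name =~ $part_re ]] && return 1
  [[ $name =~ $port_re ]] || return 1
  printf '%s\n' "${BASH_REMATCH[1]}"
}

# Print "Port N: /dev/sdX" for every whole ATA disk below a by-path directory
# (default: the live /dev/disk/by-path), sorted by port number.
list_ata_ports() {
  local dir=${1:-/dev/disk/by-path} link port
  for link in "$dir"/*; do
    port=$(ata_port_of "$(basename "$link")") || continue
    printf 'Port %s: %s\n' "$port" "$(readlink -f "$link")"
  done | sort -k2,2n
}

# Succeed only if DEV is the whole disk on PORT; run it before `sudo shred`
# or `sudo parted` on a box with several disks of the same size, e.g.
#   assert_disk_on_port /dev/sdb 1 && sudo parted /dev/sdb -- mklabel gpt
assert_disk_on_port() {
  local dev=$1 port=$2 dir=${3:-/dev/disk/by-path}
  list_ata_ports "$dir" | grep -x "Port $port: $dev" >/dev/null
}
```
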
Formatting of disk
  1. format the root partition as ext4 with the label nixos

    sudo mkfs.ext4 -L nixos /dev/sdb1
  2. set up the swap partition with the label swap

    sudo mkswap -L swap /dev/sdb2
  3. format the boot partition as FAT32 with the label boot

    sudo mkfs.fat -F 32 -n boot /dev/sdb3
Installing OS
  1. mount the target file system on which NixOS should be installed on /mnt

    sudo mount /dev/disk/by-label/nixos /mnt
  2. mount the boot file system on /mnt/boot

    sudo mkdir -p /mnt/boot
    sudo mount /dev/disk/by-label/boot /mnt/boot
  3. generate an initial configuration file

    sudo nixos-generate-config --root /mnt
  4. edit a configuration file

    sudo nano /mnt/etc/nixos/configuration.nix
    • enable OpenSSH service
    • allow login as root user
    {
      # boot.loader.grub.enable = true;
    
      # Use the systemd-boot EFI boot loader.
      boot.loader.systemd-boot.enable = true;
      boot.loader.efi.canTouchEfiVariables = true;
    
      services.openssh = {
        enable = true;
        settings.PermitRootLogin = "yes";
      };
    }
    
  5. run the installation

    sudo nixos-install
  6. at the end of the installation, set the password for the root user; if that step failed, set it manually

    [nixos@nixos:~]$ sudo nixos-enter --root '/mnt'
    [root@nixos:/]# passwd
    [root@nixos:/]# exit
  7. reboot system

    sudo reboot
  8. after the reboot, check that you can connect as the root user

    ssh root@[SERVER_IP_ADDRESS]
  9. delete data from HDD drive

    • run the process in the background, because it can take a long time
      sudo shred --verbose /dev/sdX >> shred.log 2>&1 &
    • display logs
      tail -f shred.log

Setting up a local environment and preparing a server

Prepare
  1. Create Service Account in 1Password

    • Allow creation of new vaults
  2. create a personal access token (classic) in GitHub

    • Note: Grafana
    • Expiration: No expiration
    • Scopes:
      • repo:status
      • repo_deployment
      • public_repo
      • read:packages
      • read:org
      • read:user
      • user:email
      • read:project
  3. create bot and group in Telegram:

    • Grafana Alerting
    • Alertmanager
    • GitLab
  4. build an image

    docker build --rm --file Dockerfile --tag ansible:2.19.3 .
  5. create a Vault password file secrets/.vault_password with generated password

  6. create an encrypted file

    docker run --rm -ti \
      --volume=$(pwd):/etc/ansible \
      ansible:2.19.3 \
        ansible-vault create secrets/host_vars/localhost/vault.yml
  7. write credentials to encrypted file

    ---
    vault_server_ip_address: 192.168.0.1
    vault_server_root_account_password: 'S0me P@ssword'
    vault_server_technical_account_username: [value]
    
    vault_domain_name_internal: example.com
    
    vault_1password_service_account_token: [value from point 1]
    vault_1password_vault_name: [value]
    vault_1password_email_address: email@example.com
    
    vault_github_token_grafana: [value from point 2]
    
    vault_telegram_bot_token_grafana_alerting: [value from point 3]
    vault_telegram_chat_id_grafana_alerting: [value from point 3]
    
    vault_telegram_bot_token_alertmanager: [value from point 3]
    vault_telegram_chat_id_alertmanager: [value from point 3]
    
    vault_telegram_bot_token_gitlab: [value from point 3]
    vault_telegram_chat_id_gitlab: [value from point 3]
    
    vault_postgresql_pgadmin_postgresql_username: [value]
    vault_postgresql_exporter_postgresql_username: [value]
    
    vault_mattermost_postgresql_username: [value]
    vault_mattermost_postgresql_database: [value]
    
    vault_grafana_postgresql_username: [value]
    vault_grafana_redis_exporter_username: [value]
    vault_grafana_redis_grafana_username: [value]
    
    vault_loki_redis_exporter_username: [value]
    vault_loki_redis_grafana_username: [value]
    
    vault_gitlab_postgresql_username: [value]
    vault_gitlab_postgresql_database: [value]
    vault_gitlab_redis_exporter_username: [value]
    vault_gitlab_redis_grafana_username: [value]
  8. download the packages

    • https://releases.mattermost.com/${version}/mattermost-team-${version}-linux-amd64.tar.gz
    • https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso
  9. run a playbook to do an initial configuration on a server and configure a local environment

    docker run --rm -t \
      --volume=$(pwd):/etc/ansible \
      ansible:2.19.3 \
        ansible-playbook site.yml --tags prepare
  10. upload the Windows ISO image to the /mnt/ssd-100/libvirt/iso directory on the server
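
A pre-flight check for the credentials written in step 7, added here as an example and not part of the repository: it reads the decrypted vault on stdin and fails when a key is empty, still carries a "[value ...]" placeholder, or is missing, so that the playbook runs in steps 9 and the Deploy section never push placeholders to the server. The required-key list is constructed from step 7; pipe the output of ansible-vault view (run through the same docker invocation as step 6) into check_vault_vars.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository: pre-flight check on the decrypted
# contents of secrets/host_vars/localhost/vault.yml.
set -euo pipefail

# Keys that the credentials step requires (constructed from that list; extend
# it when new vault_* variables are added).
REQUIRED_VAULT_KEYS=(
  vault_server_ip_address
  vault_server_root_account_password
  vault_server_technical_account_username
  vault_domain_name_internal
  vault_1password_service_account_token
  vault_github_token_grafana
  vault_telegram_bot_token_grafana_alerting
  vault_telegram_chat_id_grafana_alerting
)

# Read "key: value" lines on stdin; print one problem per line and return 1
# if any key is malformed, empty, still a placeholder, or missing; else 0.
# Usage: ansible-vault view secrets/host_vars/localhost/vault.yml | check_vault_vars
check_vault_vars() {
  local line key value problems=0 skip_re='^[[:space:]]*(#|---|$)'
  declare -A seen=()
  while IFS= read -r line; do
    [[ $line =~ $skip_re ]] && continue          # comments, "---", blank lines
    [[ $line == *:* ]] || { echo "malformed: $line"; problems=1; continue; }
    key=${line%%:*}
    value=${line#*:}
    value=${value#"${value%%[![:space:]]*}"}     # strip leading whitespace
    seen[$key]=1
    if [[ -z $value ]]; then
      echo "empty: $key"; problems=1
    elif [[ $value == *"[value"* ]]; then
      echo "placeholder: $key"; problems=1
    fi
  done
  for key in "${REQUIRED_VAULT_KEYS[@]}"; do
    [[ -n ${seen[$key]:-} ]] || { echo "missing: $key"; problems=1; }
  done
  return "$problems"
}
```
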

Configuring a server

Deploy
  1. run a playbook to configure a server

    docker run --rm -t \
      --volume=$(pwd):/etc/ansible \
      ansible:2.19.3 \
        ansible-playbook site.yml
  2. Firefox

    • open: Preferences -> Privacy & Security -> Security -> Certificates -> View Certificates...
    • import certificate authority: Authorities -> Import...
      • secrets/ca.pem
      • choose Trust this CA to identify websites.
    • import user certificate for authentication: Your Certificates -> Import...
      • secrets/user.pfx
      • leave the password field blank and click Log in
  3. Windows

    • virtio-win guest agent and tools
      • virtio-win -> guest-agent\qemu-ga-x86_64.msi
      • virtio-win -> virtio-win-guest-tools.exe
    • WinFsp
    • SPICE Guest Tools
      • host-share -> spice-guest-tools-latest.exe
    • Alloy
      • host-share -> alloy-installer-windows-amd64.exe
      • run cmd as administrator
      • configure
        REG ADD HKEY_LOCAL_MACHINE\Software\GrafanaLabs\Alloy /f /v Arguments /t REG_MULTI_SZ /d "run\0Z:\config.alloy\0--server.http.enable-pprof=false\0--server.http.memory-addr=alloy.internal:12345\0--server.http.listen-addr=127.0.0.1:12345\0--server.http.ui-path-prefix=/alloy\0--storage.path=C:\ProgramData\GrafanaLabs\Alloy\data\0--disable-reporting=true\0--cluster.enabled=false\0--config.format=alloy\0--config.bypass-conversion-errors=false\0--stability.level=public-preview\0--feature.community-components.enabled=false\0--windows.priority=normal"
        
      • restart service
        sc stop Alloy
        sc start Alloy
        
      • ui: http://127.0.0.1:12345/alloy
