From c70b805d3fe4384aa7c5119441f3fc64b0715619 Mon Sep 17 00:00:00 2001 From: "user@node5.net" Date: Sat, 30 May 2026 08:58:46 +0200 Subject: Nix on my server: Do another passthrough improving various things --- NixOS on my server/index.md | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/NixOS on my server/index.md b/NixOS on my server/index.md index 1ae1c27..28a15c4 100644 --- a/NixOS on my server/index.md +++ b/NixOS on my server/index.md @@ -10,7 +10,8 @@ as it mainly serves as my playground. I will be deploying nix the nix way, to get the full benefits. This means transition all my services to being fully declared with nix. -My services: +## My services: + - 1 static NGINX website - 1 CGit instance - 4 python flask applications @@ -25,8 +26,8 @@ you'll be supprised how many small things you've set up over the years ### Problem -I recently set out to migrate this server to NixOS. -It's only available over wireguard, when running `nixos-rebuild switch` with the wireguard address as `--target-host`, + +This server is only available over wireguard, when running `nixos-rebuild switch` with the wireguard address as `--target-host`, it's really easy to set some config option that makes the system unreachable. ### Simple native solution @@ -51,7 +52,12 @@ dry-activate: show what would be done if this configuration were activated ``` Now it would be nice if there was an automated rollback in case the system became unreachable. -This could be as simple as: run a root tmux with `sleep 300 && /run/booted-system/bin/switch-to-configuration` +This could be as simple as: run a root tmux with + +```bash +sleep 300 && /run/booted-system/bin/switch-to-configuration +``` + However what does it do if an activation take more than 5 minutes, what if you forget? Plus i even had once where the wireguard service didn't come up by it self again. It would be nicer with a purpose build tool. 
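Review bot: in the `@@ -10` hunk the new heading `## My services:` keeps the trailing colon from the old plain-text label; the file's other headings (`### Problem`, `### Simple native solution`) have none, so use `## My services`.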
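Review bot: in the `@@ -25` hunk the removed sentence is replaced by a bare `+` line, which leaves two consecutive blank lines under `### Problem`; drop the empty added line. The sentence that remains is a comma splice ("...only available over wireguard, when running..."); suggest "This server is only reachable over WireGuard. When running `nixos-rebuild switch` with the WireGuard address as `--target-host`, it is easy to set...". The context line in the same hunk still reads "supprised" (surprised).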
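Review bot: in the `@@ -51` hunk the rollback one-liner moved into the new `bash` block is missing the action argument: `/run/booted-system/bin/switch-to-configuration` expects `switch` (or `boot`/`test`) after it, as the usage text quoted in this hunk's header (`dry-activate: show what would be done if this configuration were activated`) shows; given no action the script prints its usage instead of activating, so the "automated rollback" never happens. Suggest `sleep 300 && /run/booted-system/bin/switch-to-configuration switch`, and mention that the tmux session must be detached so it survives the SSH connection being lost. Grammar in the trailing lines: "an activation takes", "by itself", "purpose-built tool".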
@@ -67,6 +73,10 @@ and instructing the target node to automatically roll back if it is not confirme Here's a nice [deploy-rs setup guide - crystalwobsite.gay](https://crystalwobsite.gay/posts/2025-02-09-deploying_nixos#deploying-via-flakes) +#### Test server + +Let's try it out on a test server +
 diff --git a/flake.nix b/flake.nix
 index a056d72..b47d632 100644
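Review bot: `#### Test server` and "Let's try it out on a test server" do not say which host; the deploy log later identifies it as `node5-test` and the last diff touches `modules/hosts/node5-test/wireguard.nix`, so name it here ("Let's try it out on the test host, `node5-test`") so the reader can match the heading to that output.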
@@ -223,7 +233,15 @@ note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
     ~/dot-files   master *4 +6 !5 ───────────────────────────────────────────── ✔ 1|0   1m 29s   impure  21:38:27
 
---- +Success! + +``` +🚀 ❌ [deploy] [ERROR] Deployment to node node5-test failed, rolled back to previous generation +``` + +#### Prod server wireguard + +Cool, let's ship it to prod 🚢
 🚀 ℹ️ [deploy] [INFO] Running checks for flake in /home/user/dot-files/
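Review bot: "Success!" placed directly above `🚀 ❌ [deploy] [ERROR] Deployment to node node5-test failed, rolled back to previous generation` reads as a contradiction unless the reader remembers this is the deliberate unreachable-config test; add one sentence stating that the rollback is the success criterion here (the `[ERROR]` line is deploy-rs taking the not-confirmed path described earlier). The context line `note: run with RUST_BACKTRACE=1 environment variable to display a backtrace` just above indicates a Rust panic preceded it; say whether that was expected or a separate problem. The new fence is untagged while the earlier snippet uses ```bash; tag log output consistently (e.g. ```text).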
@@ -250,6 +268,8 @@ stopping the following units: wg-quick-wg0.service
 
 
+Bollocks, it still takes down the wireguard service as part of the deployment, and doesn't recover automatically. +Solution: switch from wg-quick to native wireguard.
 diff --git a/modules/hosts/node5-test/wireguard.nix b/modules/hosts/node5-test/wireguard.nix
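Review bot: the two added lines assert a fix ("switch from wg-quick to native wireguard") without explaining why the native module would not also be stopped during activation; the context line `stopping the following units: wg-quick-wg0.service` shows the symptom, so add the reasoning or the activation output from the retry that shows the tunnel staying up. "Doesn't recover automatically" also needs reconciling with the test-server hunk, where deploy-rs did roll back: was the difference that the rollback ran but could not bring the tunnel back? Lastly, the heading is `#### Prod server wireguard` but the diff that follows is `modules/hosts/node5-test/wireguard.nix`; state whether the prod host gets the same change. Spelling: WireGuard.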
-- 