+rwx

read, write, execute

I got infected by the NixOS Virus. I've been hearing about this declarative operating system stuff for a while now but never got intrigued enough to try it out. Partly because I knew it would be a huge time-sink.

Last week I started thinking about converting my VPS into a NixOS machine. It's not much more than a proxy for my Unraid Server at home. It exposes a bunch of services to the internet using tailscale and hosts my homepage and this blog. Seems like an easy target for trying out NixOS.

Deployment

Remote deployment took me a few hours/weeks/??? to grasp and to configure. I settled on nixos-anywhere.

Now the workflow for setting up the server from scratch looks like:

  • Create a new machine at Hetzner, make sure you add an SSH key
  • Run the init.sh in my nixos repo and watch the magic happen

Could not be any simpler.

To update the system, I just change the configuration and run another script, aptly named pu.sh, which essentially runs the nixos-rebuild switch command with a few options.

Homeserver Proxy

I have Tailscale running on most of my devices. This enables me to use my VPS as a proxy for my homeserver, so I have access to my local Nextcloud over a public domain, without being in the Tailnet. In my Tailscale ACLs I allowed the VPS to access only the ports these public services need and added a smol virtual host to my caddy configuration:

{ ... }:
let
  # Public domain the VPS serves; Caddy terminates TLS here
  domain = "cloud.inhji.de";
  # Tailscale MagicDNS name of the homeserver, only reachable inside the Tailnet
  host = "neuromancer.banded-sun.ts.net";
  # Port Nextcloud listens on at home; the only port the ACL allows the VPS to reach
  port = "11000";
in
{
  # Virtual Host
  services.caddy.virtualHosts.${domain}.extraConfig = ''
    reverse_proxy ${host}:${port}
  '';
}
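The Tailscale side of this setup, as an added example and not a policy file from the post: a HuJSON ACL that lets the internet-facing VPS reach the homeserver on port 11000 and nothing else, plus the built-in ACL tests that fail the policy save if the restriction ever loosens. The tag names tag:vps and tag:homeserver are assumptions; the post does not say how its nodes are identified.

```json
{
  // Tags are an assumption; the post does not name its ACL tags.
  // autogroup:admin lets tailnet admins apply these tags to nodes.
  "tagOwners": {
    "tag:vps":        ["autogroup:admin"],
    "tag:homeserver": ["autogroup:admin"]
  },

  // As soon as an "acls" list exists, everything not listed is denied.
  // The VPS may reach the homeserver only on the Nextcloud port (11000 in the post);
  // SSH, the Unraid UI and every other Tailnet node stay unreachable from it.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:vps"],
      "dst":    ["tag:homeserver:11000"]
    }
  ],

  // Policy tests are evaluated when the policy is saved; a failing
  // test rejects the change, so a later edit cannot silently widen access.
  "tests": [
    {
      "src":    "tag:vps",
      "accept": ["tag:homeserver:11000"],
      "deny":   ["tag:homeserver:22", "tag:homeserver:80", "tag:homeserver:443"]
    }
  ]
}
```

The tests only check the policy, not the homeserver's own firewall, so the Nextcloud port should still be the only one exposed on the Tailscale interface there.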