numbus/numbus-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Big update. Data lost found back.

Browse Source
This commit is contained in:
Raphael Numbus
2025-11-14 19:48:16 +01:00
parent 300b0cbccb
commit 60e5dd2615
2 changed files with 202 additions and 275 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy.sh
+155 -229
View File
@@ -1,3 +1,10 @@
#@GEMINI.md @agents Take the NixOS expert role. I would like to make this installer universal, this means that the disko config has to adapt
#to the available disks in the system. Since covering every possible disk configuration would be impossible, I would like to cover a few of them
#that are relevant in the context of a home server. First I want every disk to be encrypted. Second, there always has to be a boot drive on which
#nixos, docker and config data (small data) is installed. This drive can be standalone (even though that is kind of pointless in production but this
#is more for testing purposes). Third, if present, other disks (2 or 3 never more) than the boot drive must be used in a redundant way for the
#big data (nextcloud user data, immich photos, ...). Fourth, if the data disks are SSDs or NVMes, they must use ZFS (mirror or raid1).
#!/bin/bash
set -euo pipefail
@@ -28,33 +35,73 @@ EOF
sleep 1
cleanup() {
echo -e "\n 🏗️ Cleaning up before exit..."
rm -rf /home/numbus-admin/.ssh/id_ed25519 /home/numbus-admin/.ssh/id_ed25519.pub
rm -rf /etc/nixos/*
rm -rf /var/lib/sops-nix/
echo -e "\n ✅ Cleanup done."
hardware_detection() {
echo -e "\n\n 🔎 Detecting graphics card on target host..."
VGA_INFO=$(ssh nixos@$TARGET_HOST 'lspci -nn | grep -i "vga"')
if echo "$VGA_INFO" | grep -iq "intel"; then
echo -e " ✅ Intel graphics card detected."
TARGET_GRAPHICS="true"
elif echo "$VGA_INFO" | grep -iq "amd"; then
echo -e " ✅ AMD graphics card detected."
TARGET_GRAPHICS="true"
elif echo "$VGA_INFO" | grep -iq "nvidia"; then
echo -e " ✅ NVIDIA graphics card detected."
TARGET_GRAPHICS="true"
else
echo -e " ️ No dedicated graphics card detected."
TARGET_GRAPHICS="false"
fi
echo -e "\n\n 🔎 Detecting transconding acceleration on target host..."
if ls /dev/dri/renderD128; then
echo -e " ✅ Transcoding capable card detected."
TARGET_GRAPHICS_RENDERER="true"
else
echo -e " ️ No transcoding capable card detected."
TARGET_GRAPHICS_RENDERER="false"
fi
echo -e "\n\n 🔎 Detecting USB Google Coral TPU on target host..."
if ssh nixos@$TARGET_HOST 'lsusb | grep -iq "google"'; then
echo -e " ✅ USB Google Coral TPU detected."
TARGET_USB_CORAL="true"
else
echo -e " ️ No USB Google Coral TPU detected."
TARGET_USB_CORAL="false"
fi
echo -e "\n\n 🔎 Detecting Zigbee coordinator on target host..."
if ssh nixos@$TARGET_HOST 'ls /dev/serial/by-id/ | grep -i "zigbee"'; then
echo -e " ✅ Zigbee device found in /dev/serial/by-id/."
TARGET_ZIGBEE_DEVICE=$(ssh nixos@$TARGET_HOST 'ls /dev/serial/by-id/ | grep -i "zigbee"')
TARGET_ZIGBEE_DEVICE_PATH="/dev/serial/by-id/$TARGET_ZIGBEE_DEVICE"
TARGET_ZIGBEE="true"
else
echo -e " ️ No Zigbee device found."
TARGET_ZIGBEE="false"
fi
}
files_generation() {
echo -e "\n\n ✅ Generating necessary folder tree..."
mkdir -p extra-files/home/numbus-admin/.ssh/
mkdir -p extra-files/var/lib/sops-nix/
mkdir -p extra-files/etc/nixos/secrets/
mkdir -p extra-files/mnt/config-storage/traefik/config/conf
mkdir -p extra-files/mnt/config-storage/hass/mqtt/config
mkdir -p extra-files/mnt/config-storage/hass/mqtt/data
mkdir -p extra-files/mnt/data-storage/nextcloud
mkdir -p extra-files/mnt/data-storage/immich
echo -e "\n\n ✅ Generating new SSH for numbus-admin..."
mkdir -p /home/numbus-admin/.ssh/
ssh-keygen -t ed25519 -C numbus-admin@numbus-server -f /home/numbus-admin/.ssh/id_ed25519 -N "" -q
ssh-keygen -t ed25519 -C numbus-admin@numbus-server -f extra-files/home/numbus-admin/.ssh/id_ed25519 -N "" -q
echo -e "\n\n ✅ Generating sops-nix keys..."
mkdir -p /var/lib/sops-nix/
age-keygen -o /var/lib/sops-nix/key.txt
SOPS_PUBLIC_KEY=$(age-keygen -y /var/lib/sops-nix/key.txt)
nix run nixpkgs#ssh-to-age -- -private-key -i extra-files/home/numbus-admin/.ssh/id_ed25519 > extra-files/var/lib/sops-nix/key.txt
SOPS_PUBLIC_KEY=$(nix shell nixpkgs#age -c age-keygen -y extra-files/var/lib/sops-nix/key.txt)
echo -e "\n\n ✅ Generating sops-nix configuration files..."
echo """# .sops.yaml
keys:
- &primary $SOPS_PUBLIC_KEY
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary""" > .sops.yaml
envsubst < config-files/sops-nix/.sops.yaml > extra-files/etc/nixos/.sops.yaml
echo -e "\n\n ✅ Generating secure random database passwords..."
HOME_ASSISTANT_MQTT_USER=$(openssl rand -base64 29 | tr -d "123456789=+/" | cut -c1-10)
@@ -62,50 +109,13 @@ files_generation() {
PASSBOLT_MYSQL_DATABASE=$(openssl rand -base64 29 | tr -d "123456789=+/" | cut -c1-10)
PASSBOLT_MYSQL_USER=$(openssl rand -base64 29 | tr -d "123456789=+/" | cut -c1-10)
PASSBOLT_MYSQL_PASSWORD=$(openssl rand -base64 29 | tr -d "=+/" | cut -c1-64)
FTLCONF_webserver_api_password=$(openssl rand -base64 29 | tr -d "=+/" | cut -c1-64)
FTLCONF_WEBSERVER_PASSWORD=$(openssl rand -base64 29 | tr -d "=+/" | cut -c1-64)
echo -e "\n\n ✅ Encrypting secrets in the correct file..."
mkdir -p secrets/
cd secrets/
echo """ssh-public-keys: $SSH_PUBLIC_KEY
docker:
nextcloud: |
DOMAIN_NAME=$DOMAIN_NAME
NEXTCLOUD_ENABLE_DRI_DEVICE=$TARGET_GRAPHICS
frigate: |
DOMAIN_NAME=$DOMAIN_NAME
FRIGATE_MQTT_USER=$HOME_ASSISTANT_MQTT_USER
FRIGATE_MQTT_PASSWORD=$HOME_ASSISTANT_MQTT_PASSWORD
traefik: |
DOMAIN_NAME=$DOMAIN_NAME
CF_DNS_API_TOKEN: $CF_DNS_API_TOKEN
hass: |
DOMAIN_NAME=$DOMAIN_NAME
HOME_ASSISTANT_MQTT_USER: $HOME_ASSISTANT_MQTT_USER
HOME_ASSISTANT_MQTT_PASSWORD: $HOME_ASSISTANT_MQTT_PASSWORD
passbolt: |
DOMAIN_NAME=$DOMAIN_NAME
TZ="Europe/Paris"
PASSBOLT_MYSQL_DATABASE: $PASSBOLT_MYSQL_DATABASE
PASSBOLT_MYSQL_USER: $PASSBOLT_MYSQL_USER
PASSBOLT_MYSQL_PASSWORD: $PASSBOLT_MYSQL_PASSWORD
SENDER_EMAIL_ADDRESS: $SENDER_EMAIL_ADDRESS
SENDER_EMAIL_ADDRESS_PASSWORD: $SENDER_EMAIL_ADDRESS_PASSWORD
SENDER_EMAIL_DOMAIN: $SENDER_EMAIL_DOMAIN
SENDER_EMAIL_PORT: $SENDER_EMAIL_PORT
EMAIL_ADDRESS: $EMAIL_ADDRESS
pihole: |
DOMAIN_NAME=$DOMAIN_NAME
TZ="Europe/Paris"
HOME_ROUTER_SUBNET=$HOME_ROUTER_SUBNET
HOME_ROUTER_IP=$HOME_ROUTER_IP
HOME_SERVER_IP=$HOME_SERVER_IP
FTLCONF_webserver_api_password: $FTLCONF_webserver_api_password""" | sops encrypt --filename-override secrets.yaml \
envsubst < "config-files/sops-nix/secrets.yaml" | sops encrypt --filename-override secrets.yaml \
--input-type yaml --output-type yaml \
--age $SOPS_PUBLIC_KEY \
--output secrets.yaml
cd ../
--output extra-files/etc/nixos/secrets/secrets.yaml
echo -e "\n\n ✅ Writing correct disk to disk-config.nix..."
sed -i s+TARGET_DISK+$TARGET_DISK+g disk-config.nix
@@ -114,165 +124,79 @@ docker:
sed -i s+HOME_SERVER_IP+$HOME_SERVER_IP+g configuration.nix
sed -i s+HOME_ROUTER_IP+$HOME_ROUTER_IP+g configuration.nix
echo -e "\n\n ✅ Adapting the docker configuration to your hardware..."
if [[ "$TARGET_GRAPHICS" == "true" && "$TARGET_USB_CORAL" == "true" ]]; then
sed -i.bak '
/^[[:space:]]*# ----------------------------------------- #/{
N;
/DEVICES SECTION WILL APPEAR HERE IF CORAL/{
N;
/TPU OR INTEGRATED GRAPHICS ARE PRESENT/{
N;
/----------------------------------------- #/c\
devices:\
- /dev/dri:/dev/dri\
- /dev/bus/usb:/dev/bus/usb
}
}
}' docker/frigate.nix
elif [[ "$TARGET_GRAPHICS" == "true" && "$TARGET_USB_CORAL" == "false" ]]; then
sed -i.bak '
/^[[:space:]]*# ----------------------------------------- #/{
N;
/DEVICES SECTION WILL APPEAR HERE IF CORAL/{
N;
/TPU OR INTEGRATED GRAPHICS ARE PRESENT/{
N;
/----------------------------------------- #/c\
devices:\
- /dev/dri:/dev/dri\
}
}
}' docker/frigate.nix
elif [[ "$TARGET_GRAPHICS" == "false" && "$TARGET_USB_CORAL" == "true" ]]; then
sed -i.bak '
/^[[:space:]]*# ----------------------------------------- #/{
N;
/DEVICES SECTION WILL APPEAR HERE IF CORAL/{
N;
/TPU OR INTEGRATED GRAPHICS ARE PRESENT/{
N;
/----------------------------------------- #/c\
devices:\
- /dev/bus/usb:/dev/bus/usb
}
}
}' docker/frigate.nix
fi
if [[ "$TARGET_ZIGBEE" == "true" ]]; then
sed -i.bak "
/^[[:space:]]*# ----------------------------------- #/{
N;
/DEVICES SECTION WILL APPEAR HERE IF/{
N;
/ZIGBEE USB DEVICE IS PRESENT/{
N;
/----------------------------------- #/c\
devices:\
- ${TARGET_ZIGBEE_DEVICE_PATH}:/dev/ttyUSB0
}
}
}" docker/hass.nix
fi
echo -e "\n\n ✅ Copying files to the new installation..."
mkdir -p extra-files/etc/nixos/
mkdir -p extra-files/home/numbus-admin/.ssh/
mkdir -p extra-files/var/lib/sops-nix/
mkdir -p extra-files/mnt/config-storage/docker-data/traefik/config/conf
mkdir -p extra-files/mnt/data-storage/docker-data/nextcloud
mkdir -p extra-files/mnt/data-storage/docker-data/immich
mkdir -p extra-files/mnt/config-storage/docker-data/hass/mqtt/config
mkdir -p extra-files/mnt/config-storage/docker-data/hass/mqtt/data
cp -ravu secrets/ docker/ .sops.yaml configuration.nix disk-config.nix flake.nix hardware-configuration.nix extra-files/etc/nixos/
cp -ravu /home/numbus-admin/.ssh/ extra-files/home/numbus-admin/
cp -ravu /var/lib/sops-nix/key.txt extra-files/var/lib/sops-nix/
cp -ravu secrets/ .sops.yaml hardware-configuration.nix extra-files/etc/nixos/
echo -e "\n\n ✅ Writing docker configuration files..."
cat <<EOF > extra-files/mnt/config-storage/docker-data/traefik/config/traefik.yaml
global:
checkNewVersion: false
sendAnonymousUsage: false
# - level: [TRACE, DEBUG, INFO, WARN, ERROR, FATAL]
log:
level: ERROR
accesslog: {}
api:
dashboard: true
insecure: true
entryPoints:
web:
address: :80
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: :443
forwardedHeaders:
trustedIPs:
# Local IPs
- "127.0.0.1/32"
- "10.0.0.0/8"
- "192.168.0.0/16"
- "172.16.0.0/12"
certificatesResolvers:
cloudflare:
acme:
email: ${EMAIL_ADDRESS}
storage: /var/traefik/certs/cloudflare-acme.json
caServer: "https://acme-v02.api.letsencrypt.org/directory"
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "9.9.9.9:53"
serversTransport:
insecureSkipVerify: true
providers:
docker:
exposedByDefault: false
network: traefik_frigate, traefik_hass, traefik_nextcloud, traefik_passbolt, traefik_pihole
file:
directory: "/etc/traefik/conf/"
watch: true
EOF
cat <<EOF > extra-files/mnt/config-storage/docker-data/traefik/config/conf/nextcloud.yaml
http:
routers:
nextcloud:
rule: "Host(\`nextcloud.${DOMAIN_NAME}\`)"
entrypoints:
- "websecure"
service: nextcloud
middlewares:
- nextcloud-chain
tls:
certresolver: "cloudflare"
services:
nextcloud:
loadBalancer:
servers:
- url: "http://nextcloud-aio-apache:11000"
middlewares:
nextcloud-secure-headers:
headers:
hostsProxyHeaders:
- "X-Forwarded-Host"
referrerPolicy: "same-origin"
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
STSSeconds: 315360000
https-redirect:
redirectscheme:
scheme: https
nextcloud-chain:
chain:
middlewares:
- https-redirect
- nextcloud-secure-headers
EOF
cat <<'EOF' > extra-files/mnt/config-storage/docker-data/traefik/config/conf/headers.yaml
http:
middlewares:
passbolt:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,OPTIONS,PUT'
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000
EOF
cat <<'EOF' > extra-files/mnt/config-storage/docker-data/traefik/config/conf/tls.yaml
tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- CurveP521
- CurveP384
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
EOF
cat <<EOF > extra-files/mnt/config-storage/docker-data/hass/mqtt/config/mosquitto.conf
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
listener 1883
## Authentication ##
allow_anonymous false
password_file /mosquitto/config/password.txt
EOF
touch extra-files/mnt/config-storage/docker-data/hass/mqtt/config/password.txt
chmod 0700 extra-files/mnt/config-storage/docker-data/hass/mqtt/config/password.txt
nix shell nixpkgs#mosquitto -c mosquitto_passwd -b extra-files/mnt/config-storage/docker-data/hass/mqtt/config/password.txt $HOME_ASSISTANT_MQTT_USER $HOME_ASSISTANT_MQTT_PASSWORD
envsubst < config-files/traefik/headers.yaml > extra-files/mnt/config-storage/traefik/config/conf/headers.yaml
envsubst < config-files/traefik/nextcloud.yaml > extra-files/mnt/config-storage/traefik/config/conf/nextcloud.yaml
envsubst < config-files/traefik/tls.yaml > extra-files/mnt/config-storage/traefik/config/conf/tls.yaml
envsubst < config-files/traefik/traefik.yaml > extra-files/mnt/config-storage/traefik/config/traefik.yaml
envsubst < config-files/hass/mosquitto.conf > extra-files/mnt/config-storage/hass/mqtt/config/mosquitto.conf
touch extra-files/mnt/config-storage/hass/mqtt/config/password.txt
chmod 0700 extra-files/mnt/config-storage/hass/mqtt/config/password.txt
nix shell nixpkgs#mosquitto -c mosquitto_passwd -b extra-files/mnt/config-storage/hass/mqtt/config/password.txt $HOME_ASSISTANT_MQTT_USER $HOME_ASSISTANT_MQTT_PASSWORD
}
deploy() {
@@ -282,7 +206,7 @@ deploy() {
--flake .#numbus-server \
--extra-files "extra-files/" \
--chown "/home/numbus-admin/" 1000:1000 \
--target-host $TARGET_USER@$TARGET_HOST
--target-host nixos@$TARGET_HOST
echo -e "\n\n ✅ Installation successfull !!"
sleep 1
@@ -295,7 +219,7 @@ nixos_deployment() {
if [[ "$SETUP_ANSWER" == "done" ]]; then
:
else
echo "Aborting you did not type 'done'."
echo "Aborting - you did not type 'done'."
exit 1
fi
@@ -304,8 +228,6 @@ nixos_deployment() {
read -r TARGET_HOST
echo -e "\n\n ➡️ Please provide the disk you want to install NixOS on (i.e. /dev/vda, /dev/sda, /dev/nvme0n1...) :"
read -r TARGET_DISK
echo -e "\n\n ➡️ Does the target server has graphics ? (integrated or discrete) :"
read -r TARGET_GRAPHICS
echo -e "\n\n ➡️ Please provide the public SSH key of an authorized device :"
read -r SSH_PUBLIC_KEY
@@ -336,6 +258,11 @@ nixos_deployment() {
echo -e "\n\n ➡️ Please choose the ip address that your server will use (i.e. any address in the 192.168.1.1/24\n range that is not in use. 192.168.1.5 for example.) :"
read -r HOME_SERVER_IP
echo -e "\n\n ➡️ Please provide enter the password of the remote target."
ssh-copy-id nixos@$TARGET_HOST
hardware_detection
files_generation
deploy
@@ -348,12 +275,12 @@ nixos_deployment_with_config() {
if [[ "$SETUP_ANSWER" == "done" ]]; then
:
else
echo "Aborting you did not type 'done'."
echo "Aborting - you did not type 'done'."
exit 1
fi
echo -e "\n\n ➡️ Please provide the path to a config file :"
read -rp "Enter the full path to the config file: " CONFIG_PATH
read -erp CONFIG_PATH
CONFIG_PATH=$(realpath -m "$CONFIG_PATH")
if [[ ! -f "$CONFIG_PATH" ]]; then
echo "Error: '$CONFIG_PATH' does not exist or is not a regular file."
@@ -373,10 +300,10 @@ nixos_deployment_with_config() {
MISSING=0
for VAR in "${REQUIRED_VARS[@]}"; do
if [[ -v $VAR && -n ${!VAR} ]]; then
echo -e "\n\n$VAR imported successfully from the config file"
echo -e "\n ✅ $VAR imported successfully from the config file"
sleep 0.1
else
echo "\n\n$VAR is missing or empty"
echo "\n ❌ $VAR is missing or empty"
sleep 0.1
MISSING=1
fi
@@ -391,7 +318,9 @@ nixos_deployment_with_config() {
deploy
}
trap cleanup EXIT
nixos_update() {
}
echo -e "\n\n Please choose an action (i.e. 1, 2 or 3) :\n"
echo -e " - [1] 🌐 Deploy NixOS on a remote machine"
@@ -401,17 +330,14 @@ read -r ACTION_ANSWER
if [[ "$ACTION_ANSWER" == "1" ]]; then
echo -e "\n ➡️ Proceeding with deployment…"
TARGET_USER="nixos"
nixos_deployment
elif [[ "$ACTION_ANSWER" == "2" ]]; then
echo -e "\n ➡️ Proceeding with deployment using a config file…"
TARGET_USER="nixos"
nixos_deployment_with_config
elif [[ "$ACTION_ANSWER" == "3" ]]; then
echo -e "\n ➡️ Proceeding with update…"
TARGET_USER="numbus-admin"
nixos_deployment_with_config
nixos_update
else
echo "Aborting you did not type '1, 2 or 3'."
echo "Aborting - you did not type '1, 2 or 3'."
exit 1
fi