
dont-rely-on-nulls/chessboard


Chessboard


This repository contains the server configuration to host applications from Dr. Nekoma and Don’t Rely on Nulls. Currently, the following projects are hosted here:

This setup is also an ongoing experiment that mixes multiple infrastructure and deployment tools, including Nix/NixOS (with disko and impermanence), devenv (for local development environments), OpenTofu, and Terrateam.

Development

Enter the Nix shell from the CLI, or use direnv so the environment is loaded automatically whenever you enter the directory:

# Using the Nix CLI
nix develop --impure

# Or, if using direnv
direnv allow

Setting Up Local Keys

If you don’t have SSH keys configured yet:

cd $HOME/.ssh
ssh-keygen -t ed25519 -C "your.email@gmail.com"

Then, return to this project’s root directory and:

  1. Modify ./keys/default.nix to add your user and public key following the existing format.
  2. If you want to add a new secret, add an entry for it to ./secrets/secrets.nix, using everyone as its list of public keys, then create the encrypted file:
    # If your SSH agent already has a key loaded
    agenix -e "my_secret.age"
    
    # Or, explicitly specify your private key
    agenix -e "my_secret.age" -i ~/.ssh/your_private_key
        
  3. Finally, rekey all secrets so they are re-encrypted to the updated key list. Rekeying needs an identity that can already decrypt every secret, so a newly added key only gains access once someone holding an existing key runs this step:
    # With the agent
    agenix --rekey
    
    # Or manually
    agenix --rekey -i $HOME/.ssh/your_private_key
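After rekeying, it is worth proving that every secret really decrypts with the key you just added rather than assuming the rekey covered it. The helper below is an added example and not part of the chessboard repository. It assumes the secrets live as *.age files in a directory that also holds secrets.nix (./secrets here, since agenix resolves secret names against the secrets.nix in its working directory), that agenix is on PATH, and it uses an assumed AGENIX_BIN variable purely as an override hook. Decrypted output is sent to /dev/null: a plaintext secret must never land in the terminal, in scrollback or in a CI log.

```sh
# Added example (not part of the chessboard repo): verify that every *.age
# secret decrypts with a given identity after `agenix --rekey`.
# AGENIX_BIN is an assumed override hook; it defaults to `agenix` on PATH.

# verify_secrets_decrypt SECRETS_DIR IDENTITY_FILE
# Runs `agenix -d NAME.age -i IDENTITY` for each *.age in SECRETS_DIR, from
# inside that directory so agenix finds its secrets.nix. Plaintext goes to
# /dev/null; only the secret's name and ok/FAIL are printed. Sets
# VERIFY_FAILED to the number of secrets that did not decrypt and returns 0
# only when that number is 0 (2 on a usage error).
verify_secrets_decrypt() {
  local dir="$1" identity="$2"
  local agenix_bin="${AGENIX_BIN:-agenix}"
  local path name failed=0 total=0

  if [ ! -r "$identity" ]; then
    echo "identity file not readable: $identity" >&2
    return 2
  fi
  if [ ! -d "$dir" ]; then
    echo "no such directory: $dir" >&2
    return 2
  fi
  # agenix is executed inside $dir, so the identity path must be absolute.
  case "$identity" in
    /*) ;;
    *)  identity="$(cd "$(dirname "$identity")" && pwd)/$(basename "$identity")" ;;
  esac

  for path in "$dir"/*.age; do
    [ -e "$path" ] || continue          # glob did not match: no secrets yet
    name=$(basename "$path")
    total=$((total + 1))
    # stdout (the plaintext) is discarded; agenix/age diagnostics stay on stderr.
    if (cd "$dir" && "$agenix_bin" -d "$name" -i "$identity") >/dev/null; then
      echo "ok    $name"
    else
      echo "FAIL  $name (not encrypted to this identity?)"
      failed=$((failed + 1))
    fi
  done

  VERIFY_FAILED=$failed
  echo "$total secret(s) checked, $failed failed"
  [ "$failed" -eq 0 ]
}

# Usage from the repo root, with the key you added to keys/default.nix:
#   verify_secrets_decrypt ./secrets ~/.ssh/id_ed25519
```

A FAIL for a secret you are listed on in secrets.nix means the rekey did not reach that file (it was rekeyed by an identity that could not decrypt it, or the list was edited after the rekey); re-run the rekey from a key that can decrypt it.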
        

QEMU VM

To build and run a local virtual machine for testing:

just build-qemu   # or: just bq, or simply: bq

Then:

just run-qemu     # or: just rq, or simply: rq

Inside the VM, verify services are running correctly:

systemctl status sshd.service
# or, if the configuration includes PostgreSQL
sudo --user postgres psql

You can also add a convenient SSH config entry (on $HOME/.ssh/config). The host-key overrides below are only acceptable for the local VM: it listens on 127.0.0.1 and gets a fresh host key every time it is rebuilt, so there is nothing worth pinning.

Host nekoma_vm
  HostName 127.0.0.1
  Port 2222
  User root
  IdentityFile /dev/null
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  CheckHostIP no

A second entry is useful when targeting the cloud providers. Give it a different alias: ssh keeps the first value it reads for each option, so a second Host nekoma_vm stanza would only supply options the first one left unset, and every option here is already set above. Leave StrictHostKeyChecking and UserKnownHostsFile at their defaults for the cloud host so its real host key is verified and pinned.

Host <a-different-alias>
  HostName <whatever-you-get-from-tofu>
  Port 22
  User your_user
  IdentityFile your_key

Then connect with:

ssh nekoma_vm
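The two mistakes the stanzas above make easy, an alias declared twice and host-key checking switched off for a host that is not on loopback, are simple to lint for. The function below is an added example, not part of the chessboard repository; it assumes a plain ssh_config with one "Host alias" line per stanza and does not handle Match blocks. The 203.0.113.10 address in the usage is a constructed documentation-range placeholder standing in for whatever tofu outputs.

```sh
# Added example (not part of the chessboard repo): lint an ssh_config for
# duplicate Host aliases and for host-key verification disabled on a
# non-loopback target. Assumes plain "Host alias" stanzas; Match blocks
# are not handled.

# _flag_lax_stanza ALIAS HOSTNAME STRICT KNOWNHOSTS
# Prints a finding and returns 1 when host-key checking is off for a host
# that is not loopback. Loopback (or an unset HostName) is accepted: a
# throwaway VM gets a new host key every rebuild, so there is nothing to pin.
_flag_lax_stanza() {
  [ -n "$1" ] || return 0                 # no stanza open yet
  case "$2" in
    ""|127.*|::1|localhost) return 0 ;;
  esac
  if [ "$3" = "no" ] || [ "$4" = "/dev/null" ]; then
    echo "$1: host-key verification disabled for non-loopback host $2"
    return 1
  fi
  return 0
}

# lint_ssh_config FILE
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
lint_ssh_config() {
  local file="$1"
  local line key val alias hostname strict knownhosts seen findings
  alias=""; hostname=""; strict=""; knownhosts=""
  seen=" "; findings=0
  set -f                                  # "Host *" must not glob-expand
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # drop comments
    set -- $line                          # $1 = keyword, rest = value words
    [ $# -gt 0 ] || continue
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    val="$*"
    case "$key" in
      host)
        # Close the previous stanza before opening a new one.
        _flag_lax_stanza "$alias" "$hostname" "$strict" "$knownhosts" || findings=$((findings + 1))
        alias=$val; hostname=""; strict=""; knownhosts=""
        case "$seen" in
          *" $alias "*)
            echo "$alias: declared more than once; ssh keeps the first value of each option, later stanzas only fill in options the first left unset"
            findings=$((findings + 1)) ;;
        esac
        seen="$seen$alias " ;;
      hostname)              hostname=$val ;;
      stricthostkeychecking) strict=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
      userknownhostsfile)    knownhosts=$val ;;
    esac
  done < "$file"
  _flag_lax_stanza "$alias" "$hostname" "$strict" "$knownhosts" || findings=$((findings + 1))
  set +f
  [ "$findings" -eq 0 ]
}

# Usage:
#   lint_ssh_config "$HOME/.ssh/config"
```

Run it after editing the config and before the first ssh to the cloud host; a clean run prints nothing and exits 0.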

Once the VM is up, you can run:

just deploy-qemu

Custom ISO

To build a bootable ISO image (for testing or deployment bootstraps):

nix build .#iso

Deployment

This repository uses a two-stage deployment process that combines OpenTofu and NixOS for reproducible configuration management.

  1. Bootstrap Infrastructure

    This stage provisions the minimal infrastructure required to get the system running, including:

    • Networking setup (VPCs, subnets).
    • A static IP.
    • Base compute instances.
    • A minimal NixOS configuration that includes:
      • SSH
      • A couple of base users
      • Common packages and tools

      It is deployed using the Terraform modules from nixos-anywhere.

  2. Declarative Configuration (NixOS)

    Once the base system is up, NixOS takes over: the minimal configuration is replaced by the full one, which adds services such as:

    • PostgreSQL and PgBouncer
    • Secrets management (via agenix)
    • Application deployments (e.g., Lyceum’s game server)

Provisioning with OpenTofu

We target two cloud providers as of now:

  • AWS
  • Magalu Cloud

Make sure each environment has its provider access tokens configured (exported in the shell, or otherwise available to the provider) before running plan or apply.

AWS

just plan "aws"     # or 'pa'
just apply "aws"    # or 'aa'

# To destroy all infrastructure
just destroy "aws"  # or 'da'

Magalu Cloud

just plan "mgc"     # or 'pm'
just apply "mgc"    # or 'am'

# To destroy all infrastructure
just destroy "mgc"  # or 'dm'
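A failed plan is the slow way to find out a token is missing, and a debugging echo of the variable is the fast way to leak it into a log. The preflight below is an added example, not part of the chessboard repository or its justfile. It assumes AWS authenticates through the standard SDK variables (AWS_PROFILE, or AWS_ACCESS_KEY_ID together with AWS_SECRET_ACCESS_KEY) and that Magalu Cloud authenticates through an MGC_API_KEY variable; the Magalu variable name in particular is an assumption about the provider, not something the README states. Only variable names are ever printed.

```sh
# Added example (not part of the chessboard repo): gate `just plan`/`just
# apply` on the provider credentials being present in the environment.
# Assumptions: AWS uses AWS_PROFILE or AWS_ACCESS_KEY_ID+AWS_SECRET_ACCESS_KEY
# (standard SDK variables); Magalu Cloud uses MGC_API_KEY (assumed name).
# Values are never printed, only the names of what is missing.

# _var_set NAME -> 0 if the variable NAME is set and non-empty
_var_set() { eval "[ -n \"\${$1:-}\" ]"; }

# preflight_creds PROVIDER   (aws|mgc)
# Returns 0 if the provider can authenticate, 1 if credentials are missing,
# 2 for an unknown provider. Missing variable names go to stderr.
preflight_creds() {
  local missing=""
  case "$1" in
    aws)
      if _var_set AWS_PROFILE; then
        return 0                     # named profile: credentials live in ~/.aws
      fi
      _var_set AWS_ACCESS_KEY_ID     || missing="$missing AWS_ACCESS_KEY_ID"
      _var_set AWS_SECRET_ACCESS_KEY || missing="$missing AWS_SECRET_ACCESS_KEY"
      if [ -n "$missing" ]; then
        echo "aws: set AWS_PROFILE, or these variables:$missing" >&2
        return 1
      fi
      ;;
    mgc)
      if ! _var_set MGC_API_KEY; then
        echo "mgc: MGC_API_KEY is not set" >&2
        return 1
      fi
      ;;
    *)
      echo "unknown provider '$1' (expected aws or mgc)" >&2
      return 2 ;;
  esac
  return 0
}

# Usage: only run the plan when the preflight passes.
#   preflight_creds aws && just plan "aws"
#   preflight_creds mgc && just apply "mgc"
```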

Acknowledgements