This repository contains the NixOS modules and Terraform code that power clan.lol. The website and git server are currently hosted on Hetzner; the demo server and Jitsi server are hosted on Vultr.
To add a new admin user, follow these steps:
- User generates an age key. The new user runs:
$ clan secrets key generate
This creates an age key pair, which is used for secret management.
- User provides credentials to an existing admin. The user shares both of the following with a current admin:
  - Their SSH public key
  - Their age public key (found in ~/.config/sops/age/keys.txt, or ~/Library/Application Support/sops/age/keys.txt on macOS). Share only the `# public key: age1...` line of that file; the `AGE-SECRET-KEY-` line is the private key and must never leave the user's machine.
- Admin adds the user. The admin runs:
$ clan secrets users add <username> <age-key>
$ clan secrets groups add-user admins <username>
Replace <username> and <age-key> with the actual values.
- Admin updates configuration. Add the new user to the modules/admins.nix file.
The new admin user will now have access according to the configuration.
To connect your device to the clan-infra Zerotier network:
- Get the Zerotier network ID. On any existing machine (e.g., web01), run:
clan vars list web01
Look for the line:
zerotier/zerotier-network-id: a9b4872919354736
- Configure your device to join the network. Add the following to your NixOS configuration:
services.zerotierone.joinNetworks = [
  "a9b4872919354736" # clan-infra network
];
- Find your device's Zerotier ID. After starting Zerotier, run:
sudo zerotier-cli info
The output will look like:
200 info <myid> 1.14.2 ONLINE
Note your <myid>.
- Authorize your device on the network. SSH into web01 (or another admin machine) and run:
sudo zerotier-members allow <myid>
Once authorized, your device will be connected to the clan-infra Zerotier network. This authorization step is the access control for the network: only allow a node ID you have confirmed with the owner of the device.
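The join procedure above passes two identifiers around by hand: the 16-hex-digit network ID read from `clan vars list`, and the 10-hex-digit node ID read from `zerotier-cli info`, which an admin then types into `zerotier-members allow`. The following is an added example, not clan-infra's own tooling, that parses both from constructed copies of the command output shown above, rejects malformed or offline values, and only then produces the `allow` command. It assumes the output formats exactly as the README shows them.

```shell
#!/bin/sh
# Added example (not clan-infra's own tooling): check the identifiers that the
# Zerotier join procedure passes around before anything is authorized.
# Constructed sample output is used in place of the live commands.

# Output of `clan vars list web01`, reduced to the relevant line (constructed).
SAMPLE_VARS='zerotier/zerotier-network-id: a9b4872919354736'
# Output of `sudo zerotier-cli info` on the joining device (constructed node id).
SAMPLE_INFO='200 info 89e92ceee5 1.14.2 ONLINE'

# A Zerotier network id is 16 hex digits; a node (member) id is 10 hex digits.
zt_network_id_valid() { printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{16}$'; }
zt_node_id_valid()    { printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{10}$'; }

# Pull the network id out of `clan vars list` output ($1) and validate it.
zt_network_id_from_vars() {
  id=$(printf '%s\n' "$1" | sed -n 's|^zerotier/zerotier-network-id: *\([0-9a-f]*\)$|\1|p')
  zt_network_id_valid "$id" || return 1
  printf '%s\n' "$id"
}

# Pull the node id out of `zerotier-cli info` output ($1). The daemon reports
# "200 info <nodeid> <version> <status>"; a node that is not ONLINE has not
# reached the network yet, so there is nothing to authorize.
zt_node_id_from_info() {
  set -- $1
  [ "$1" = "200" ] && [ "$2" = "info" ] || return 1
  zt_node_id_valid "$3" || return 1
  [ "$5" = "ONLINE" ] || return 1
  printf '%s\n' "$3"
}

# The command an admin runs on web01 once the node id has been confirmed with
# the person who owns the device (out of band, not just copied from a message).
zt_allow_cmd() {
  zt_node_id_valid "$1" || { echo "refusing: malformed node id" >&2; return 1; }
  printf 'sudo zerotier-members allow %s\n' "$1"
}

net=$(zt_network_id_from_vars "$SAMPLE_VARS")
node=$(zt_node_id_from_info "$SAMPLE_INFO")
echo "network $net, node $node"
zt_allow_cmd "$node"
```

The validation is deliberately strict: a node ID is the only thing that gates membership, so a stray character or a pasted error message should fail loudly rather than be handed to `zerotier-members allow`.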
web01 (Hetzner):
- Instance type: ax162-r
- CPU: AMD EPYC™ 9454P
- RAM: 256 GB DDR5 ECC
- Storage: 2 x 1.92 TB NVMe
To install the system, you can run the following command:
$ clan machines install web01 --update-hardware-config nixos-facter --no-reboot
Then you can run the following script to reboot the machine and unlock the encrypted root filesystem:
$ ./machines/web01/reboot.sh
web02 (Vultr):
- Instance type: vc2-2c-4gb
- CPU: 2 Intel vCPU cores
- RAM: 4 GB
- Storage: 80 GB SSD
To deploy:
$ nix run clan-infra#terraform
$ clan machines update web02
To redeploy the server without running `terraform destroy` (which would take down the clan.lol DNS):
# Run `apply` script first to ensure `terraform init` gets run
$ nix run clan-infra#terraform
$ nix run clan-infra#terraform.terraform -- apply -replace "vultr_instance.web02"
To destroy just the server without taking down the clan.lol DNS:
# Run `apply` script first to ensure `terraform init` gets run
$ nix run clan-infra#terraform
$ nix run clan-infra#terraform.terraform -- destroy -target "vultr_instance.web02"
$ clan machines update web01
jitsi01 (Vultr):
- Instance type: vc2-2c-4gb
- CPU: 2 Intel vCPU cores
- RAM: 4 GB
- Storage: 80 GB SSD
To deploy:
$ nix run clan-infra#terraform
$ clan machines update jitsi01
To redeploy the server without running `terraform destroy` (which would take down the clan.lol DNS):
# Run `apply` script first to ensure `terraform init` gets run
$ nix run clan-infra#terraform
$ nix run clan-infra#terraform.terraform -- apply -replace "vultr_instance.jitsi01"
To destroy just the server without taking down the clan.lol DNS:
# Run `apply` script first to ensure `terraform init` gets run
$ nix run clan-infra#terraform
$ nix run clan-infra#terraform.terraform -- destroy -target "vultr_instance.jitsi01"
demo01 (Vultr):
- Instance type: vc2-2c-4gb
- CPU: 2 Intel vCPU cores
- RAM: 4 GB
- Storage: 80 GB SSD
To deploy:
$ nix run clan-infra#terraform
$ clan machines update demo01
To redeploy the server without running `terraform destroy` (which would take down the clan.lol DNS):
# Run `apply` script first to ensure `terraform init` gets run
$ nix run clan-infra#terraform
$ nix run clan-infra#terraform.terraform -- apply -replace "vultr_instance.demo01"
To destroy just the server without taking down the clan.lol DNS:
# Run `apply` script first to ensure `terraform init` gets run
$ nix run clan-infra#terraform
$ nix run clan-infra#terraform.terraform -- destroy -target "vultr_instance.demo01"
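The `apply -replace` and `destroy -target` procedures for web02, jitsi01 and demo01 all hinge on scoping: a bare `terraform destroy` would also remove the DNS records. `apply -replace` re-plans at apply time, so the plan you review and the plan that runs can differ if the state or providers have moved in between. The following is an added example, not clan-infra's own tooling, that wraps both procedures so that Terraform first writes a plan file, the operator reviews it, and `apply` is given exactly that file. The allow-list of instance addresses is taken from the three sections above; `TF` defaults to the `nix run clan-infra#terraform.terraform --` entrypoint the README uses, and the Terraform flags (`-replace`, `-target`, `-out`, `-input=false`) are standard CLI options. The block defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not clan-infra's own tooling): a wrapper for the targeted
# Terraform operations on the Vultr instances. It plans to a file and applies
# that file, so what was reviewed is what runs.
# TF is the terraform entrypoint from this README; override it for testing.
TF=${TF:-"nix run clan-infra#terraform.terraform --"}
# DRY_RUN=1 (the default here) prints the commands instead of running them.
DRY_RUN=${DRY_RUN:-1}

# Only the Vultr instances this README manages may be replaced or destroyed
# one at a time; anything else (DNS records, the Hetzner machines) is refused.
tf_target_allowed() {
  case $1 in
    vultr_instance.web02|vultr_instance.jitsi01|vultr_instance.demo01) return 0 ;;
    *) return 1 ;;
  esac
}

tf_run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s %s\n' "$TF" "$*"
  else
    # TF is intentionally word-split: it is a multi-word command line.
    $TF "$@"
  fi
}

# Replace one instance in place (the README's `apply -replace` procedure), via
# a saved plan: review the plan output, then apply that file and nothing else.
tf_replace_instance() {
  tf_target_allowed "$1" || { echo "refusing: $1 is not a replaceable instance" >&2; return 1; }
  plan="tfplan-replace-${1#vultr_instance.}"
  tf_run init -input=false &&
  tf_run plan -input=false -replace="$1" -out="$plan" &&
  tf_run apply -input=false "$plan"
}

# Destroy one instance (the README's `destroy -target` procedure) the same way.
# A plan built with -target never touches the DNS resources, which is the point.
tf_destroy_instance() {
  tf_target_allowed "$1" || { echo "refusing: $1 is not a destroyable instance" >&2; return 1; }
  plan="tfplan-destroy-${1#vultr_instance.}"
  tf_run init -input=false &&
  tf_run plan -destroy -input=false -target="$1" -out="$plan" &&
  tf_run apply -input=false "$plan"
}

# Dry run: show the command sequence for a replace without touching any state.
tf_replace_instance vultr_instance.demo01
```

Run it with `DRY_RUN=0` to execute; the plan file is written into the working directory and contains resource attributes, so delete it after the apply.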
build01:
- Instance type: rx170
- CPU: Ampere® Altra® Q80-30
- RAM: 128 GB DDR4 ECC
- Storage: 2 x 960 GB NVMe
To install the system, you can run the following command:
$ nix run clan-infra#terraform
To access this machine, you'll need to add this to your SSH config:
{
programs.ssh.extraConfig = ''
Host build01
ProxyJump tunnel@clan.lol
Hostname build01.vpn.clan.lol
'';
}
$ clan machines update build01
build-x86-01:
- Instance type: Hetzner dedicated server (AMD)
- Platform: x86_64-linux
- Max parallel jobs: 32
- Features: big-parallel, kvm, nixos-test, uid-range, recursive-nix
To install the system, you can run the following command:
$ clan machines install build-x86-01 --update-hardware-config nixos-facter --no-reboot
$ clan machines update build-x86-01
build02:
- Instance type: Apple Mac mini (2024) (Mac16,10)
- CPU: Apple M4 chip with 10-core CPU, 10-core GPU, 16-core Neural Engine
- RAM: 24 GB unified memory
- Storage: 512 GB SSD
To bootstrap the machine:
- Install Nix using the Nix installer from Determinate Systems (the empty `--diagnostic-endpoint` disables the installer's diagnostics reporting):
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
sh -s -- install --diagnostic-endpoint=""
- Enable "Screen Sharing" in System Settings > General > Sharing. You can leave both "Anyone may request permission to control screen" and "VNC viewers may control screen with password" disabled, as macOS will allow you to control the screen by connecting with your macOS username and password.
- Clone this repo into a temporary directory:
nix run nixpkgs#git -- clone https://git.clan.lol/clan/clan-infra.git temp-bootstrap
- Install nix-darwin from the temporary directory:
nix run nix-darwin -- switch --flake ./temp-bootstrap
- Log in to Tailscale:
sudo tailscale up
- Enable "Allow full disk access for remote users" and "Allow access for all users" in System Settings > General > Sharing > Remote Login
- Delete the temporary directory:
rm -rf ./temp-bootstrap
To access this machine, you'll need to add this to your SSH config:
{
programs.ssh.extraConfig = ''
Host build02
ProxyJump <clanuser>@clan.lol
Hostname build02.vpn.clan.lol
'';
}
$ clan machines update build02
To add a new user, add them to the configuration. The user can create an age key:
$ clan secrets key generate
The private key (identity in age terms) and public key (recipient in age terms) are stored in ~/.config/sops/age/keys.txt (~/Library/Application Support/sops/age/keys.txt on macOS). Only the public key leaves that machine.
Add the new user's age key:
$ clan secrets users add <user> <age-key>
Add the new user as an admin:
$ clan secrets groups add-user admins <user>
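Both the admin-user procedure at the top of this page and the shorter restatement just above end with an admin pasting a value out of someone else's keys.txt into `clan secrets users add`. That file holds the identity and the recipient side by side, so the failure mode to guard against is a private key being shared or registered by mistake. The following is an added example, not clan-infra's own tooling, that extracts only the recipient from a constructed keys.txt, checks that it has the bech32 form of an age recipient (`age1` plus 58 characters), refuses anything that looks like an identity, and then prints the two `clan secrets` commands for review. It assumes the `# public key: age1...` comment line that age-keygen writes; the sample key material is made up and is not a valid key.

```shell
#!/bin/sh
# Added example (not clan-infra's own tooling): pull the age *public* key out of
# a sops/age keys.txt and sanity-check it before an admin runs the clan commands.
# keys.txt holds both the identity (AGE-SECRET-KEY-...) and, in a comment line,
# the recipient (age1...); only the recipient line is ever shared.

# Bech32 form of an age recipient: "age1" followed by 58 charset characters.
age_public_key_valid() {
  printf '%s\n' "$1" | grep -Eq '^age1[02-9ac-hj-np-z]{58}$'
}

# Print the recipient from a keys.txt ($1). Fails without printing anything if
# no "# public key:" line is present, so a secret key is never echoed by mistake.
age_public_key_from_file() {
  key=$(sed -n 's/^# public key: \(age1[02-9ac-hj-np-z]*\)$/\1/p' "$1" | head -n 1)
  [ -n "$key" ] || return 1
  age_public_key_valid "$key" || return 1
  printf '%s\n' "$key"
}

# Print the commands the admin runs for user $1 with recipient $2, refusing any
# value that is not a recipient, in particular an identity pasted by accident.
admin_add_user_cmds() {
  user=$1; key=$2
  case $key in
    AGE-SECRET-KEY-*) echo "refusing: that is a private key, not a public key" >&2; return 1 ;;
  esac
  age_public_key_valid "$key" || { echo "refusing: malformed age public key" >&2; return 1; }
  printf 'clan secrets users add %s %s\n' "$user" "$key"
  printf 'clan secrets groups add-user admins %s\n' "$user"
}

# Constructed sample keys.txt (the key material below is made up and not valid).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/keys.txt" <<'EOF'
# created: 2024-01-01T00:00:00Z
# public key: age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce
AGE-SECRET-KEY-1QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7LQPZRY9X8GF2TVDW0S3JN54KHCE6MUA7LQPZRY
EOF

pubkey=$(age_public_key_from_file "$SAMPLE_DIR/keys.txt")
admin_add_user_cmds alice "$pubkey"
```

The format check does not verify the bech32 checksum, so a typo in the middle of a key still passes; `clan secrets users add` will reject a key that age cannot parse, and the point here is the earlier line: nothing starting with `AGE-SECRET-KEY-` gets past the admin's terminal.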
Currently DNS can't be updated separately from the machines, so you'll need to deploy the entire Terraform configuration:
$ nix run clan-infra#terraform
storinator01:
- Instance type: Storinator Q30
- CPU: Intel Xeon Silver 4216 (16C/32T)
- RAM: 128 GB DDR5 ECC
- Storage:
  - OS: 2 x 500 GB SATA SSD
  - Data: 18 HDDs in RAIDZ2 + 1 spare (200 TB)
To access this machine, you'll need to add this to your SSH config:
{
programs.ssh.extraConfig = ''
Host storinator01
ProxyJump <clan-user>@clan.lol
Hostname storinator01.vpn.clan.lol
'';
}
$ clan machines update storinator01
To add a new machine:
- Copy an existing machine
- Run `clan vars generate <machine>`
- If you aren't using Terraform to provision the server, make sure to add the Terraform deployment SSH key to your server. You can find it by running:
$ nix run clan-infra#terraform.terraform -- init
$ nix run clan-infra#terraform.terraform -- state show tls_private_key.ssh_deploy_key
Use the `public_key_openssh` attribute from that output for the server's authorized keys. The matching private key lives in the Terraform state, which is one more reason the state must be handled as a secret.
- Run `nix run clan-infra#terraform` to run the initial deploy
To enable CI for a repository:
- Add the 'buildbot-clan' topic to the repository using the "Manage topics" button below the project description
- Go to https://buildbot.clan.lol/#/builders/2 and press "Update projects" after you have logged in.