dvt-demo
A Clan-managed Dirk cluster using the dvt-lite Clan Service across four Hetzner Cloud VMs.
- alpha -- admin / dirk client
- bravo, charlie, delta -- dirk servers
Machines are reachable via <name>.dvt internally.
Secrets are age-encrypted with optional hardware token support (YubiKey).
Prerequisites
| Requirement | Notes |
|---|---|
| Nix with flakes enabled | experimental-features = nix-command flakes in nix.conf |
| Hetzner Cloud account | Sign up at the Hetzner Cloud Console |
| SSH key pair | For initial root access to the VMs |
Provisioning Hetzner VMs
All server provisioning is done through the Hetzner Cloud Console.
1. Create a project
Open the console and create a new project (e.g. dvt-demo).
2. Add your SSH key
Navigate to Security > SSH Keys and add your public key (e.g. the contents of ~/.ssh/id_ed25519.pub).
3. Create four servers
Under Servers > Add Server, create four servers with the following settings:
| Setting | Value |
|---|---|
| Name | alpha, bravo, charlie, delta (one each) |
| Location | Any (e.g. Falkenstein) |
| Image | Any Linux (e.g. Ubuntu 24.04) -- it will be overwritten during NixOS installation |
| Type | CX23 or larger |
| SSH Key | Select the key added above |
4. Note the public IPs
Once the servers are running, note the IPv4 address assigned to each from the server overview page.
5. Update clan.nix
Edit the internet block in clan.nix with the IPs from the previous step:
internet = {
  roles.default.machines = {
    alpha.settings.host = "<alpha-ip>";
    bravo.settings.host = "<bravo-ip>";
    charlie.settings.host = "<charlie-ip>";
    delta.settings.host = "<delta-ip>";
  };
};
Initial Deployment
1. Enter the dev shell
nix develop # or: direnv allow
2. SSH access
Append your public key(s) to ssh-keys.nix:
[
"ssh-ed25519 AAAA..."
]
After deploying, you can verify access with clan ssh <name> (e.g. clan ssh alpha).
3. Secret decryption (age)
Add your age public key to age-keys.nix.
[
"age1..." # vanilla age key
# or
"age1yubikey1q..." # YubiKey identity
]
To obtain the identity string:
- age: age-keygen (public key is printed to stderr; private key to the output file)
- YubiKey: age-plugin-yubikey --identity
4. Generate Secrets
Run clan vars generate to generate secrets.
5. Install on the machines
clan machines install alpha
clan machines install bravo
clan machines install charlie
clan machines install delta
This partitions disks (via disko), installs NixOS, and deploys the full configuration including dirk, SSH certificates, and secrets. Accept the prompts for generating the nixos-facter report and installing the machine.
Hardware configuration not found for 'alpha'. Generate it using nixos-facter? [Y/n]
Will generate hardware configuration using nixos-facter
Install alpha to root@123.2.3.13? [y/N] y
6. Subsequent updates
After changing configuration, deploy with:
clan machines update # all machines
clan machines update alpha bravo # specific machines
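A pre-flight check worth running before steps 4 and 5, as an added example that is not part of the dvt-demo repository: it catches unfilled host placeholders in clan.nix and, more importantly, an age private key pasted into age-keys.nix where the public key belongs. The function names are hypothetical, and the recipient test is a shape check only, not a bech32 checksum validation.

```sh
#!/bin/sh
# Added pre-flight check, not part of the dvt-demo repository.
# File names (clan.nix, age-keys.nix) are the ones this README uses.

# Fail if clan.nix still has an unfilled host placeholder such as "<alpha-ip>".
check_hosts() {
  if grep -nE 'settings\.host[[:space:]]*=[[:space:]]*"<[^"]*>"' "$1" >&2; then
    echo "error: $1 still contains placeholder host values" >&2
    return 1
  fi
}

# Fail if age-keys.nix holds private key material or entries that do not have
# the shape of an age recipient (public key).
check_age_keys() {
  # Scan the raw file: a commented-out private key is still a leaked key.
  if grep -q 'AGE-SECRET-KEY-1' "$1"; then
    echo "error: $1 contains an age private key; list the public key and rotate" >&2
    return 2
  fi
  # Strip Nix comments, then pull out every quoted string.
  ak_entries=$(sed 's/#.*//' "$1" | grep -oE '"[^"]*"' | tr -d '"')
  if [ -z "$ak_entries" ]; then
    echo "error: $1 lists no recipients" >&2
    return 3
  fi
  ak_rc=0
  for ak_entry in $ak_entries; do
    # "age1" followed by lowercase alphanumerics. Plugin recipients
    # (age1yubikey1q...) match too; the literal template "age1..." does not.
    if ! printf '%s\n' "$ak_entry" | grep -qE '^age1[0-9a-z]+$'; then
      echo "error: not an age recipient: $ak_entry" >&2
      ak_rc=4
    fi
  done
  return "$ak_rc"
}

# Run both checks from the repository root.
preflight() {
  check_hosts clan.nix && check_age_keys age-keys.nix
}
```

Source the file from the repository root and run preflight; a non-zero status means the configuration should not be deployed yet.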
Useful Commands
| Command | Description |
|---|---|
| clan machines list | List all machines in the clan |
| clan machines update | Deploy configuration to all machines |
| clan machines install <name> | Install NixOS on a machine |
| clan machines init-hardware-config <name> | Generate hardware facts |
| clan vars list | List all vars (public and secret) |
| clan vars generate | (Re-)generate vars for all machines |
| clan ssh <name> | SSH into a machine |
| clan show | Show clan meta information |