I'm surprised no one mentioned using NixOS[0] for that kind of personal server thing, which is how I discovered it myself.
Setting up unnecessary "control plane" daemons and services in an awful indent-nightmare YAML DSL feels so clunky and error-prone compared to writing a few hundred lines of Nix, which reproducibly builds your entire server image either live or on a boot medium. The result image can also be tested by launching a qemu VM with no additional code.
The language itself provides some amount of syntactic validation. Thousands of fairly up-to-date packages[1] readily available and pre-compiled (but you can also build them if you prefer). Most sysadmin tooling already comes with specific, type-safe config parameters. Just override the defaults you don't like. Let's Encrypt support for an nginx vhost is a single "enableACME = true" line!
While there are still some rough edges like secret sharing/storage, I'd encourage giving it a try before getting to the big, unnecessary guns.
[0] https://nixos.org
[1] https://search.nixos.org/packages