These nixfiles are built using nix flakes. See [here][nix-install] for nix installation instructions and the [nixos.wiki page on flakes][nix-flakes]. [colmena] is used for deployment; secret management is done using the [sops]-based [sops-nix].
The latter two (colmena and sops) are available via a `devShell` defined in the flake, which can be entered using `nix develop`. [nix-direnv] can also be used to enter that shell automatically when changing into this repository.
## Deployment
[colmena] is used for deployment:
```bash
# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b
# Deploy all hosts in test mode (activate the config but do not add it to the bootloader menu)
colmena apply test
# Deploy a specific host (activate the config and make it the default at the next boot; the `switch` goal)
colmena apply --on host-a
# A VM of the host can be built using plain nix build
```
**Note on VMs**: Since the secrets are encrypted to each server's ssh host key, the secrets setup will fail inside a VM.
## Secrets
Secrets are managed using [sops-nix], which is based on [sops]. All secrets are stored in the `secrets/` folder. The `.sops.yaml` configuration file defines (a) which users have access to which keys and (b) which servers can decrypt which keys.
A server's age private key can be derived from its ssh host key (generated during the initial installation) using [ssh-to-age]:
```bash
# Only ed25519 keys can be converted using ssh-to-age
```
When users or servers get added or removed, the secret files need to be updated using `sops updatekeys`. Since it cannot be run on all files at once, `find secrets -type f -exec sops updatekeys {} \;` may be used for convenience.
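As an added illustration of the access rules described above (an example, not this repository's own `.sops.yaml`), here is a `.sops.yaml` that scopes each host to its own secrets; the age recipients are constructed placeholders, and the host names and paths are assumptions:

```yaml
# Added example .sops.yaml (not this repository's file). Every recipient below
# is a placeholder: real entries are age public keys, produced by `age-keygen`
# for people and by `ssh-to-age` from each server's ed25519 host key.
keys:
  # people who may edit secrets
  - &admin_alice age1placeholderadminalice
  # hosts (age recipient derived from each server's ssh host key)
  - &host_a age1placeholderhosta
  - &host_b age1placeholderhostb

creation_rules:
  # Secrets only host-a needs are encrypted to the admin and host-a alone,
  # so host-b's key (or a compromised host-b) cannot decrypt them.
  - path_regex: ^secrets/host-a/.*\.yaml$
    key_groups:
      - age:
          - *admin_alice
          - *host_a
  - path_regex: ^secrets/host-b/.*\.yaml$
    key_groups:
      - age:
          - *admin_alice
          - *host_b
  # Shared secrets list every host that must read them explicitly.
  - path_regex: ^secrets/common/.*\.yaml$
    key_groups:
      - age:
          - *admin_alice
          - *host_a
          - *host_b
```

After editing these rules, the `find ... sops updatekeys` loop above re-wraps each file's data key for the new recipient set; since a removed recipient still knows the old data key, also rotate it with `sops --rotate -i <file>` when a host or user is removed.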