# chaos-jetzt nixfiles NixOS configuration for the [chaos.jetzt] project. They are very much work in progress ## (Migration) TODOs - [mumble-web](https://github.com/johni0702/mumble-web), possibly adding [mumble-web-proxy](https://github.com/johni0702/mumble-web-proxy/) on top - Both need to be packaged for Nix - [Dokuwiki](https://www.dokuwiki.org/dokuwiki) - NixOS module exists: `services.dokuwiki` - Data migration - Migrate away from SSO - [freescout-helpdesk](https://github.com/freescout-helpdesk) - @e1mo is already working on a nix package + NixOS module for their private nixfiles - Migrate away from SSO - Data migration - [Matrix synapse](https://github.com/matrix-org/synapse) + [element-web](https://github.com/vector-im/element-web) - Data migration (synapse) - Migrate away from SSO (synapse) - [maubot github](https://github.com/maubot/github) - Not packaged for nix - Ditch it? - [pretix](https://github.com/pretix/pretix) - Not aware of nix packaging - Not really used - Maybe skip it (for now) and use the instance of another space? ## Development setup These nixfiles are built using nix flakes. See [here][nix-install] for nix installation instructions and the [nixos.wiki page on flakes][nix-flakes]. [colmena] is used for deployment, secret management is done using the [sops] based [sops-nix]. The later two (colmena and sops) are available via a `devShell`, defined in the flake, which can be invoked using `nix develop`. [nix-direnv] can also be used in order to automatically create the respective shell upon entering these nixfiles. ## Deployment [colmena] is used for deployment: ```bash # Build all hosts colmena build # Build specific host(s) colmena build --on host-a,host-b # Deploy all hosts in test mode (activate config but do not add it to the bootloader menu) colmena apply test # Deploy specific host (actiavte config and use it at the next boot (switch goal)) colmena apply --on host-a # A VM of the host can be built using plain nix build nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootloader ``` **Note on VMs**: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail. ## Secrets Secrets are managed using [sops-nix] which is based on [sops]. All secrets are stored in the `secrets/` folder. The `.sops.yaml` configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys. A servers private key can be derived from it's ssh key using [ssh-to-age], generated during initial installation: ```bash # Only ed25519 keys can be converted using ssh-to-age ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age # Or from the host (using legacy nix-shell) cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age ``` When users or servers get added or removed, the secret files need to be updated using `sops updatekeys`. Since this can not be called on all files, `find secrets -type f -exec sops updatekeys {} \;` may be used for convenience. [chaos.jetzt]: https://chaos.jetzt/ [nix-flakes]: https://nixos.wiki/wiki/Flakes [nix-install]: https://nixos.org/download.html#download-nix [colmena]: https://github.com/zhaofengli/colmena [sops]: https://github.com/mozilla/sops [sops-nix]: https://github.com/Mic92/sops-nix [nix-direnv]: https://github.com/nix-community/nix-direnv [ssh-to-age]: https://github.com/Mic92/ssh-to-age