chaos-jetzt-nixfiles/README.md
Moritz 'e1mo' Fromm 383ecccbcc
dokuwiki: Fix acronym + remove TODO from README
Co-Authored-By: adb-sh <git@adb.sh>
2022-12-30 16:18:29 +01:00


# chaos-jetzt nixfiles
NixOS configuration for the [chaos.jetzt] project. It is very much a work in progress.
## (Migration) TODOs
- [mumble-web](https://github.com/johni0702/mumble-web), possibly adding [mumble-web-proxy](https://github.com/johni0702/mumble-web-proxy/) on top
  - Both need to be packaged for Nix
- [Dokuwiki](https://www.dokuwiki.org/dokuwiki)
  - Migrate away from SSO
- [freescout-helpdesk](https://github.com/freescout-helpdesk)
  - @e1mo is already working on a nix package + NixOS module for their private nixfiles
  - Migrate away from SSO
  - Data migration
- [Matrix synapse](https://github.com/matrix-org/synapse) + [element-web](https://github.com/vector-im/element-web)
  - Data migration (synapse)
  - Migrate away from SSO (synapse)
- [maubot github](https://github.com/maubot/github)
  - Not packaged for nix
  - Ditch it?
- [pretix](https://github.com/pretix/pretix)
  - Not aware of nix packaging
  - Not really used
  - Maybe skip it (for now) and use the instance of another space?
## Development setup
These nixfiles are built using nix flakes. See [here][nix-install] for nix installation instructions and the [nixos.wiki page on flakes][nix-flakes]. [colmena] is used for deployment; secret management is done using the [sops] based [sops-nix].
The latter two (colmena and sops) are available via a `devShell` defined in the flake, which can be entered using `nix develop`. [nix-direnv] can also be used to enter that shell automatically when changing into this repository.
## Deployment
[colmena] is used for deployment:
```bash
# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b
# Deploy all hosts in test mode (activate config but do not add it to the bootloader menu)
colmena apply test
# Deploy specific host (activate config and use it at the next boot (switch goal))
colmena apply --on host-a
# A VM of the host can be built using plain nix build
nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootloader
```
**Note on VMs**: Since the secrets are encrypted to each server's SSH host key, and a VM built this way does not carry that key, the secrets setup will fail inside the VM.
## Secrets
Secrets are managed using [sops-nix], which is based on [sops]. All secrets are stored in the `secrets/` folder. The `.sops.yaml` configuration file defines (a) which users have access to which keys and (b) which servers can decrypt which secrets.
A server's age key (public and private) can be derived from its SSH host key, which is generated during the initial installation, using [ssh-to-age]:
```bash
# Only ed25519 keys can be converted using ssh-to-age
ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
# Or from the host (using legacy nix-shell)
cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age
```
When users or servers get added or removed, the secret files need to be re-encrypted using `sops updatekeys`. Since this cannot be run on a whole directory at once, `find secrets -type f -exec sops updatekeys {} \;` may be used for convenience.
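As an added illustration of the access model described above (this is an example, not the project's actual `.sops.yaml`), the following shows how user keys and per-host age keys derived with `ssh-to-age` are listed as anchors and then bound to secret files via `creation_rules`, so that a host can only decrypt the files it actually needs. All age keys below are placeholders, and the host names and paths are assumed for the example.

```yaml
# Example .sops.yaml (constructed; not the project's real file).
# The age public keys are placeholders: replace each "age1..." with the
# real recipient key (users: from their age keypair; hosts: the output of
# `ssh-keyscan -t ed25519 <host> | ssh-to-age`).
keys:
  # People who may edit secrets
  - &admin_alice age1PLACEHOLDERADMINALICE00000000000000000000000000000000000
  # Per-host keys, one per server, derived from the host's ed25519 SSH key
  - &host_shirley age1PLACEHOLDERHOSTSHIRLEY0000000000000000000000000000000000
  - &host_a age1PLACEHOLDERHOSTA00000000000000000000000000000000000000000

creation_rules:
  # Secrets only shirley needs: admins plus shirley's host key can decrypt.
  - path_regex: ^secrets/shirley/.*\.ya?ml$
    key_groups:
      - age:
          - *admin_alice
          - *host_shirley
  # Secrets only host-a needs.
  - path_regex: ^secrets/host-a/.*\.ya?ml$
    key_groups:
      - age:
          - *admin_alice
          - *host_a
  # Shared secrets every host needs (kept to a minimum, since every listed
  # host key can decrypt this whole file).
  - path_regex: ^secrets/common\.ya?ml$
    key_groups:
      - age:
          - *admin_alice
          - *host_shirley
          - *host_a
```

With this layout, adding a server means appending its `ssh-to-age` output as a new anchor, referencing it in the rules for the files that server needs, and then running `sops updatekeys` over the affected files (or the `find` loop above) so the existing files are re-encrypted to the new recipient set; removing a user or host is the same edit in reverse, followed by the same re-encryption.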
[chaos.jetzt]: https://chaos.jetzt/
[nix-flakes]: https://nixos.wiki/wiki/Flakes
[nix-install]: https://nixos.org/download.html#download-nix
[colmena]: https://github.com/zhaofengli/colmena
[sops]: https://github.com/mozilla/sops
[sops-nix]: https://github.com/Mic92/sops-nix
[nix-direnv]: https://github.com/nix-community/nix-direnv
[ssh-to-age]: https://github.com/Mic92/ssh-to-age