No description
Find a file
Moritz 'e1mo' Fromm 840eff4f97
flake update
2023-02-10 15:28:34 +01:00
common Pass flake inputs and outputs in more generic way 2023-01-06 15:51:20 +01:00
hosts dokuwiki: Initial service setup 2022-12-30 14:57:33 +01:00
packages Update website-pelican to current version 2023-01-05 20:17:55 +01:00
secrets Add adb and admin htpasswd user 2023-01-06 15:51:22 +01:00
services Update dokuwiki service config 2023-01-10 10:57:34 +01:00
.envrc Initial commit 2022-11-27 23:11:34 +01:00
.gitattributes dokuwiki: Initial service setup 2022-12-30 14:57:33 +01:00
.gitignore dokuwiki: Initial service setup 2022-12-30 14:57:33 +01:00
.sops.yaml Add adb as admin as per Plenumsbeschluss (23.12.) 2022-12-23 20:19:02 +01:00
flake.lock flake update 2023-02-10 15:28:34 +01:00
flake.nix Pass flake inputs and outputs in more generic way 2023-01-06 15:51:20 +01:00
README.md Remove pretix from TODO 2023-01-10 09:59:56 +01:00

chaos-jetzt nixfiles

NixOS configuration for the chaos.jetzt project. They are very much work in progress

(Migration) TODOs

Development setup

These nixfiles are built using nix flakes. See here for nix installation instructions and the nixos.wiki page on flakes. colmena is used for deployment, secret management is done using the sops based sops-nix. The later two (colmena and sops) are available via a devShell, defined in the flake, which can be invoked using nix develop. nix-direnv can also be used in order to automatically create the respective shell upon entering these nixfiles.

Deployment

colmena is used for deployment:

# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b

# Deploy all hosts in test mode (activate config but do not add it to the bootloader menu)
colmena apply test

# Deploy specific host (actiavte config and use it at the next boot (switch goal))
colmena apply --on host-a

# A VM of the host can be built using plain nix build

nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootloader

Note on VMs: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail.

Secrets

Secrets are managed using sops-nix which is based on sops. All secrets are stored in the secrets/ folder. The .sops.yaml configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys.

A servers private key can be derived from it's ssh key using ssh-to-age, generated during initial installation:

# Only ed25519 keys can be converted using ssh-to-age
ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
# Or from the host (using legacy nix-shell)
cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age

When users or servers get added or removed, the secret files need to be updated using sops updatekeys. Since this can not be called on all files, find secrets -type f -exec sops updatekeys {} \; may be used for convenience.