No description
Find a file
2023-08-13 21:00:27 +02:00
.github Fix diff script when running on main 2023-08-12 11:41:00 +02:00
common Add cj.deployment module 2023-08-04 16:39:10 +02:00
hosts hedgedoc: Init 2023-08-13 21:00:26 +02:00
modules Add cj.deployment module 2023-08-04 16:39:10 +02:00
packages Update dokuwiki plugins 2023-07-22 17:47:42 +02:00
secrets hedgedoc: Init 2023-08-13 21:00:26 +02:00
services hedgedoc: Disable SSO and login for now 2023-08-13 21:00:27 +02:00
.envrc Initial commit 2022-11-27 23:11:34 +01:00
.gitattributes dokuwiki: Initial service setup 2022-12-30 14:57:33 +01:00
.gitignore dokuwiki: Initial service setup 2022-12-30 14:57:33 +01:00
.sops.yaml hosts/hamilton: init 2023-08-12 11:48:39 +02:00
CODEOWNERS Add CODEOWNERS 2023-02-15 12:55:50 +01:00
flake.lock Nix flake update 2023-07-22 17:47:34 +02:00
flake.nix hosts/hamilton: init 2023-08-12 11:48:39 +02:00
README.md Dokuwiki has been migrated 2023-08-04 16:39:12 +02:00

chaos-jetzt nixfiles

NixOS configuration for the chaos.jetzt project. They are very much work in progress

(Migration) TODOs

Development setup

These nixfiles are built using nix flakes. See here for nix installation instructions and the nixos.wiki page on flakes. colmena is used for deployment, secret management is done using the sops based sops-nix. The later two (colmena and sops) are available via a devShell, defined in the flake, which can be invoked using nix develop. nix-direnv can also be used in order to automatically create the respective shell upon entering these nixfiles.

Deployment

colmena is used for deployment:

# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b

# Deploy all dev hosts in test mode (activate config but do not add it to the bootloader menu)
colmena apply --on @dev test

# Deploy specific host (actiavte config and use it at the next boot (switch goal))
colmena apply --on host-a

# A VM of the host can be built using plain nix build
nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootLoader

Note on VMs: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail.

Secrets

Secrets are managed using sops-nix which is based on sops. All secrets are stored in the secrets/ folder. The .sops.yaml configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys.

A servers private key can be derived from it's ssh key using ssh-to-age, generated during initial installation:

# Only ed25519 keys can be converted using ssh-to-age
ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
# Or from the host (using legacy nix-shell)
cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age

When users or servers get added or removed, the secret files need to be updated using sops updatekeys. Since this can not be called on all files, find secrets -type f -exec sops updatekeys {} \; may be used for convenience.