Moritz 'e1mo' Fromm e58bfa3c35
Merge pull request #25 from chaos-jetzt/gha-diff-new-hosts
Rework host diffing

Now it'll detect whether there are changes to a host's closure at all, lists
build failures as such and is able to handle newly added or removed hosts.

https://github.com/chaos-jetzt/chaos-jetzt-nixfiles/actions/runs/5770703946
shows the intended behavior when hosts are added, removed, builds fail or
changes are made.
2023-08-11 20:36:19 +02:00
Path            Last commit                                  Date
.github         Add error handling to ci build job           2023-08-05 14:37:05 +02:00
common          Add cj.deployment module                     2023-08-04 16:39:10 +02:00
hosts           Remove deprecated grub version definition    2023-08-04 16:39:11 +02:00
modules         Add cj.deployment module                     2023-08-04 16:39:10 +02:00
packages        Update dokuwiki plugins                      2023-07-22 17:47:42 +02:00
secrets         Use full key fingerprint for e1mo in sops    2023-07-23 16:02:25 +02:00
services        services/monitoring: Drop unneeded helpers   2023-08-04 16:39:11 +02:00
.envrc          Initial commit                               2022-11-27 23:11:34 +01:00
.gitattributes  dokuwiki: Initial service setup              2022-12-30 14:57:33 +01:00
.gitignore      dokuwiki: Initial service setup              2022-12-30 14:57:33 +01:00
.sops.yaml      Use full key fingerprint for e1mo in sops    2023-07-23 16:02:25 +02:00
CODEOWNERS      Add CODEOWNERS                               2023-02-15 12:55:50 +01:00
flake.lock      Nix flake update                             2023-07-22 17:47:34 +02:00
flake.nix       Add cj.deployment module                     2023-08-04 16:39:10 +02:00
README.md       Dokuwiki has been migrated                   2023-08-04 16:39:12 +02:00

chaos-jetzt nixfiles

NixOS configuration for the chaos.jetzt project. It is very much a work in progress.

(Migration) TODOs

Development setup

These nixfiles are built using nix flakes. See here for nix installation instructions and the nixos.wiki page on flakes. colmena is used for deployment; secret management is done using the sops-based sops-nix. The latter two (colmena and sops) are available via a devShell defined in the flake, which can be entered using nix develop. nix-direnv can also be used to enter that shell automatically upon entering the directory of these nixfiles.

Deployment

colmena is used for deployment:

# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b

# Deploy all dev hosts in test mode (activate config but do not add it to the bootloader menu)
colmena apply --on @dev test

# Deploy specific host (activate config and use it at the next boot (switch goal))
colmena apply --on host-a

# A VM of the host can be built using plain nix build
nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootLoader

Note on VMs: since the secrets are encrypted for each server's SSH host key, which the VM does not have, the secrets setup will fail.

Secrets

Secrets are managed using sops-nix, which is based on sops. All secrets are stored in the secrets/ folder. The .sops.yaml configuration file records (a) which people have access to the keys and (b) which servers can decrypt which keys.

A server's age key (the recipient listed for it in .sops.yaml) can be derived from its SSH host key, which is generated during initial installation, using ssh-to-age:

# Only ed25519 keys can be converted using ssh-to-age
ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
# Or from the host (using legacy nix-shell)
cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age

When users or servers are added or removed, the secret files need to be re-encrypted for the new set of recipients using sops updatekeys. Since it cannot be run on all files at once, find secrets -type f -exec sops updatekeys {} \; may be used for convenience.
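As an added example that is not part of these nixfiles, the following Python check models the failure mode described above: .sops.yaml was changed (one server removed, another added) but sops updatekeys was not run, so a secret file still lists a decommissioned host as an age recipient and lacks the new one. It assumes JSON-formatted secrets carrying the usual sops metadata block; the rule file, recipients and file names are constructed placeholders.

```python
import json
import re

# Constructed stand-in for .sops.yaml, written as JSON (valid YAML). Recipients are
# placeholders, not real age keys; only key_groups-style rules are modelled.
SOPS_RULES = json.loads("""
{"creation_rules": [
  {"path_regex": "secrets/host-a/.*",
   "key_groups": [{"age": ["age1ADMIN-PLACEHOLDER", "age1HOST-A-PLACEHOLDER"]}]},
  {"path_regex": "secrets/common/.*",
   "key_groups": [{"age": ["age1ADMIN-PLACEHOLDER", "age1HOST-A-PLACEHOLDER",
                           "age1HOST-B-PLACEHOLDER"]}]}
]}
""")

# Constructed "sops" metadata as embedded in encrypted JSON secret files. host-old was
# removed and host-b added in .sops.yaml, but updatekeys was not run on the common secret.
SECRET_FILES = {
    "secrets/host-a/wireguard.json": {"sops": {"age": [
        {"recipient": "age1ADMIN-PLACEHOLDER", "enc": "<age ciphertext>"},
        {"recipient": "age1HOST-A-PLACEHOLDER", "enc": "<age ciphertext>"}]}},
    "secrets/common/monitoring.json": {"sops": {"age": [
        {"recipient": "age1ADMIN-PLACEHOLDER", "enc": "<age ciphertext>"},
        {"recipient": "age1HOST-A-PLACEHOLDER", "enc": "<age ciphertext>"},
        {"recipient": "age1HOST-OLD-PLACEHOLDER", "enc": "<age ciphertext>"}]}},
}

def expected_recipients(rules, path):
    """Recipients of the first creation rule whose path_regex matches (sops uses the first match)."""
    for rule in rules["creation_rules"]:
        if re.search(rule.get("path_regex", ""), path):
            return {r for group in rule["key_groups"] for r in group.get("age", [])}
    return None

def audit(rules, files):
    """Per file: stale recipients (can decrypt but should not) and missing ones (should but cannot)."""
    report = {}
    for path, doc in files.items():
        expected = expected_recipients(rules, path)
        if expected is None:  # no rule matches this path: sops would refuse to encrypt it, flag it
            report[path] = None
            continue
        actual = {entry["recipient"] for entry in doc["sops"].get("age", [])}
        report[path] = {"stale": actual - expected, "missing": expected - actual}
    return report

def needs_updatekeys(report):
    """Paths whose recipient set is out of sync and must be passed to `sops updatekeys`."""
    return sorted(p for p, r in report.items() if r is None or r["stale"] or r["missing"])
```

A stale recipient is the security-relevant finding: until updatekeys runs, the removed host's key can still decrypt that secret.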