2024-06-08 19:57:40 +02:00
# nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` available, use the following command:
```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```
After that you can simply run the following to deploy e.g. the git and matrix hosts:
```
infra-rebuild switch git matrix
```
By default, infra-rebuild uses the FQDN from the host's nixosConfiguration as the deployment target.
To override individual parts of the deployment target (user, hostname), a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and to set custom target hostnames for the Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the host's SSH host public key to an age public key.
This can be done by connecting to the host and running the following (the public key can also be fetched from outside with `ssh-keyscan`; either way, check the fingerprint against one you already trust before encrypting secrets to it):
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the host's config directory.
It should have all admin keys and the host's age key. \
You can use the existing creation rules as a reference.
4. Create a file containing the relevant secrets in the host's config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: keep the secrets as top-level keys in `secrets.yaml`; nested keys were not found to work with sops-nix in this setup.
5. Add the following entry to the modules of the host's `nixosConfiguration`:
```nix
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the host's config directory containing the following content to include the `secrets.yaml`:
```nix
{ ... }:
{
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
}
```
7. Make sure the `sops.nix` gets imported, for example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```nix
sops.secrets."forgejo_git_smtp_password" = {
  mode = "0440";
  owner = "forgejo";
  group = "forgejo";
  restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
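Putting steps 6 to 8 together, here is a complete `sops.nix` for one host. This is an added example, not a file from this repository. It assumes `.sops.yaml` already contains the anchor `host_age_hostname` (the age key from step 1) and a creation rule whose `path_regex` matches `config/hosts/hostname/` with an `age` key group listing the admin anchors and `*host_age_hostname` (steps 2 and 3), and it assumes a `services.forgejo.mailerPasswordFile` option for the consuming service purely for illustration.

```nix
# config/hosts/hostname/sops.nix (added example, not part of the repository)
{ config, ... }:
{
  sops = {
    # All secrets for this host live in the host's secrets.yaml. The creation
    # rule in .sops.yaml encrypts that file to the admin keys and to
    # host_age_hostname, the age key derived from the SSH host key in step 1.
    defaultSopsFile = ./secrets.yaml;

    # Decrypt at activation time with the age identity derived from the SSH
    # host key, so the host needs no separate age key file. sops-nix does the
    # ssh-to-age conversion itself.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      # Top-level key "forgejo_git_smtp_password" in secrets.yaml.
      # Readable only by the forgejo user and group; forgejo.service is
      # restarted when the decrypted content changes on a deployment.
      "forgejo_git_smtp_password" = {
        mode = "0440";
        owner = "forgejo";
        group = "forgejo";
        restartUnits = [ "forgejo.service" ];
      };
    };
  };

  # Hand the service the path of the decrypted file
  # (/run/secrets/forgejo_git_smtp_password), never the secret value itself:
  # a value would be copied into the world-readable Nix store.
  # services.forgejo.mailerPasswordFile is assumed here for illustration.
  services.forgejo.mailerPasswordFile =
    config.sops.secrets."forgejo_git_smtp_password".path;
}
```

The important property is the last assignment: only the `.path` of the secret is referenced from the service configuration, so `sops` keeps the plaintext out of the store and out of the repository, while the ownership and mode in `sops.secrets` restrict it to the service user on the host.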
## Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE template for the thinkcccore hosts:
```shell
nix build .#proxmox-nixos-template
```
Build a new NixOS Proxmox VE template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).