Compare commits
2 commits
579b63fe89
...
bc98327cda
Author | SHA1 | Date
---|---|---
June | bc98327cda |
June | 06e52eed74 |
43
README.md
@ -18,3 +18,46 @@ infra-rebuild switch git matrix
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key. \
You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the hosts `nixosConfiguration`:
```
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
```
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
```
7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
```
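Review bot: step 3 of the new section hedges on the one thing the reader must get right, the key set of the creation rule ("It should probably have all admin keys and the hosts age key"); a setup guide should state the required set plainly (the host's age key from step 1 plus every admin key that must be able to edit the file), because a rule that omits the host key produces a secrets.yaml the host cannot decrypt at activation, and one that omits an admin key locks that admin out of future edits. The same hedging appears in the step 4 note ("Nested keys don't seem to be compatible with sops-nix"); either confirm it and state it as a fact, or link the upstream issue so readers can check whether it still applies. Smaller points: "hosts" should be "host's" throughout the section, and step 2 could say that the anchor goes under `keys:` in `.sops.yaml`, since the step 3 rule refers back to it.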
@ -13,6 +13,7 @@
git
curl
rsync
ssh-to-age
usbutils
nix-tree
# For kitty terminfo.
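Review bot: the added `ssh-to-age` entry should carry a comment in the style the list already uses ("# For kitty terminfo."), for example "# For converting the SSH host key to an age key, see README." so that the next reader knows why a conversion tool is part of the base package set. The README step that uses it runs only once when a host is onboarded, so if this list is shared by all hosts it is worth asking whether the package needs to ship on every machine or whether a one-off `nix shell nixpkgs#ssh-to-age` on the host at setup time would do; if keeping it installed is intentional, the comment is the place to say so.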