CCCHH/nix-infra
CCCHH/nix-infra
59
2
Fork 2
Code Issues Pull requests 3 Projects Wiki Activity

Compare commits

base: CCCHH:579b63fe8999418852a6d87b5e7926fe3c187903
Branches Tags
CCCHH:main
CCCHH:simple-clean-up
CCCHH:howto-build-proxmox-ve-template
CCCHH:yate
CCCHH:ptouch-print-server
CCCHH:Bendodroid-ldflagsSpaceapid
...
compare: CCCHH:bc98327cda900346961236b050243abe7c39af33
Branches Tags
CCCHH:simple-clean-up
CCCHH:main
CCCHH:howto-build-proxmox-ve-template
CCCHH:yate
CCCHH:ptouch-print-server
CCCHH:Bendodroid-ldflagsSpaceapid

2 commits
579b63fe89 ... bc98327cda

Author SHA1 Message Date
June bc98327cda
Add ssh-to-age to the admin tooling 2024-06-09 21:10:19 +02:00
June 06e52eed74
Document how to use sops and sops-nix 2024-06-09 21:10:19 +02:00
2 changed files with 44 additions and 0 deletions
Show stats Expand all files Collapse all files

43
README.md
View file

@ -18,3 +18,46 @@ infra-rebuild switch git matrix
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used. However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration. This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key. \
You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the hosts `nixosConfiguration`:
```
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
```
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
```
7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
```

1
config/common/admin-environment.nix
View file

@ -13,6 +13,7 @@
git git
curl curl
rsync rsync
ssh-to-age
usbutils usbutils
nix-tree nix-tree
# For kitty terminfo. # For kitty terminfo.