# nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` going, use the following command:

```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```

After that you can simply run the following to deploy e.g. the git and matrix hosts:

```
infra-rebuild switch git matrix
```

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However, to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used. This is exactly what we're doing to set the default deployment user to `colmena-deploy` and to have custom target hostnames for the Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

## Setting up secrets with sops-nix for a host

1. Convert the host's SSH host public key to an age public key. This can be done by connecting to the host and running:
   ```
   cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   ```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in `keys`. It should be named something like `host_age_hostname`.
3. Add a new creation rule for the host's config directory. It should probably have all admin keys and the host's age key. \
   You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the host's config directory. This can be accomplished with a command similar to this:
   ```
   sops config/hosts/hostname/secrets.yaml
   ```
   Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the host's `nixosConfiguration`:
   ```nix
   sops-nix.nixosModules.sops
   ```
6. Create a `sops.nix` in the host's config directory containing the following content to include the `secrets.yaml`:
   ```nix
   { ... }:
   {
     sops = {
       defaultSopsFile = ./secrets.yaml;
     };
   }
   ```
7.
   Make sure the `sops.nix` gets imported, for example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
   ```nix
   sops.secrets."forgejo_git_smtp_password" = {
     mode = "0440";
     owner = "forgejo";
     group = "forgejo";
     restartUnits = [ "forgejo.service" ];
   };
   ```
   This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.

## License

This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
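As an added example (not this repository's own `.sops.yaml`), this is what the YAML anchors and the per-host creation rule from steps 2 and 3 of the sops-nix section above look like together; every age key below is a placeholder, and `hostname`, `admin_alice` and `admin_bob` are assumed names.

```yaml
# Added example .sops.yaml (not the repository's own file). All age keys below are
# placeholders; replace them with the real admin keys and the ssh-to-age output.
keys:
  # Admin keys: one anchor per person, so creation rules can reference them by name.
  - &admin_alice age1PLACEHOLDER_ADMIN_ALICE
  - &admin_bob age1PLACEHOLDER_ADMIN_BOB
  # Host key: the age public key derived from the host's ed25519 SSH host key
  # (step 1 above), named host_age_<hostname> as the procedure suggests.
  - &host_age_hostname age1PLACEHOLDER_HOST_AGE_HOSTNAME

creation_rules:
  # Step 3: every YAML file in this host's config directory is encrypted to all
  # admin keys plus this host's own key only. The host can decrypt its secrets at
  # boot from its SSH host key, while other hosts cannot read them.
  - path_regex: config/hosts/hostname/.*\.yaml$
    key_groups:
      - age:
          - *admin_alice
          - *admin_bob
          - *host_age_hostname
```

After changing a rule or adding a key, run `sops updatekeys config/hosts/hostname/secrets.yaml` so already-encrypted files are re-encrypted to the new key set.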