# nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` going, use the following command:

```shell
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```

After that you can simply run the following to deploy e.g. the git and matrix hosts:

```shell
infra-rebuild switch git matrix
```

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

## Setting up secrets with sops-nix for a host

1. Convert the host's SSH host public key to an age public key.
   This can be done by connecting to the host and running:
   ```shell
   cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
   ```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor under `keys`.
   It should be named something like `host_age_hostname` (with `hostname` replaced by the host's name).
3. Add a new creation rule for the host's config directory.
   It should probably have all admin keys and the host's age key. \
   You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the host's config directory.
   This can be accomplished with a command similar to this:
   ```shell
   sops config/hosts/hostname/secrets.yaml
   ```
   Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the host's `nixosConfiguration`:
   ```nix
   sops-nix.nixosModules.sops
   ```
6. Create a `sops.nix` in the host's config directory containing the following content to include the `secrets.yaml`:
   ```nix
   { ... }:

   {
     sops = {
       defaultSopsFile = ./secrets.yaml;
     };
   }
   ```
7. Make sure the `sops.nix` gets imported, for example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
   ```nix
   sops.secrets."forgejo_git_smtp_password" = {
     mode = "0440";
     owner = "forgejo";
     group = "forgejo";
     restartUnits = [ "forgejo.service" ];
   };
   ```
   This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
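
As an added example that is not part of this repository, the following `sops.nix` combines steps 6 and 8 into one file for a hypothetical host. The second secret, the `backup.service` unit it restarts, and the Forgejo mailer wiring via the NixOS `services.forgejo` module are assumptions; the `forgejo_git_smtp_password` secret is the one from step 8.

```nix
# Added example, not the repository's own sops.nix.
# Host-specific names (second secret, backup.service, Forgejo wiring) are assumptions.
{ config, ... }:

{
  sops = {
    # Every secret below is read from this host's secrets.yaml (step 4) unless
    # it sets its own `sopsFile`. Keys in that file must be top-level: nested
    # keys are not compatible with sops-nix.
    defaultSopsFile = ./secrets.yaml;

    # sops-nix decrypts with the host's SSH host key, i.e. the key whose age
    # form was added to .sops.yaml in steps 1 and 2. This is already the
    # sops-nix default; it is spelled out here to make the trust root visible.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      # Decrypted to /run/secrets/forgejo_git_smtp_password, readable only by
      # the forgejo user/group; forgejo.service is restarted when it changes.
      "forgejo_git_smtp_password" = {
        mode = "0440";
        owner = "forgejo";
        group = "forgejo";
        restartUnits = [ "forgejo.service" ];
      };

      # Assumed second secret. Without mode/owner/group the sops-nix defaults
      # apply: mode 0400, owned by root:root, which is the most restrictive
      # choice and the right one for anything only root-run units read.
      "backup_repository_passphrase" = {
        restartUnits = [ "backup.service" ];
      };
    };
  };

  # Consume the secret by path rather than by value, so the password never
  # ends up in the world-readable Nix store. Assumes Forgejo is configured
  # through the NixOS services.forgejo module.
  services.forgejo.secrets.mailer.PASSWD =
    config.sops.secrets."forgejo_git_smtp_password".path;
}
```

Referencing `config.sops.secrets.<name>.path` instead of hard-coding `/run/secrets/<name>` keeps the consumer correct if a secret ever sets a custom `path`, and it makes the module evaluation fail early if the secret name is misspelled.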

## Build NixOS Proxmox VE Template

Build a new NixOS Proxmox VE Template for the thinkcccore's:
```shell
nix build .#proxmox-nixos-template
```
Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```

## License

This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).  
[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.