Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D' (2025-04-28) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15) → 'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21) |
||
---|---|---|
config | ||
modules/services/audio | ||
.editorconfig | ||
.gitignore | ||
.sops.yaml | ||
deployment_configuration.json | ||
flake.lock | ||
flake.nix | ||
LICENSE | ||
README.md |
nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild
going, use the following command:
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
After that you can simply run the following to deploy e.g. the git and matrix hosts:
infra-rebuild switch git matrix
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a deployment_configuration.json
can be used.
This is exactly what we're doing to set the default deployment user to colmena-deploy
and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
Setting up secrets with sops-nix for a host
- Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- Add the resulting age public key to the
.sops.yaml
as a YAML anchor in keys. It should be named something like:host_age_hostname
- Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key.
You can use existing creation rules as a reference. - Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
Note: Nested keys don't seem to be compatible with sops-nix.sops config/hosts/hostname/secrets.yaml
- Add the following entry to the modules of the hosts
nixosConfiguration
:sops-nix.nixosModules.sops
- Create a
sops.nix
in the hosts config directory containing the following content to include thesecrets.yaml
:{ ... }: { sops = { defaultSopsFile = ./secrets.yaml; }; }
- Make sure the
sops.nix
gets imported. For example in thedefault.nix
. - To use a secret stored under e.g.
forgejo_git_smtp_password
, you can then do something like the following:
This secret would then be available undersops.secrets."forgejo_git_smtp_password" = { mode = "0440"; owner = "forgejo"; group = "forgejo"; restartUnits = [ "forgejo.service" ]; };
/run/secrets/forgejo_git_smtp_password
on the host.
Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE Template for the thinkcccore's:
nix build .#proxmox-nixos-template
Build a new NixOS Proxmox VE Template for the chaosknoten:
nix build .#proxmox-chaosknoten-nixos-template
License
This CCCHH nix-infra repository is licensed under the MIT License.
0001_oidc_group_and_role_mapping_custom_pipeline.patch
is licensed under the Creative Commons: CC BY-SA 4.0 license.