Repository containing our nix infrastructure configuration. It simply provides nixosConfigurations for each host and can be easily deployed using tools like infra-rebuild, bij or even nixos-rebuild.

infrastructure nix nixos

Find a file

christian 4aa9b3d6a1 fix typo		2024-06-22 15:56:13 +02:00
config	Bump element-web to 1.11.68	2024-06-09 22:51:42 +02:00
modules/services/audio	Make MPD be put into pause mode instead of start. playback after startup	2024-05-23 22:25:32 +02:00
.gitignore	Initial commit. Add configuration for NixOS Proxmox image	2023-09-11 23:20:34 +02:00
.sops.yaml	Switch the public-web-static hosts secret mngmt from colmena to sops-nix	2024-05-26 03:49:43 +02:00
deployment_configuration.json	Add deployment_configuration to make deployment using infra-rebuild work	2024-06-08 19:57:40 +02:00
flake.lock	Introduce sops and sops-nix for secret management	2024-05-25 16:47:34 +02:00
flake.nix	Configure basic yate host	2024-06-08 20:18:59 +02:00
README.md	fix typo	2024-06-22 15:56:13 +02:00

README.md

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
You can use existing creation rules as a reference.
Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
Add the following entry to the modules of the hosts nixosConfiguration:
```
sops-nix.nixosModules.sops
```
Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml:
```
{ ... }:

{
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
}
```
Make sure the sops.nix gets imported. For example in the default.nix.
To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following:
```
sops.secrets."forgejo_git_smtp_password" = {
  mode = "0440";
  owner = "forgejo";
  group = "forgejo";
  restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.

Build NixOS Proxmox VE Template

Build a new NixOS Proxmox VE Template for the thinkcccore's

nix build .#proxmox-nixos-template

Build a new NixOS Proxmox VE Template for the chaosknoten

nix build .#proxmox-chaosknoten-nixos-template