Flake lock file updates:
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/3bcc93c5f7a4b30335d31f21e2f1281cba68c318?narHash=sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI%3D' (2025-10-04)
→ 'github:nixos/nixpkgs/c8aa8cc00a5cb57fada0851a038d35c08a36a2bb?narHash=sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE%3D' (2025-10-22)
• Updated input 'nixpkgs-unstable':
'github:nixos/nixpkgs/cb82756ecc37fa623f8cf3e88854f9bf7f64af93?narHash=sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg%3D' (2025-10-20)
→ 'github:nixos/nixpkgs/02f2cb8e0feb4596d20cc52fda73ccee960e3538?narHash=sha256-tH3wHnOJms%2BU4k/rK2Nn1RfBrhffX92jLP/2VndSn0w%3D' (2025-10-24)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/6e5a38e08a2c31ae687504196a230ae00ea95133?narHash=sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk%3D' (2025-10-05)
→ 'github:Mic92/sops-nix/5a7d18b5c55642df5c432aadb757140edfeb70b3?narHash=sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY%3D' (2025-10-20)
# nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

```sh
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```

After that you can simply run the following to deploy e.g. the git and matrix hosts:

```sh
infra-rebuild switch git matrix
```

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However, to override individual parts of the deployment target, a `deployment_configuration.json` can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and to have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host

- Convert the host's SSH host public key to an age public key.
  This can be done by connecting to the host and running:
  `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age`
- Add the resulting age public key to the `.sops.yaml` as a YAML anchor in `keys`. It should be named something like: `host_age_hostname`
- Add a new creation rule for the host's config directory.
  It should probably have all admin keys and the host's age key.
  You can use existing creation rules as a reference.
- Create a file containing the relevant secrets in the host's config directory.
  This can be accomplished with a command similar to this:
  `sops config/hosts/hostname/secrets.yaml`
  Note: Nested keys don't seem to be compatible with sops-nix.
- Add the following entry to the modules of the host's nixosConfiguration: `sops-nix.nixosModules.sops`
- Create a `sops.nix` in the host's config directory containing the following content to include the `secrets.yaml`:
  ```nix
  { ... }:
  {
    sops = {
      defaultSopsFile = ./secrets.yaml;
    };
  }
  ```
- Make sure the `sops.nix` gets imported. For example in the `default.nix`.
- To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
  ```nix
  sops.secrets."forgejo_git_smtp_password" = {
    mode = "0440";
    owner = "forgejo";
    group = "forgejo";
    restartUnits = [ "forgejo.service" ];
  };
  ```
  This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
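The host-onboarding steps above, collected into one POSIX shell script as an added example; it is not part of the nix-infra repository, sops-nix or infra-rebuild. It assumes `ssh-to-age` and `sops` are on the local PATH (the host key is fetched over SSH and converted locally instead of on the host), that the host is reachable as root under the name given, the `host_age_<hostname>` anchor convention from the list above, and that the admin anchor names already present in `.sops.yaml` are passed as the remaining arguments. The printed `.sops.yaml` fragment is meant to be merged into the existing file by hand; `is_age_pubkey` sanity-checks the converted key before anything is written, so a stray SSH banner or an error message from `ssh-to-age` never ends up as a recipient.

```shell
#!/bin/sh
# Added example for the sops-nix onboarding procedure (not the repo's own tooling).
# Assumptions: ssh-to-age and sops on PATH, root SSH access to the host,
# anchors named host_age_<hostname>, admin anchors passed as arguments.

# Return 0 if $1 looks like an age X25519 recipient: "age1" followed by
# 58 bech32 characters (the charset excludes 1, b, i and o), 62 chars in total.
is_age_pubkey() {
  case "$1" in age1*) ;; *) return 1 ;; esac
  [ "${#1}" -eq 62 ] || return 1
  case "${1#age1}" in *[!023456789acdefghjklmnpqrstuvwxyz]*) return 1 ;; esac
  return 0
}

# Print the .sops.yaml additions for one host: the anchored key entry under
# `keys` and a creation rule for config/hosts/<host>/ whose age key group
# contains every admin anchor given plus the host's own key.
# Usage: render_sops_rule <host> <age-pubkey> <admin-anchor>...
render_sops_rule() {
  host="$1"; key="$2"; shift 2
  printf 'keys:\n  - &host_age_%s %s\n' "$host" "$key"
  printf 'creation_rules:\n  - path_regex: config/hosts/%s/.*\n' "$host"
  printf '    key_groups:\n      - age:\n'
  for admin in "$@"; do
    printf '          - *%s\n' "$admin"
  done
  printf '          - *host_age_%s\n' "$host"
}

# Full onboarding: fetch and convert the host key, validate it, print the
# .sops.yaml fragment to merge, then open the new secrets file in sops.
# Usage: onboard_host <host> <admin-anchor>...
onboard_host() {
  host="$1"; shift
  key="$(ssh "root@$host" cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age)" || return 1
  if ! is_age_pubkey "$key"; then
    echo "unexpected ssh-to-age output for $host: $key" >&2
    return 1
  fi
  echo "# merge the following into .sops.yaml:"
  render_sops_rule "$host" "$key" "$@"
  mkdir -p "config/hosts/$host"
  sops "config/hosts/$host/secrets.yaml"
}

# Run from the repo root, e.g.: sh onboard.sh git admin_alice admin_bob
if [ "$#" -ge 2 ]; then
  onboard_host "$@"
fi
```

Only `onboard_host` touches the network; the two helpers are pure text functions, which is what makes the key check and the YAML rendering easy to exercise without a host.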
## Build NixOS Proxmox VE Template

Build a new NixOS Proxmox VE Template for the thinkcccores:

```sh
nix build .#proxmox-nixos-template
```

Build a new NixOS Proxmox VE Template for the chaosknoten:

```sh
nix build .#proxmox-chaosknoten-nixos-template
```
## License

This CCCHH nix-infra repository is licensed under the MIT License.

`librespot_PR1528_conflicts_resolved.patch` is a modified version of librespot PR 1528 and is licensed under the MIT license.