CCCHH/nix-infra
CCCHH/nix-infra
2
3
Fork 3
Code Issues Pull requests 2 Projects Wiki Activity
nix-infra/README.md
June 877bd44764
license this repo under the MIT license 
All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(#12). Once all
contributors signed-off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
2024-11-10 18:14:42 +01:00

69 lines
2.6 KiB
Markdown
Raw Blame History

# nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` going, use the following command:
```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```
After that you can simply run the following to deploy e.g. the git and matrix hosts:
```
infra-rebuild switch git matrix
```
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key. \
You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the hosts `nixosConfiguration`:
```nix
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
```nix
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
```
7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```nix
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
Reference in a new issue View git blame Copy permalink