Repository containing our nix infrastructure configuration. It simply provides nixosConfigurations for each host and can be easily deployed using tools like infra-rebuild, bij or even nixos-rebuild.

infrastructure nix nixos

Find a file

djerun 9d9b8ede02 flake.lock: Update Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23) → 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22) → 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23) → 'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f?narHash=sha256-fLLUd2dO/Vnf96UDr8YPzerYi%2Bn99l3S5yIUDnmcPBE%3D' (2024-11-01) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23) → 'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88?narHash=sha256-Hlv3rTPxnO%2BDpKRXw9yjzERLdk05h7%2BfEbZxWM2taCw%3D' (2024-11-01) • Updated input 'sops-nix': 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16) → 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56?narHash=sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN%2BompyW4GIJruLuw%3D' (2024-10-27) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08) → 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)		2024-11-02 00:12:24 +01:00
config	hydra: configure hydra host	2024-10-30 01:44:12 +01:00
modules/services/audio	Make MPD be put into pause mode instead of start. playback after startup	2024-05-23 22:25:32 +02:00
.editorconfig	Add .editorconfig for ensuring some consistency	2024-07-30 01:35:13 +02:00
.gitignore	Initial commit. Add configuration for NixOS Proxmox image	2023-09-11 23:20:34 +02:00
.sops.yaml	penpot: configure penpot host using oci-containers	2024-08-10 22:38:05 +02:00
deployment_configuration.json	hydra: configure hydra host	2024-10-30 01:44:12 +01:00
flake.lock	flake.lock: Update	2024-11-02 00:12:24 +01:00
flake.nix	hydra: configure hydra host	2024-10-30 01:44:12 +01:00
README.md	Mark nix code blocks as containing nix code for syntax highlighting	2024-06-09 21:24:42 +02:00

README.md

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
You can use existing creation rules as a reference.
Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
Add the following entry to the modules of the hosts nixosConfiguration:
```
sops-nix.nixosModules.sops
```
Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml:
```
{ ... }:

{
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
}
```
Make sure the sops.nix gets imported. For example in the default.nix.
To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following:
```
sops.secrets."forgejo_git_smtp_password" = {
  mode = "0440";
  owner = "forgejo";
  group = "forgejo";
  restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.