CCCHH/nix-infra
CCCHH/nix-infra
2
3
Fork 2
Code Issues1 Pull requests1 Wiki Activity
Repository containing our nix infrastructure configuration. It simply provides nixosConfigurations for each host and can be easily deployed using tools like infra-rebuild, bij or even nixos-rebuild.
217 commits 10 branches 0 tags 676 KiB
Find a file
c6ristian be351c6ded
flake.lock: Update 
Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    '686a6af22f.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → '686a6af22f.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453' (2025-01-16)
  → 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791' (2025-02-17)
  → 'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975' (2025-02-11)
  → 'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
2025-03-14 20:25:19 +01:00
config Update to new IPv6 prefix 2025-03-02 22:00:19 +01:00
modules/services/audio shairport-sync: use airplay2 variant instead of custome overlay 2024-12-09 21:21:17 +01:00
.editorconfig Add .editorconfig for ensuring some consistency 2024-07-30 01:35:13 +02:00
.gitignore Initial commit. Add configuration for NixOS Proxmox image 2023-09-11 23:20:34 +02:00
.sops.yaml netbox: remove because of migration to ansible-infra 2025-02-18 00:02:31 +01:00
deployment_configuration.json nix-box-june: remove nix-box-june as its being decommissioned 2025-02-18 00:04:58 +01:00
flake.lock flake.lock: Update 2025-03-14 20:25:19 +01:00
flake.nix nix-box-june: remove nix-box-june as its being decommissioned 2025-02-18 00:04:58 +01:00
LICENSE license this repo under the MIT license 2024-11-14 22:56:50 +01:00
README.md netbox: configure and patch NetBox for OIDC group and role mapping 2025-01-14 20:49:14 +01:00

README.md

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

  1. Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running: 
    cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  2. Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
  3. Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
    You can use existing creation rules as a reference.
  4. Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this: 
    sops config/hosts/hostname/secrets.yaml
    Note: Nested keys don't seem to be compatible with sops-nix.
  5. Add the following entry to the modules of the hosts nixosConfiguration: 
    sops-nix.nixosModules.sops
  6. Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml: 
    { ... }:

{
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
}
  7. Make sure the sops.nix gets imported. For example in the default.nix.
  8. To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following: 
    sops.secrets."forgejo_git_smtp_password" = {
  mode = "0440";
  owner = "forgejo";
  group = "forgejo";
  restartUnits = [ "forgejo.service" ];
};
    This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.

Build NixOS Proxmox VE Template

Build a new NixOS Proxmox VE Template for the thinkcccore's:

nix build .#proxmox-nixos-template

Build a new NixOS Proxmox VE Template for the chaosknoten:

nix build .#proxmox-chaosknoten-nixos-template

License

This CCCHH nix-infra repository is licensed under the MIT License.
0001_oidc_group_and_role_mapping_custom_pipeline.patch is licensed under the Creative Commons: CC BY-SA 4.0 license.