Repository containing our nix infrastructure configuration. It simply provides nixosConfigurations for each host and can be easily deployed using tools like infra-rebuild, bij or even nixos-rebuild.

infrastructure nix nixos

Find a file

June ec64eebfd6 common: use pkgs.fetchgit and git commit hash for authorized keys repo Do this to be in line with other places, where resources get fetched using git and to hopefully avoid errors such as: Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit. This issue was discovered while trying to make the new hydra work.		2024-10-29 23:17:31 +01:00
config	common: use pkgs.fetchgit and git commit hash for authorized keys repo	2024-10-29 23:17:31 +01:00
modules/services/audio	Make MPD be put into pause mode instead of start. playback after startup	2024-05-23 22:25:32 +02:00
.editorconfig	Add .editorconfig for ensuring some consistency	2024-07-30 01:35:13 +02:00
.gitignore	Initial commit. Add configuration for NixOS Proxmox image	2023-09-11 23:20:34 +02:00
.sops.yaml	penpot: configure penpot host using oci-containers	2024-08-10 22:38:05 +02:00
deployment_configuration.json	penpot: configure penpot host using oci-containers	2024-08-10 22:38:05 +02:00
flake.lock	flake.lock: Update	2024-09-23 22:09:01 +02:00
flake.nix	add hydraJobs for packages and nixosConfigurations	2024-10-29 21:30:16 +01:00
README.md	Mark nix code blocks as containing nix code for syntax highlighting	2024-06-09 21:24:42 +02:00

README.md

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
You can use existing creation rules as a reference.
Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
Add the following entry to the modules of the hosts nixosConfiguration:
```
sops-nix.nixosModules.sops
```
Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml:
```
{ ... }:

{
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
}
```
Make sure the sops.nix gets imported. For example in the default.nix.
To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following:
```
sops.secrets."forgejo_git_smtp_password" = {
  mode = "0440";
  owner = "forgejo";
  group = "forgejo";
  restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.