# EH22 Noc-Nix

The declarative configuration of all NOC-operated systems used during Easterhegg 2025 is contained herein.

For the best experience, NOC agents recommend [installing nix](https://nixos.org/download/) on your local administrative unit and entering `nix develop` when using this repo ([nix-direnv](https://github.com/nix-community/nix-direnv) is also configured though) ^^.

Please also keep our [Service & Responsibility Page](https://eh22.easterhegg.eu/intern:teams:noc) up-to-date.

## Known Machines

- Hypervisor
  - CCCHH IPMI Address: http://172.31.201.56
  - eh22-mgmt Proxmox Access: https://94.45.255.2:8006/

## How-To CCCHH Staging

1. Connect to *CCCHH* WiFi and boot up the server via IPMI.
   This takes a minute or two, wait until the boot process has completed (visible via the IPMI Virtual Console).
2. Connect to *eh22-mgmt* WiFi.
   You should get an IP address via DHCP.
   If not, the router VM has not finished booting.

## Password & Secret Management

This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.

### Using CCCHH Password-Store Key

For convenience, a sops key has been added to the [CCCHH Password-Store](https://git.hamburg.ccc.de/CCCHH/password-store) which is able to encrypt all secrets of this repository.
Sops can be told to use it like this:

```bash
export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)
```

If you don't have access to that, ask someone (@lilly for example) to authorize your personal key.

### Passwords

All relevant passwords should be stored in `secrets/passwords.yaml`, a plain YAML document with no strict schema that is sops-encrypted.
It should contain all the passwords a NOC admin needs.


#### Accessing Passwords

```bash
sops decrypt secrets/passwords.yaml
```

#### Adding/Updating Passwords

```bash
sops edit secrets/passwords.yaml
```

#### Authorizing new Users

Sops supports either GPG or age encryption.
I (Lilly) personally prefer age since it skips all the OpenPGP CLI weirdness and having to import keys from their IDs.

Adding a new age key works like this:

1. Run `age-keygen -o ~/.config/sops/age/keys.txt` and copy the public key from the generated file.
2. Edit [.sops.yaml](./.sops.yaml) and enter the new public key (preferably as a YAML anchor) under `keys`, and reference it in the `creation_rules` entry for the passwords file.
   Look at the existing file content and you'll figure it out.
3. Commit and push changes.
4. Ask someone with existing access to run `sops updatekeys secrets/passwords.yaml` to re-encrypt the password file with the newly added key.
   They should, of course, also commit and push the changes.
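For orientation, this is what a `.sops.yaml` that follows the layout described above looks like. It is an added, illustrative example, not the repository's actual file: the anchor names and the `age1...` values are placeholders (a real age recipient is `age1` followed by 58 bech32 characters), and the rule matches only the passwords file because that is the one covered by the steps above.

```yaml
# Illustrative .sops.yaml (added example, not the repository's own file).
# Only *public* age recipients (age1...) belong here. If a line starting with
# AGE-SECRET-KEY-1 ever ends up in this file, someone pasted the wrong half of
# their key pair and that key must be regenerated.
keys:
  # one anchor per person or shared key (placeholder values)
  - &lilly age1EXAMPLEPUBLICKEYLILLYPLACEHOLDER
  - &nox_shared age1EXAMPLESHAREDNOCKEYPLACEHOLDER   # the key kept in the CCCHH password-store
  - &new_agent age1EXAMPLEPUBLICKEYNEWAGENTPLACEHOLDER   # step 2: add the freshly generated key here ...

creation_rules:
  # path_regex is matched relative to the directory containing .sops.yaml
  - path_regex: ^secrets/passwords\.yaml$
    key_groups:
      - age:
          - *lilly
          - *nox_shared
          - *new_agent   # ... and reference it here so `sops updatekeys` re-encrypts for it
```

Editing this file changes nothing on disk by itself: the data key inside `secrets/passwords.yaml` is still wrapped only for the recipients that were present at the last encryption, which is why step 4 (`sops updatekeys`) has to be run by someone who can already decrypt the file. Removing an anchor from the rule and running `updatekeys` is the matching way to revoke access, bearing in mind that anyone who held the file before revocation could still decrypt that older copy.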

### Machine-Secrets

See [sops-nix](https://github.com/Mic92/sops-nix)

**TODO**


## VM Installation Instructions

1. Create a new system configuration in the [systems/](./systems/) directory.
   The default configuration (defined in [base_system.nix](./modules/base_system.nix) and [user_account.nix](./modules/user_account.nix)), which is automatically included, defines a `noc` user, filesystem configuration and some locale and nix settings.
   For a basic installation, you should not need to add any further settings to your system config (see the [test.eh22.intern config](./systems/test.eh22.intern.nix) for reference).

2. Add the new system configuration as flake output by including it at the bottom of [systems/default.nix](./systems/default.nix).

3. Commit & Push your git changes.

4. Create a new VM in Proxmox.
   For our defaults to work, the system disk image should be attached as `scsi0` and BIOS boot should be used.

   You should also add the `nixos-24.11-custom-installer.iso` in the VM's CD/DVD drive.

5. Boot the installer and install the system.

   Once the installer has booted, and assuming the defaults are used, enter the following command to install a system's NixOS definition into the VM:

   ```bash
   sudo disko-install --disk system /dev/sda --flake "git+https://git.hamburg.ccc.de/EH22/nox.git#<your-system-name>"
   ```

6. Reboot into the installed system after installation has finished.

   The VM can now further be configured using `./switch_remote.sh`.
   See [VM Configuration](#vm-configuration) for details about this.


## VM Configuration

Any NixOS VM can be reconfigured remotely by calling:

```bash
./switch_remote.sh <action> <host> <system-name>
```

- `<action>` can be any of the [standard nixos-rebuild actions](https://wiki.nixos.org/wiki/Nixos-rebuild), such as `boot` or `switch`.
- `<host>` is an ssh connection string (e.g. `noc@10.20.25.2`) and specifies where to deploy the configuration to.
- `<system-name>` should be the hostname of the system configuration to apply.
  Any one of the systems defined in [systems/](./systems/) ending in `noc.eh22.intern` works.