# EH22 Noc-Nix

The declarative configuration of all NOC-operated systems used during Easterhegg 2025 is contained herein.

For the best experience, NOC agents recommend [installing nix](https://nixos.org/download/) on your local administrative unit and entering `nix develop` when using this repo ([nix-direnv](https://github.com/nix-community/nix-direnv) is also configured, though) ^^.

Please also keep our [Service & Responsibility Page](https://eh22.easterhegg.eu/intern:teams:noc) up-to-date.

## Known Machines

- Hypervisor
  - CCCHH IPMI Address: http://172.31.201.56
  - eh22-mgmt Proxmox Access: https://10.20.25.1:8006/


## Password & Secret Management

This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.

### Passwords

All relevant passwords should be stored in `secrets/passwords.yaml`, which is a plain YAML document with no strict schema, but which is sops-encrypted.
It should contain all relevant passwords a NOC admin needs.

#### Accessing Passwords

```bash
sops decrypt secrets/passwords.yaml
```

#### Adding/Updating Passwords

```bash
sops edit secrets/passwords.yaml
```

#### Authorizing new Users

Sops supports either GPG or age encryption.
I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and having to import keys from their IDs.

Adding a new age key works like this:

1. `vim .sops.yaml` and enter the new key (preferably as a YAML anchor) under `keys`, and reference it in the `creation_rules` entry for the passwords file.
   Look at the existing file content and you'll figure it out.
2. `sops updatekeys secrets/passwords.yaml` to re-encrypt the password file with the newly added key.
3. Commit and push changes.
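As an added illustration of the layout the steps above refer to (this is not the repository's actual `.sops.yaml`; the age public keys are constructed placeholders and the `path_regex` is an assumption about how the passwords file is matched):

```yaml
# Added example of a .sops.yaml layout (not the repository's own file).
# The age public keys below are constructed placeholders, not real recipients.
keys:
  - &lilly  age1placeholder000000000000000000000000000000000000000000000lilly
  - &newnoc age1placeholder00000000000000000000000000000000000000000000newnoc
creation_rules:
  # Every file matching this regex is encrypted for all listed recipients.
  - path_regex: secrets/passwords\.yaml$
    key_groups:
      - age:
          - *lilly
          - *newnoc
```

`sops updatekeys` only re-wraps the file's existing data key for the recipients listed here; it does not generate a new one. When a key is removed rather than added, run `sops rotate -i secrets/passwords.yaml` (older sops versions: `sops -r -i`) as well, so the departing key holder cannot keep using the data key they already saw.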

### Machine-Secrets

See [sops-nix](https://github.com/Mic92/sops-nix)

**TODO**


## VM Installation Instructions

1. Create a new system configuration in the [systems/](./systems/) directory.
   The default configuration (defined in [base_system.nix](./modules/base_system.nix) and [user_account.nix](./modules/user_account.nix)), which is automatically included, defines a `noc` user, the filesystem configuration and some locale and nix settings.
   For a basic installation, you should not need to add any relevant settings to your system config (see the [test.eh22.intern config](./systems/test.eh22.intern.nix) for reference).

2. Add the new system configuration as flake output by including it at the bottom of [systems/default.nix](./systems/default.nix).

3. Commit & Push your git changes.

4. Create a new VM in Proxmox.
   For our defaults to work, the system disk image should be added as scsi0 and BIOS-Boot should be used.

   You should also add the `nixos-24.11-custom-installer.iso` in the VM's CD/DVD drive.

5. Boot the installer and install the system.

   Once the installer is booted and assuming that defaults are used, enter the following command to install a system's NixOS definition into the VM:

   ```bash
   sudo disko-install --disk system /dev/sda --flake "git+https://git.hamburg.ccc.de/EH22/nox.git#<your-system-name>"
   ```

6. Reboot into the installed system after installation has finished.

   The VM can now further be configured using `./switch_remote.sh`.
   See [VM Configuration](#vm-configuration) for details about this.


## VM Configuration

Any NixOS VM can be reconfigured remotely by calling:

```bash
./switch_remote.sh <action> <machine>
```

- `<action>` can be any of the [standard nixos-rebuild actions](https://wiki.nixos.org/wiki/Nixos-rebuild), e.g. `boot`, `switch`, etc.
- `<machine>` should be the FQDN of the machine config to apply.

  The script uses this argument both to reach the machine and to select the NixOS configuration from this flake that is used as the system source (see [systems/](./systems/)).
  This also means that you should have an entry in your SSH config resolving the system name to an IP address (during the event, we will probably have an internal DNS server which also resolves the hostname).
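The repository's `./switch_remote.sh` is not reproduced on this page, so the following is an added example of a wrapper in the same spirit, not the project's own script. It assumes the script boils down to `nixos-rebuild <action> --flake .#<machine> --target-host noc@<machine> --use-remote-sudo` (the `noc` user comes from `user_account.nix`; the exact invocation is an assumption). Because both arguments end up on a command line and the machine name is also an SSH destination, the wrapper checks them against an allow-list before anything runs:

```bash
#!/bin/sh
# Added example, not the repository's switch_remote.sh. The nixos-rebuild
# invocation below is an ASSUMPTION about what such a script does.
set -eu

# nixos-rebuild actions NOC agents are expected to run remotely.
ALLOWED_ACTIONS="switch boot test build dry-build dry-activate"

# "." resolves to the checkout of this flake; override via the environment.
FLAKE_REF="${FLAKE_REF:-.}"
# Remote user that every machine defines via modules/user_account.nix.
REMOTE_USER="${REMOTE_USER:-noc}"

# valid_action ACTION -> returns 0 if ACTION is in the allow-list.
valid_action() {
  for a in $ALLOWED_ACTIONS; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# valid_fqdn NAME -> returns 0 if NAME is a plain DNS name.
# The name is reused as an SSH destination, so anything that ssh could read
# as an option (leading '-') or as user@host / host:port is rejected.
valid_fqdn() {
  case "$1" in
    ''|-*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# build_rebuild_cmd ACTION MACHINE -> prints the command that would run,
# or fails with status 2 if either argument is rejected.
build_rebuild_cmd() {
  action="$1"; machine="$2"
  valid_action "$action" || { echo "unknown action: $action" >&2; return 2; }
  valid_fqdn "$machine"  || { echo "bad machine name: $machine" >&2; return 2; }
  printf '%s\n' "nixos-rebuild $action --flake ${FLAKE_REF}#${machine} --target-host ${REMOTE_USER}@${machine} --use-remote-sudo"
}

# Only act when invoked with arguments; sourcing the file just defines
# the functions above.
if [ "$#" -gt 0 ]; then
  [ "$#" -eq 2 ] || { echo "usage: $0 <action> <machine>" >&2; exit 64; }
  echo "+ $(build_rebuild_cmd "$1" "$2")" >&2
  exec nixos-rebuild "$1" --flake "${FLAKE_REF}#$2" \
    --target-host "${REMOTE_USER}@$2" --use-remote-sudo
fi
```

The command is executed with each argument quoted separately rather than through `eval`, so the validation is belt-and-braces: even an unexpected machine name cannot be split into extra options. `valid_fqdn` is deliberately stricter than what DNS allows, since the only names this repo uses are the `*.eh22.intern` FQDNs listed under `systems/`.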