nix config of noc machines

EH22 Noc-Nix

The declarative configuration of all NOC-operated systems used during Easterhegg 2025 is contained herein.

For the best experience, NOC agents recommend installing nix on your local administrative unit and entering nix develop when using this repo (nix-direnv is also configured though) ^^.

Please also keep our Service & Responsibility Page up-to-date.

Known Machines

How-To CCCHH Staging

  1. Connect to CCCHH WiFi and boot up the server via IPMI. This takes a minute or two, wait until the boot process has completed (visible via the IPMI Virtual Console).
  2. Connect to eh22-mgmt WiFi. You should get an IP-Address via DHCP. If not, the router VM has not finished booting.

Password & Secret Management

This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.

Using CCCHH Password-Store Key

For convenience, a sops key has been added to the CCCHH Password-Store which is able to encrypt all secrets of this repository. Sops can be told to use it like this:

export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)

If you don't have access to that, ask someone (@lilly for example) to authorize your personal key.

Passwords

All relevant passwords should be stored in secrets/passwords.yaml, a plain yaml document with no strict schema which is sops encrypted. It should contain all relevant passwords a NOC admin needs.

Accessing Passwords

sops decrypt secrets/passwords.yaml

Adding/Updating Passwords

sops edit secrets/passwords.yaml

Authorizing new Users

Sops supports either GPG or age encryption. I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and having to import keys from their IDs.

Adding a new age key works like this:

  1. Run age-keygen -o ~/.config/sops/age/keys.txt and copy the public key from the generated file.
  2. Edit .sops.yaml and enter the new key (preferably as a yaml anchor) under keys as well as the creation_rule for the passwords file. Look at the existing file content and you'll figure it out.
  3. Commit and push changes.
  4. Ask someone with existing access to run sops updatekeys secrets/passwords.yaml to reencrypt the password file with the newly added key. They should, of course, also commit and push the changes.
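As an added illustration of steps 2 and 4, this is a .sops.yaml in the shape the procedure describes. It is an example written for this page, not the repository's real file: every age public key is a placeholder, and the per-machine secret path (secrets/test.eh22.intern.yaml) is an assumed name, not one the repository necessarily uses.

```yaml
# Example .sops.yaml (not the repository's real file). All key values are
# placeholders; the machine-secret path below is assumed for illustration.
keys:
  # One yaml anchor per person or machine, so each key is written once and
  # reused in the creation_rules below.
  - &lilly age1PLACEHOLDER_PUBLIC_KEY_LILLY
  - &newuser age1PLACEHOLDER_PUBLIC_KEY_NEWUSER            # the key added in step 2
  - &host_test age1PLACEHOLDER_HOST_KEY_TEST_EH22_INTERN   # machine key, see sops-nix

creation_rules:
  # Shared password store: every NOC admin's key, no machine keys.
  - path_regex: ^secrets/passwords\.yaml$
    key_groups:
      - age:
          - *lilly
          - *newuser
  # Per-machine secrets (assumed path): admins plus only that machine's own key,
  # so one VM cannot decrypt another VM's secrets.
  - path_regex: ^secrets/test\.eh22\.intern\.yaml$
    key_groups:
      - age:
          - *lilly
          - *newuser
          - *host_test
```

Adding a key to this file does not by itself change any encrypted file: each secrets file carries its own list of recipients, which is why step 4 has someone with existing access run sops updatekeys on it. Keeping machine keys out of the passwords rule keeps the shared password store readable only by admins.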

Machine-Secrets

See sops-nix

TODO

VM Installation Instructions

  1. Create a new system configuration in the systems/ directory. The default configuration (defined in base_system.nix and user_account.nix), which is automatically included, defines a noc user, filesystem configuration and some locale and nix settings. For a basic installation, you should not need to add any relevant settings to your system config (see the test.eh22.intern config for reference).

  2. Add the new system configuration as flake output by including it at the bottom of systems/default.nix.

  3. Commit & Push your git changes.

  4. Create a new VM in Proxmox. For our defaults to work, the system disk image should be added as scsi0 and BIOS-Boot should be used.

    You should also add the nixos-24.11-custom-installer.iso in the VM's CD/DVD drive.

  5. Boot the installer and install the system.

    Once the installer is booted and assuming that defaults are used, enter the following command to install a system's NixOS definition into the VM:

    sudo disko-install --disk system /dev/sda --flake "git+https://git.hamburg.ccc.de/EH22/nox.git#<your-system-name>"
    
  6. Reboot into the installed system after installation has finished.

    The VM can now further be configured using ./switch_remote.sh. See VM Configuration for details about this.

VM Configuration

Any NixOS VM can be reconfigured remotely by calling:

./switch_remote.sh <action> <host> <system-name>
  • <action> can be any of the standard nixos-rebuild actions, e.g. boot, switch, etc.
  • <host> is an ssh connection string (e.g. noc@10.20.25.2) and specifies where to deploy the configuration.
  • <system-name> should be the hostname of the system configuration to apply. Any one of the systems defined in systems/ ending in noc.eh22.intern works.
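To make the three-argument interface concrete, here is a minimal wrapper with the same calling convention, added as an example for this page; it is not the repository's switch_remote.sh. It assumes the flake is in the current directory, that the remote user can sudo, and that the action is one of nixos-rebuild's deployment actions; the host and system name in the usage comment are the page's own examples.

```shell
#!/usr/bin/env sh
# Example wrapper (not the repository's own switch_remote.sh).
# Usage: ./switch_example.sh <action> <host> <system-name>
#   e.g. ./switch_example.sh switch noc@10.20.25.2 test.eh22.intern

# Return 0 if $1 is an action that makes sense for remote deployment.
valid_action() {
  case "$1" in
    switch|boot|test|dry-activate|build) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the nixos-rebuild invocation for the given action, host and system
# name. Rejects unknown actions and empty arguments instead of passing them on.
build_cmd() {
  action="$1"; host="$2"; system="$3"
  valid_action "$action" || { echo "unknown action: $action" >&2; return 1; }
  [ -n "$host" ] && [ -n "$system" ] || { echo "host and system-name are required" >&2; return 1; }
  # --target-host builds locally and activates over ssh; --use-remote-sudo
  # lets the unprivileged noc user switch the system without root ssh logins.
  printf 'nixos-rebuild %s --flake .#%s --target-host %s --use-remote-sudo\n' \
    "$action" "$system" "$host"
}

# Run the deployment only when invoked with exactly three arguments.
if [ "$#" -eq 3 ]; then
  cmd=$(build_cmd "$1" "$2" "$3") || exit 1
  echo "+ $cmd"
  eval "$cmd"
fi
```

Running build or dry-activate first is a cheap way to check that a system name really resolves in the flake before switching a live VM.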