EH22/nox
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nox/README.md

117 lines
4.7 KiB
Markdown
Raw Permalink Blame History

# EH22 Noc-Nix
The declarative configuration of all NOC-operated systems used during Easterhegg 2025 are contained hering.
For the best experience, NOC agents recommend [installing nix](https://nixos.org/download/) on your local administrative unit and entering `nix develop` when using this repo ([nix-direnv](https://github.com/nix-community/nix-direnv) is also configured though) ^^.
Please also keep our [Service & Responsibility Page](https://eh22.easterhegg.eu/intern:teams:noc) up-to-date.
## Known Machines
- Hypervisor
- CCCHH IPMI Address: http://172.31.201.56
- eh22-mgmt Proxmox Access: https://94.45.255.2:8006/
## How-To CCCHH Staging
1. Connect to *CCCHH* WiFi and boot up the server via IPMI.
This takes a minute or two, wait until the boot process has completed (visible via the IPMI Virtual Console).
2. Connect to *eh22-mgmt* WiFi.
You should get an IP-Address via DHCP.
If not, the router VM has not finished booting.
## Password & Secret Management
This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.
### Using CCCHH Password-Store Key
For convenience, a sops key has been added to the [CCCHH Password-Store](https://git.hamburg.ccc.de/CCCHH/password-store) which is able to encrypt all secrets of this repository.
Sops can be told to use it like this:
```bash
export SOPS_AGE_KEY=$(pass noc/events/eh22/nox-sops-key)
```
If you don't have access to that, ask someone (@lilly for example) to authorize your personal key.
### Passwords
All relevant passwords should be stored in `secrets/passwords.yaml` which is a plain yaml document with no strict schema but which is sops encrypted.
It should contain all relevant passwords, a NOC admin needs.
#### Accessing Passwords
```bash
sops decrypt secrets/passwords.yaml
```
#### Adding/Updating Passwords
```bash
sops edit secrets/passwords.yaml
```
#### Authorizing new Users
Sops supports either GPG or age encryption.
I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and having to import keys from their IDs.
Adding a new age key works like this:
1. Run `age-keygen -o ~/.config/sops/age/keys.txt` and copy the public key from the generated file.
2. Edit [.sops.yaml](./.sops.yaml) and enter the new key (preferably as a yaml anchor) under `keys` as well as the `creation_rule` for the passwords file.
Look at the existing file content and you'll figure it out.
3. Commit and push changes.
4. Ask someone with existing access to run `sops updatekeys secrets/passwords.yaml` to reencrypt the password file with the newly added key.
They should, of course, also commit and push the changes.
### Machine-Secrets
See [sops-nix](https://github.com/Mic92/sops-nix)
**TODO**
## VM Installation Instructions
1. Create a new system configuration in the [systems/](./systems/) directory.
The default configuration (defined in [base_system.nix](./modules/base_system.nix) and [user_account.nix](./modules/user_account.nix)), which is automatically included, defines a `noc` user, filesystem configuration and some locale and nix settings.
For a basic installation, you should not need to actually add any relevant settings into your system config (see for reference [test.eh22.intern config](./systems/test.eh22.intern.nix).
2. Add the new system configuration as flake output by including it at the bottom of [systems/default.nix](./systems/default.nix).
3. Commit & Push your git changes.
4. Create a new VM in Proxmox.
For our defaults to work, the system disk image should be added as scsi0 and BIOS-Boot should be used.
You should also add the `nixos-24.11-custom-installer.iso` in the VM's CD/DVD drive.
5. Boot the installer and install the sytem.
Once the installer is booted and assuming that defaults are used, enter the following command to install a systems NixOS definition into the VM:
```bash
sudo disko-install --disk system /dev/sda --flake "git+https://git.hamburg.ccc.de/EH22/nox.git#<your-system-name>"
```
6. Reboot into the installed system after installation has finished.
The VM can now further be configured using `./switch_remote.sh`.
See [VM Configuration](#vm-configuration) for details about this.
## VM Configuration
Any NixOS VM can be reconfigured remotely by calling:
```bash
./switch_remote.sh <action> <host> <system-name>
```
- `<action>` can be any of the [standard nixos-rebuild actions](https://wiki.nixos.org/wiki/Nixos-rebuild), e.g. `boot`, `switch`, etc.
- `<host>` is an ssh connection string (e.g. `noc@10.20.25.2`) and specifies where to deploy the configuration to.
- `<system-name>` should be the hostname of the system configuration to apply.
Any one of the systems defined in [systems/](./systems/) ending in `noc.eh22.intern` works.
Reference in a new issue View git blame Copy permalink