EH22 Noc-Nix

The declarative configuration of all NOC-operated systems used during Easterhegg 2025 is contained herein.

For the best experience, NOC agents recommend installing nix on your local administrative unit and entering nix develop when using this repo (nix-direnv is also configured though) ^^.

Known Machines

Password & Secret Management

This repository contains a sops configuration that is used for password encryption as well as secret management for our nix machines.

Passwords

All relevant passwords should be stored in secrets/passwords.yaml, a plain YAML document with no strict schema that is sops-encrypted. It should contain every password a NOC admin needs.

Accessing Passwords

sops decrypt secrets/passwords.yaml

Adding/Updating Passwords

sops edit secrets/passwords.yaml

Authorizing new Users

Sops supports either GPG or age encryption. I (Lilly) personally prefer age since it skips all the openpgp cli weirdness and having to import keys from their IDs.

Adding a new age key works like this:

  1. vim .sops.yaml and enter the new key (preferably as a YAML anchor) under keys, then reference it in the creation_rules entry for the passwords file. Look at the existing file content and you'll figure it out.
  2. sops updatekeys secrets/passwords.yaml to reencrypt the password file with the newly added key.
  3. Commit and push changes.
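An illustrative .sops.yaml for the layout the steps above describe, added here as an example; it is not this repository's actual file, and every age public key in it is a constructed placeholder:

```yaml
# Added illustration of a .sops.yaml for this repo; not the real file.
# Every age public key below is a constructed placeholder. A real one
# starts with "age1" and is printed by `age-keygen` when the key is made.
keys:
  # One anchor per admin: the key is written once and referenced below.
  - &admin_lilly age1PLACEHOLDER_LILLY_REPLACE_WITH_REAL_PUBLIC_KEY
  # Step 1 for a new NOC admin: add an anchor here ...
  - &admin_new   age1PLACEHOLDER_NEWADMIN_REPLACE_WITH_REAL_PUBLIC_KEY
  # Assumed extra entry for sops-nix: a machine's ssh host key converted
  # to an age recipient, so the host can decrypt its own secrets at boot.
  - &host_test   age1PLACEHOLDER_TEST_EH22_INTERN_HOST_KEY

creation_rules:
  # The shared password store: every admin, no machines.
  - path_regex: ^secrets/passwords\.yaml$
    key_groups:
      - age:
          - *admin_lilly
          # ... and reference it here. Step 2 (`sops updatekeys
          # secrets/passwords.yaml`) then re-wraps the file's data key
          # for this recipient; the secret values themselves stay as-is.
          - *admin_new
  # Assumed layout for per-machine secrets: admins plus the one host
  # that is allowed to read the file.
  - path_regex: ^secrets/test\.eh22\.intern\.yaml$
    key_groups:
      - age:
          - *admin_lilly
          - *admin_new
          - *host_test
```

Removing an admin is the mirror image: delete the reference from the rule, run sops updatekeys, and rotate any password the departing key could already have read, since old git history still decrypts for it.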

Machine-Secrets

See sops-nix

TODO

VM Installation Instructions

  1. Create a new system configuration in the systems/ directory. The default configuration (defined in base_system.nix and user_account.nix), which is automatically included, defines a noc user, the filesystem configuration and some locale and nix settings. For a basic installation, you should not need to add any further settings to your system config (see the test.eh22.intern config for reference).

  2. Add the new system configuration as flake output by including it at the bottom of systems/default.nix.

  3. Commit & Push your git changes.

  4. Create a new VM in Proxmox. For our defaults to work, the system disk image should be added as scsi0 and BIOS-Boot should be used.

    You should also add the nixos-24.11-custom-installer.iso in the VM's CD/DVD drive.

  5. Boot the installer and install the system.

    Once the installer is booted and assuming that defaults are used, enter the following command to install a system's NixOS definition into the VM:

    sudo disko-install --disk system /dev/sda --flake "git+https://git.hamburg.ccc.de/EH22/nox.git#<your-system-name>"
    
  6. Reboot into the installed system after installation has finished.

    The VM can now be further configured using ./switch_remote.sh. See VM Configuration for details.

VM Configuration

Any NixOS VM can be reconfigured remotely by calling:

./switch_remote.sh <action> <machine>

  • <action> can be any of the standard nixos-rebuild actions, e.g. boot, switch, etc.

  • <machine> should be the FQDN of the machine config to apply.

    The script uses this argument both to reach the machine and to choose a NixOS configuration from this flake as the system source (see systems/). This also means that you should have an entry in your SSH config resolving the system name to an IP address (during the event, we will probably have an internal DNS server which also resolves the hostname).