# EH22 Noc-Nix
## Known Machines

- Hypervisor
  - CCCHH IPMI Address: http://172.31.201.56
  - CCCHH Proxmox Address: https://10.31.210.248:8006/
## Password & Secret Management
This repository contains a sops configuration (`.sops.yaml`) that is used for password encryption as well as secret management for our Nix machines.
### Passwords
All relevant passwords should be stored in `secrets/passwords.yaml`, a plain YAML document with no strict schema that is encrypted with sops. It should contain all passwords a NOC admin needs. Keep in mind that sops encrypts only the values: the YAML keys stay in plaintext in git, so do not put anything sensitive into the key names themselves.
#### Accessing Passwords

```sh
sops decrypt secrets/passwords.yaml
```
#### Adding/Updating Passwords

```sh
sops edit secrets/passwords.yaml
```
### Authorizing new Users
Sops supports either GPG or age encryption. I (Lilly) personally prefer age since it skips all the OpenPGP CLI weirdness and having to import keys from their IDs.
Adding a new age key works like this:

1. Open `.sops.yaml` (e.g. `vim .sops.yaml`) and enter the new public key (preferably as a YAML anchor) under `keys`, then reference it in the `creation_rules` entry for the passwords file. Look at the existing file content and you'll figure it out.
2. Run `sops updatekeys secrets/passwords.yaml` to re-encrypt the password file with the newly added key.
3. Commit and push the changes.

Note that `updatekeys` only re-wraps the existing data key for the new recipient set. When you *remove* a key, the person who had it can still decrypt every copy of the file they already have (including old git history), so additionally rotate the data key with `sops rotate -i secrets/passwords.yaml` and change the passwords that person knew.
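As an added example (not the repository's own `.sops.yaml` or tooling), the following script renders a `.sops.yaml` in the anchor style described above and documents the surrounding onboarding commands. The admin names, the age public keys and the `count_recipients` helper are placeholders and assumptions, not content from this repository.

```sh
#!/usr/bin/env sh
# Added example (not the repository's own .sops.yaml or tooling): what the
# anchor-style .sops.yaml looks like and the commands around onboarding a new
# age recipient. All names and age public keys used with it are placeholders.
set -eu

# Print a .sops.yaml in the style described above: each NOC admin's age public
# key is defined once under `keys` with a YAML anchor (&name) and referenced by
# alias (*name) in the creation rule for the passwords file.
# Arguments: name=age-public-key pairs, e.g. lilly=age1qyqszqg...
render_sops_config() {
  printf 'keys:\n'
  for pair in "$@"; do
    printf '  - &%s %s\n' "${pair%%=*}" "${pair#*=}"
  done
  printf 'creation_rules:\n'
  printf '  - path_regex: ^secrets/passwords\\.yaml$\n'
  printf '    key_groups:\n'
  printf '      - age:\n'
  for pair in "$@"; do
    printf '          - *%s\n' "${pair%%=*}"
  done
}

# Count the age recipients a rendered config (on stdin) grants access to; a
# quick sanity check before running `sops updatekeys`.
count_recipients() {
  grep -c '^ *- \*' || true
}

# Onboarding flow (commands assume sops >= 3.9 and age are installed):
#   new admin, once:  age-keygen -o ~/.config/sops/age/keys.txt
#                     (prints the public key age1...; share only that part)
#   existing admin:   put the public key into .sops.yaml as rendered above,
#                     then re-wrap the data key for the new recipient set:
#                     sops updatekeys secrets/passwords.yaml
#   revoking someone: removing their key and running updatekeys is NOT enough,
#                     they can still decrypt copies they already have; also
#                     rotate the data key: sops rotate -i secrets/passwords.yaml
#   new admin checks: sops decrypt secrets/passwords.yaml
main() {
  [ $# -ge 1 ] || { echo "usage: $0 name=age1... [name=age1... ...]" >&2; exit 2; }
  cfg=$(render_sops_config "$@")
  printf '%s\n' "$cfg"
  n=$(printf '%s\n' "$cfg" | count_recipients)
  echo "# $n recipient(s); write this to .sops.yaml, then: sops updatekeys secrets/passwords.yaml" >&2
}

# Run only when given arguments, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `sh render-sops.sh lilly=age1... bob=age1... > .sops.yaml`, then `sops updatekeys secrets/passwords.yaml` and commit both files. The anchor form means a key is defined in one place, so adding a second secrets file later only needs another alias line, not another copy of the key.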
### Machine-Secrets

See sops-nix.

TODO
## VM Installation Instructions
1. Create a new system configuration in the `systems/` directory. The default configuration (defined in `base_system.nix` and `user_account.nix`), which is automatically included, defines a `noc` user, the filesystem configuration and some locale and nix settings. For a basic installation you should not need to add any relevant settings to your system config (see the `test.eh22.intern` config for reference).
2. Add the new system configuration as a flake output by including it at the bottom of `systems/default.nix`.
3. Commit & push your git changes.
4. Create a new VM in Proxmox. For our defaults to work, the system disk image should be added as `scsi0` and BIOS boot (not UEFI/OVMF) should be used. You should also add the `nixos-24.11-custom-installer.iso` to the VM's CD/DVD drive.
5. Boot the installer and install the system. Once the installer is booted, and assuming that defaults are used, enter the following command to install a system's NixOS definition into the VM:

   ```sh
   sudo disko-install --disk system /dev/sda --flake "git+https://git.hamburg.ccc.de/EH22/nox.git#<your-system-name>"
   ```

   This partitions and formats `/dev/sda` without further confirmation, so check with `lsblk` that it really is the VM's empty system disk before running it.
6. Reboot into the installed system after the installation has finished.

The VM can now be configured further using `./switch_remote.sh`. See VM Configuration below for details.
## VM Configuration
Any NixOS VM can be reconfigured remotely by calling:

```sh
./switch_remote.sh <action> <machine>
```

- `<action>` can be any of the standard `nixos-rebuild` actions, e.g. `boot`, `switch`, etc.
- `<machine>` should be the FQDN of the machine config to apply. The script uses this argument both to reach the machine and to choose a NixOS configuration from this flake as the system source (see `systems/`). This also means that you should have an entry in your SSH config resolving the system name to an IP address (during the event, we will probably have an internal DNS server which also resolves the hostname).