forked from CCCHH/nix-infra
Repository containing our nix infrastructure configuration. It's mainly based around Colmena.
June
0395484ea9
Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08) → 'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04) → 'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10) → 'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10) → 'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05) → 'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12) |
||
---|---|---|
config | ||
modules/services/audio | ||
.editorconfig | ||
.gitignore | ||
.sops.yaml | ||
deployment_configuration.json | ||
flake.lock | ||
flake.nix | ||
README.md |
nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild
going, use the following command:
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
After that you can simply run the following to deploy e.g. the git and matrix hosts:
infra-rebuild switch git matrix
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a deployment_configuration.json
can be used.
This is exactly what we're doing to set the default deployment user to colmena-deploy
and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
Setting up secrets with sops-nix for a host
- Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
- Add the resulting age public key to the
.sops.yaml
as a YAML anchor in keys. It should be named something like:host_age_hostname
- Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key.
You can use existing creation rules as a reference. - Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
Note: Nested keys don't seem to be compatible with sops-nix.sops config/hosts/hostname/secrets.yaml
- Add the following entry to the modules of the hosts
nixosConfiguration
:sops-nix.nixosModules.sops
- Create a
sops.nix
in the hosts config directory containing the following content to include thesecrets.yaml
:{ ... }: { sops = { defaultSopsFile = ./secrets.yaml; }; }
- Make sure the
sops.nix
gets imported. For example in thedefault.nix
. - To use a secret stored under e.g.
forgejo_git_smtp_password
, you can then do something like the following:
This secret would then be available undersops.secrets."forgejo_git_smtp_password" = { mode = "0440"; owner = "forgejo"; group = "forgejo"; restartUnits = [ "forgejo.service" ]; };
/run/secrets/forgejo_git_smtp_password
on the host.