forked from CCCHH/nix-infra
Repository containing our nix infrastructure configuration. It's mainly based around Colmena.
Latest commit: 33599951ef (June)

Also bump the default state version to 24.05. See the release notes of the 24.05 release for more information: https://nixos.org/manual/nixos/stable/release-notes#sec-release-24.05
# nix-infra

nix infrastructure configuration for CCCHH.

## Deployment

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```

After that you can simply run the following to deploy e.g. the git and matrix hosts:

```
infra-rebuild switch git matrix
```
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host as the deployment target.
However, to override individual parts of the deployment target, a `deployment_configuration.json` can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy`
and to give the Chaosknoten hosts custom target hostnames, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host

- Convert the host's SSH host public key to an age public key.
  This can be done by connecting to the host and running:

  ```
  cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  ```

- Add the resulting age public key to the `.sops.yaml` as a YAML anchor in `keys`.
  It should be named something like `host_age_hostname`.
- Add a new creation rule for the host's config directory.
  It should probably have all admin keys and the host's age key.
  You can use existing creation rules as a reference.
- Create a file containing the relevant secrets in the host's config directory.
  This can be accomplished with a command similar to this:

  ```
  sops config/hosts/hostname/secrets.yaml
  ```

  Note: Nested keys don't seem to be compatible with sops-nix.
- Add the following entry to the modules of the host's `nixosConfiguration`: `sops-nix.nixosModules.sops`
- Create a `sops.nix` in the host's config directory containing the following content to include the `secrets.yaml`:

  ```nix
  { ... }: { sops = { defaultSopsFile = ./secrets.yaml; }; }
  ```

- Make sure the `sops.nix` gets imported, for example in the `default.nix`.
- To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:

  ```nix
  sops.secrets."forgejo_git_smtp_password" = { mode = "0440"; owner = "forgejo"; group = "forgejo"; restartUnits = [ "forgejo.service" ]; };
  ```

  This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
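The anchor and creation-rule steps above point at "existing creation rules as a reference" without showing one. As an added illustration that is not code from the CCCHH repository, here is a constructed `.sops.yaml` fragment in that shape, plus a small Ruby audit (standard-library YAML parser only) that flags any rule for a `config/hosts/<hostname>/` directory which lacks that host's own `host_age_<hostname>` key, has no admin key at all, or includes another host's key. Anchor names, host names and the age public keys are placeholders, and the script assumes the `key_groups` form of sops creation rules; the second rule in the sample deliberately reuses the git host's anchor so the audit has something to report.

```ruby
require 'yaml'

# Constructed sample .sops.yaml following the README's conventions (admin keys plus
# one host_age_<hostname> anchor per host). Not the repository's real file; the age
# public keys are placeholders, not real recipients.
SAMPLE_SOPS_YAML = <<~'YAML'
  keys:
    - &admin_alice age1placeholderadminaliceplaceholderadminaliceplaceholderadm
    - &host_age_git age1placeholderhostgitplaceholderhostgitplaceholderhostgitpl
    - &host_age_matrix age1placeholderhostmatrixplaceholderhostmatrixplaceholder
  creation_rules:
    # Correct: the git host's secrets are readable by the admins and by git itself.
    - path_regex: config/hosts/git/.*\.yaml$
      key_groups:
        - age:
            - *admin_alice
            - *host_age_git
    # Mistake: copied from the git rule without swapping the host anchor, so the
    # git host could decrypt matrix's secrets while matrix itself cannot.
    - path_regex: config/hosts/matrix/.*\.yaml$
      key_groups:
        - age:
            - *admin_alice
            - *host_age_git
YAML

# The parsed document only keeps resolved values, so recover the anchor name each
# age key was declared under from the text itself. Returns { age_key => anchor }.
def anchor_names(yaml_text)
  yaml_text.scan(/&(\S+)\s+(age1\S+)/).to_h { |anchor, key| [key, anchor] }
end

# Audit every creation rule scoped to a host directory (config/hosts/<host>/):
# the host must hold its own key, at least one admin must be able to edit the
# file, and no other host's key may be a recipient (least privilege).
def audit_sops_config(yaml_text)
  doc = YAML.safe_load(yaml_text, aliases: true)
  anchor_of = anchor_names(yaml_text)
  findings = []
  Array(doc['creation_rules']).each do |rule|
    host = rule['path_regex'].to_s[%r{config/hosts/([^/]+)/}, 1]
    next unless host
    # Assumes the key_groups form of sops creation rules; other forms are ignored.
    recipients = Array(rule['key_groups']).flat_map { |group| Array(group['age']) }
    anchors = recipients.map { |key| anchor_of.fetch(key, key) }
    host_keys, admin_keys = anchors.partition { |a| a.start_with?('host_age_') }
    own = "host_age_#{host}"
    findings << "#{host}: missing own host key #{own}" unless host_keys.include?(own)
    findings << "#{host}: no admin key, nobody can edit these secrets" if admin_keys.empty?
    (host_keys - [own]).each do |other|
      findings << "#{host}: foreign host key #{other} can decrypt these secrets"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  findings = audit_sops_config(SAMPLE_SOPS_YAML)
  puts(findings.empty? ? 'ok' : findings)
end
```

Run against a real `.sops.yaml` the audit is a cheap pre-commit check: a host key that leaks into another host's rule is exactly the kind of copy-paste error that sops will happily encrypt for, and nothing at deploy time would complain.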