Repository containing our nix infrastructure configuration. It's mainly based around Colmena.
Find a file
June 67ab856b82
flake.lock: Update
Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    '686a6af22f.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
  → '686a6af22f.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101?narHash=sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8%2BErehqI%3D' (2024-11-14)
  → 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e?narHash=sha256-bNXO%2BOGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8%3D' (2024-12-05)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a?narHash=sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg%3D' (2024-11-10)
  → 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e?narHash=sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8%3D' (2024-12-01)
• Updated input 'nixos-generators/nixpkgs':
    'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f?narHash=sha256-vmLS8%2Bx%2BgHRv1yzj3n%2BGTAEObwmhxmkkukB2DwtJRdU%3D' (2024-11-10)
  → 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a?narHash=sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw%3D' (2024-12-02)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17)
  → 'github:nixos/nixpkgs/65d98ad2a50103eee5f72335bf69b7bae9d92612?narHash=sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII%3D' (2024-12-08)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978?narHash=sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM%3D' (2024-11-17)
  → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02)
2024-12-08 18:57:36 +01:00
config Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker 2024-11-17 22:43:51 +01:00
modules/services/audio Remove version lock for shairport-sync 2024-11-04 23:35:22 +01:00
.editorconfig Add .editorconfig for ensuring some consistency 2024-07-30 01:35:13 +02:00
.gitignore Initial commit. Add configuration for NixOS Proxmox image 2023-09-11 23:20:34 +02:00
.sops.yaml penpot: configure penpot host using oci-containers 2024-08-10 22:38:05 +02:00
deployment_configuration.json hydra: configure hydra host 2024-10-30 01:44:12 +01:00
flake.lock flake.lock: Update 2024-12-08 18:57:36 +01:00
flake.nix fix: use tar file 2024-11-17 21:15:05 +01:00
LICENSE license this repo under the MIT license 2024-11-14 22:56:50 +01:00
README.md license this repo under the MIT license 2024-11-14 22:56:50 +01:00

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

  1. Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running:
    cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
    
  2. Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
  3. Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
    You can use existing creation rules as a reference.
  4. Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this:
    sops config/hosts/hostname/secrets.yaml
    
    Note: Nested keys don't seem to be compatible with sops-nix.
  5. Add the following entry to the modules of the hosts nixosConfiguration:
    sops-nix.nixosModules.sops
    
  6. Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml:
    { ... }:
    
    {
      sops = {
        defaultSopsFile = ./secrets.yaml;
      };
    }
    
  7. Make sure the sops.nix gets imported. For example in the default.nix.
  8. To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following:
    sops.secrets."forgejo_git_smtp_password" = {
      mode = "0440";
      owner = "forgejo";
      group = "forgejo";
      restartUnits = [ "forgejo.service" ];
    };
    
    This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.

Build NixOS Proxmox VE Template

Build a new NixOS Proxmox VE Template for the thinkcccore's:

nix build .#proxmox-nixos-template

Build a new NixOS Proxmox VE Template for the chaosknoten:

nix build .#proxmox-chaosknoten-nixos-template

License

This CCCHH nix-infra repository is licensed under the MIT License.