Repository containing our nix infrastructure configuration. It's mainly based around Colmena.
Find a file
June ec64eebfd6
common: use pkgs.fetchgit and git commit hash for authorized keys repo
Do this to be in line with other places, where resources get fetched
using git and to hopefully avoid errors such as:
Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit.
This issue was discovered while trying to make the new hydra work.
2024-10-29 23:17:31 +01:00
config common: use pkgs.fetchgit and git commit hash for authorized keys repo 2024-10-29 23:17:31 +01:00
modules/services/audio Make MPD be put into pause mode instead of start. playback after startup 2024-05-23 22:25:32 +02:00
.editorconfig Add .editorconfig for ensuring some consistency 2024-07-30 01:35:13 +02:00
.gitignore Initial commit. Add configuration for NixOS Proxmox image 2023-09-11 23:20:34 +02:00
.sops.yaml penpot: configure penpot host using oci-containers 2024-08-10 22:38:05 +02:00
deployment_configuration.json penpot: configure penpot host using oci-containers 2024-08-10 22:38:05 +02:00
flake.lock flake.lock: Update 2024-09-23 22:09:01 +02:00
flake.nix add hydraJobs for packages and nixosConfigurations 2024-10-29 21:30:16 +01:00
README.md Mark nix code blocks as containing nix code for syntax highlighting 2024-06-09 21:24:42 +02:00

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

  1. Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running:
    cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
    
  2. Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
  3. Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
    You can use existing creation rules as a reference.
  4. Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this:
    sops config/hosts/hostname/secrets.yaml
    
    Note: Nested keys don't seem to be compatible with sops-nix.
  5. Add the following entry to the modules of the hosts nixosConfiguration:
    sops-nix.nixosModules.sops
    
  6. Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml:
    { ... }:
    
    {
      sops = {
        defaultSopsFile = ./secrets.yaml;
      };
    }
    
  7. Make sure the sops.nix gets imported. For example in the default.nix.
  8. To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following:
    sops.secrets."forgejo_git_smtp_password" = {
      mode = "0440";
      owner = "forgejo";
      group = "forgejo";
      restartUnits = [ "forgejo.service" ];
    };
    
    This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.