bendodroid/nix-infra
0
0
Fork 0
forked from CCCHH/nix-infra
Code Pull requests Activity
Repository containing our nix infrastructure configuration. It's mainly based around Colmena.
196 commits 1 branch 0 tags 348 KiB
Find a file
c6ristian fa9c8e7ac1
 flake.lock: Update 
Flake lock file updates:

• Updated input 'authorizedKeysRepo':
    'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
  → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e' (2024-12-05)
  → 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e' (2024-12-01)
  → 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15)
• Updated input 'nixos-generators/nixpkgs':
    'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a' (2024-12-02)
  → 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0' (2024-12-08)
  → 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856' (2024-12-02)
  → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)
2024-12-16 22:50:00 +01:00
config update nixpkgs to 24.11 (small) 2024-12-08 22:21:15 +01:00
modules/services/audio shairport-sync: use airplay2 variant instead of custome overlay 2024-12-09 21:21:17 +01:00
.editorconfig Add .editorconfig for ensuring some consistency 2024-07-30 01:35:13 +02:00
.gitignore Initial commit. Add configuration for NixOS Proxmox image 2023-09-11 23:20:34 +02:00
.sops.yaml penpot: configure penpot host using oci-containers 2024-08-10 22:38:05 +02:00
deployment_configuration.json hydra: configure hydra host 2024-10-30 01:44:12 +01:00
flake.lock flake.lock: Update 2024-12-16 22:50:00 +01:00
flake.nix shairport-sync: use airplay2 variant instead of custome overlay 2024-12-09 21:21:17 +01:00
LICENSE license this repo under the MIT license 2024-11-14 22:56:50 +01:00
README.md license this repo under the MIT license 2024-11-14 22:56:50 +01:00

README.md

nix-infra

nix infrastructure configuration for CCCHH.

For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:

nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild

After that you can simply run the following to deploy e.g. the git and matrix hosts:

infra-rebuild switch git matrix

By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. However to override individual parts of the deployment target, a deployment_configuration.json can be used. This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.

Setting up secrets with sops-nix for a host

  1. Convert the hosts SSH host public key to an age public key. This can be done by connecting to the host and running: 
    cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
  2. Add the resulting age public key to the .sops.yaml as a YAML anchor in keys. It should be named something like: host_age_hostname
  3. Add a new creation rule for the hosts config directory. It should probably have all admin keys and the hosts age key.
    You can use existing creation rules as a reference.
  4. Create a file containing the relevant secrets in the hosts config directory. This can be accomplished with a command similar to this: 
    sops config/hosts/hostname/secrets.yaml
    Note: Nested keys don't seem to be compatible with sops-nix.
  5. Add the following entry to the modules of the hosts nixosConfiguration: 
    sops-nix.nixosModules.sops
  6. Create a sops.nix in the hosts config directory containing the following content to include the secrets.yaml: 
    { ... }:

{
  sops = {
    defaultSopsFile = ./secrets.yaml;
  };
}
  7. Make sure the sops.nix gets imported. For example in the default.nix.
  8. To use a secret stored under e.g. forgejo_git_smtp_password, you can then do something like the following: 
    sops.secrets."forgejo_git_smtp_password" = {
  mode = "0440";
  owner = "forgejo";
  group = "forgejo";
  restartUnits = [ "forgejo.service" ];
};
    This secret would then be available under /run/secrets/forgejo_git_smtp_password on the host.

Build NixOS Proxmox VE Template

Build a new NixOS Proxmox VE Template for the thinkcccore's:

nix build .#proxmox-nixos-template

Build a new NixOS Proxmox VE Template for the chaosknoten:

nix build .#proxmox-chaosknoten-nixos-template

License

This CCCHH nix-infra repository is licensed under the MIT License.