Skip to content

Latest commit

 

History

History
65 lines (47 loc) · 2.93 KB

README.md

File metadata and controls

65 lines (47 loc) · 2.93 KB

chaos-jetzt nixfiles

NixOS configuration for the chaos.jetzt project. They are very much work in progress

(Migration) TODOs

Development setup

These nixfiles are built using nix flakes. See here for nix installation instructions and the nixos.wiki page on flakes. colmena is used for deployment, secret management is done using the sops based sops-nix. The later two (colmena and sops) are available via a devShell, defined in the flake, which can be invoked using nix develop. nix-direnv can also be used in order to automatically create the respective shell upon entering these nixfiles.

Deployment

colmena is used for deployment:

# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b

# Deploy all dev hosts in test mode (activate config but do not add it to the bootloader menu)
colmena apply --on @dev test

# Deploy specific host (actiavte config and use it at the next boot (switch goal))
colmena apply --on host-a

# A VM of the host can be built using plain nix build
nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootLoader

Note on VMs: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail.

Secrets

Secrets are managed using sops-nix which is based on sops. All secrets are stored in the secrets/ folder. The .sops.yaml configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys.

A servers private key can be derived from it's ssh key using ssh-to-age, generated during initial installation:

# Only ed25519 keys can be converted using ssh-to-age
ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
# Or from the host (using legacy nix-shell)
cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age

When users or servers get added or removed, the secret files need to be updated using sops updatekeys. Since this can not be called on all files, find secrets -type f -exec sops updatekeys {} \; may be used for convenience.