r
/
nixos-configuration
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
My NixOS configuration files
215 Commits
1 Branch
0 Tags
459 KiB
Nix 56.8%
Lua 24.9%
Shell 18.3%
 
 
 
Go to file
Joshua Potter 975c01e546 bump: `notebook` to `a0c7a4e` 2024-08-24 19:08:38 -06:00
digital-ocean Point to correct configuration file. 2023-12-12 08:18:35 -07:00
hive mullvad and vscode. 2024-06-15 12:27:09 -06:00
services bump: `notebook` to `a0c7a4e` 2024-08-24 19:08:38 -06:00
users/jrpotter mullvad and vscode. 2024-06-15 12:27:09 -06:00
.envrc Add devShell and mullvad. 2023-12-12 09:07:30 -07:00
.gitignore Add devShell and mullvad. 2023-12-12 09:07:30 -07:00
.sops.yaml Migrate portfolio to Phoenix server. 2024-05-18 12:05:38 -06:00
README.md Add plausible service. 2024-01-10 11:37:08 -07:00
flake.lock framework: Upgrade to 23.11. 2023-12-23 14:17:45 -07:00
flake.nix Disable phobos deployment. 2024-04-12 12:28:36 -06:00

README.md

nixos-configuration

The collection of publically visible nixos-configuration files used for all of my NixOS machines. Deployment (both local and remote) is managed using colmena. All machines can be found in the flake.nix file.

Users

home-manager configurations are found in the top-level users directory. As of now, there exists settings for a single user called jrpotter.

Local Machines

My personal laptop configuration is stored in the hive/framework directory. To invoke the equivalent of a local nixos-rebuild switch using colmena, run:

$ colmena apply-local [--sudo]

Remote Machines

Remote machines are hosted on DigitalOcean. The custom images used by each droplet is built by running:

$ nix build .#digital-ocean.[stoat|tapir]

The above command produces an image with root password disabled in favor of SSH. A droplet running this image will automatically pull in any enabled SSH keys from your DigitalOcean account at creation time.

Deployment

Like our local configurations, remote updates are managed by colmena. colmena requires non-interactively connecting over the ssh-ng protocol meaning you must add the appropriate private SSH key to an ssh-agent before deploying:

$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519

Afterward you can run the following:

$ colmena apply [--on <hostname>]

Secrets

Secrets are managed via sops-nix. The top-level .sops.yaml configures the age keys used to encrypt all secrets. Once configured, you can create/edit a new secrets file using sops like so:

$ nix-shell -p sops --run "sops <filename>"

Keep in mind that sops-nix supports YAML, JSON, INI, dotenv and binary at the moment. What format is used is determined by <filename>'s extension.

Admins

To generate a new user-controlled key, you will need an ed25519 SSH key. Generate one (if you do not already have one) by running:

$ ssh-keygen -t ed25519 -C "<email>"

You can then generate an age secret:

$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
    "ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"

and find its corresponding public key:

$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"

This public key can then be written into the .sops.yaml file.

Servers

Each machine that needs to decrypt secret files will also need to be registered. To do so, run:

$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'

This will look for any SSH host ed25519 public keys and automatically run through ssh-to-age. Include a new top-level keys entry in .sops.yaml so that newly created secrets file automatically apply the age keys. For existing secret files, rotate and add the new age key to them:

$ sops --in-place --rotate --add-age <value> <secrets-file>