2023-11-17 11:58:33 +00:00
|
|
|
# nixos-configuration
|
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
The collection of publically visible nixos-configuration files used for all of
|
|
|
|
my NixOS machines. Deployment (both local and remote) is managed using
|
|
|
|
[colmena](https://github.com/zhaofengli/colmena). All machines can be found in
|
2023-12-10 17:23:26 +00:00
|
|
|
the `hive/flake.nix` file.
|
2023-12-07 18:29:20 +00:00
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
## Local Machines
|
2023-12-07 18:29:20 +00:00
|
|
|
|
2023-12-10 17:23:26 +00:00
|
|
|
My personal laptop configuration is reflected in the `hive/framework` directory
|
|
|
|
(named after the [framework](https://frame.work/) laptop I use). This flake
|
|
|
|
defines a [home-manager](https://nix-community.github.io/home-manager/)
|
2023-12-08 20:33:53 +00:00
|
|
|
configuration for a single user called `jrpotter`. We can apply a
|
|
|
|
`nixos-rebuild switch` by running:
|
|
|
|
```bash
|
2023-12-10 17:23:26 +00:00
|
|
|
$ cd hive
|
2023-12-08 20:33:53 +00:00
|
|
|
$ nix flake update # If any changes were made to local machines.
|
|
|
|
$ colmena apply-local [--sudo]
|
|
|
|
```
|
2023-12-07 20:12:58 +00:00
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
## Remote Machines
|
2023-12-07 20:12:58 +00:00
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
|
|
|
|
The custom image used by each droplet can be built using the top-level
|
2023-12-10 17:23:26 +00:00
|
|
|
`digital-ocean/23.11pre-git` flake. This image disables a root password
|
2023-12-10 13:06:03 +00:00
|
|
|
in favor of SSH. A droplet running this image will automatically pull in any
|
|
|
|
enabled SSH keys from your DigitalOcean account at creation time (so make sure
|
|
|
|
to include them when creating a new droplet).
|
2023-12-08 16:39:14 +00:00
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
### Secrets
|
|
|
|
|
|
|
|
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix). The
|
|
|
|
top-level `.sops.yaml` configures the `age` keys used to encrypt all secrets.
|
2023-12-08 21:11:32 +00:00
|
|
|
Once configured, you can create/edit a new secrets file using `sops` like so:
|
|
|
|
```bash
|
|
|
|
$ nix-shell -p sops --run "sops <filename>"
|
|
|
|
```
|
|
|
|
Keep in mind that `sops-nix` supports YAML, JSON, INI, dotenv and binary at the
|
|
|
|
moment. What format is used is determined by `<filename>`'s extension.
|
2023-12-08 20:33:53 +00:00
|
|
|
|
|
|
|
#### Admins
|
|
|
|
|
|
|
|
To generate a new user-controlled key, you will need an ed25519 SSH key.
|
|
|
|
Generate one (if you do not already have one) by running:
|
2023-12-08 16:39:14 +00:00
|
|
|
```bash
|
|
|
|
$ ssh-keygen -t ed25519 -C "<email>"
|
|
|
|
```
|
2023-12-08 20:33:53 +00:00
|
|
|
You can then generate an `age` secret:
|
2023-12-08 16:39:14 +00:00
|
|
|
```bash
|
|
|
|
$ mkdir -p ~/.config/sops/age
|
|
|
|
$ nix-shell -p ssh-to-age --run \
|
|
|
|
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
|
|
|
|
```
|
2023-12-08 20:33:53 +00:00
|
|
|
and find its corresponding public key:
|
2023-12-08 16:39:14 +00:00
|
|
|
```bash
|
|
|
|
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
|
|
|
|
```
|
2023-12-08 20:33:53 +00:00
|
|
|
This public key can then be written into the `.sops.yaml` file.
|
2023-12-08 16:39:14 +00:00
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
#### Servers
|
2023-12-07 20:12:58 +00:00
|
|
|
|
2023-12-08 20:33:53 +00:00
|
|
|
Each machine that needs to decrypt secret files will also need to be registered.
|
|
|
|
To do so, run:
|
2023-12-07 21:40:44 +00:00
|
|
|
```bash
|
2023-12-08 20:33:53 +00:00
|
|
|
$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
|
2023-12-07 21:40:44 +00:00
|
|
|
```
|
2023-12-08 20:33:53 +00:00
|
|
|
This will look for any SSH host ed25519 public keys and automatically run
|
|
|
|
through `ssh-to-age`. Include an appropriately top-level `keys` entry in
|
|
|
|
`.sops.yaml` before generating the secrets needed by the machine. Refer to
|
|
|
|
`phobos` for an example.
|
|
|
|
|
|
|
|
### Deployment
|
|
|
|
|
|
|
|
Like our local configurations, remote updates are managed by `colmena`.
|
|
|
|
`colmena` requires non-interactively connecting over the `ssh-ng` protocol
|
|
|
|
meaning you must add the appropriate private SSH key to an `ssh-agent` before
|
|
|
|
deploying:
|
2023-12-07 21:40:44 +00:00
|
|
|
```bash
|
|
|
|
$ eval $(ssh-agent -s)
|
2023-12-08 16:39:14 +00:00
|
|
|
$ ssh-add ~/.ssh/id_ed25519
|
2023-12-07 21:40:44 +00:00
|
|
|
```
|
2023-12-08 20:33:53 +00:00
|
|
|
Afterward you can run the following:
|
|
|
|
```bash
|
2023-12-10 17:23:26 +00:00
|
|
|
$ cd hive
|
2023-12-08 20:33:53 +00:00
|
|
|
$ nix flake update # If any changes were made to remote machines.
|
|
|
|
$ colmena apply
|
|
|
|
```
|