2023-11-17 11:58:33 +00:00
|
|
|
# nixos-configuration
|
|
|
|
|
|
|
|
The collection of publically visible nixos-configuration files used for my
|
2023-12-07 20:12:58 +00:00
|
|
|
NixOS fleet.
|
2023-12-07 18:29:20 +00:00
|
|
|
|
2023-12-07 20:12:58 +00:00
|
|
|
## Desktop
|
2023-12-07 18:29:20 +00:00
|
|
|
|
2023-12-07 20:12:58 +00:00
|
|
|
My personal desktop configuration is reflected in the top-level `desktop`
|
|
|
|
directory. The only file not tracked is `hardware-configuration.nix` since this
|
|
|
|
is auto-generated when installing NixOS.
|
|
|
|
|
|
|
|
The system-wide configuration is found in `configuration.nix`. User-specific
|
|
|
|
configurations are grouped within a directory specific to each user. As of now,
|
|
|
|
this is just `jrpotter`. The `flake.nix` file links the system and user
|
|
|
|
configurations together.
|
|
|
|
|
2023-12-08 16:39:14 +00:00
|
|
|
## Secrets
|
|
|
|
|
|
|
|
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing
|
|
|
|
keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing
|
|
|
|
ed25519 SSH key. If you do not have an ed25519 key already, generate one via:
|
|
|
|
```bash
|
|
|
|
$ ssh-keygen -t ed25519 -C "<email>"
|
|
|
|
```
|
|
|
|
You can generate an `age` secret key from this SSH key like so:
|
|
|
|
```bash
|
|
|
|
$ mkdir -p ~/.config/sops/age
|
|
|
|
$ nix-shell -p ssh-to-age --run \
|
|
|
|
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
|
|
|
|
```
|
|
|
|
And find the corresponding public key (to be included in `.sops.yaml`) like so:
|
|
|
|
```bash
|
|
|
|
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
|
|
|
|
```
|
|
|
|
and include in the root `.sop.yaml` file to be used when creating new secret
|
|
|
|
files.
|
|
|
|
|
2023-12-07 20:12:58 +00:00
|
|
|
## Remotes
|
|
|
|
|
2023-12-07 21:40:44 +00:00
|
|
|
Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
|
|
|
|
The custom image used by each droplet can be built using the top-level
|
|
|
|
`digital-ocean` flake. This image disables a root password in favor of SSH.
|
|
|
|
A droplet running this image will automatically pull in any enabled SSH keys
|
|
|
|
from your DigitalOcean account at creation time.
|
|
|
|
|
2023-12-08 16:39:14 +00:00
|
|
|
Each machine must be registered using
|
|
|
|
|
2023-12-07 21:40:44 +00:00
|
|
|
Deployment is managed using [colmena](https://github.com/zhaofengli/colmena).
|
|
|
|
To deploy, run the following:
|
|
|
|
```bash
|
2023-12-08 15:52:59 +00:00
|
|
|
$ cd infra
|
|
|
|
$ nix flake update # If any machine changes were made.
|
2023-12-07 21:40:44 +00:00
|
|
|
$ colmena apply
|
|
|
|
```
|
2023-12-08 16:39:14 +00:00
|
|
|
Note that `colmena` requires non-interactivity. If you haven't done so already,
|
|
|
|
you'll likely need to add the private Ed25519 SSH key corresponding to the
|
|
|
|
public one uploaded to DigitalOcean to your SSH agent. Do so by running:
|
2023-12-07 21:40:44 +00:00
|
|
|
```bash
|
|
|
|
$ eval $(ssh-agent -s)
|
2023-12-08 16:39:14 +00:00
|
|
|
$ ssh-add ~/.ssh/id_ed25519
|
2023-12-07 21:40:44 +00:00
|
|
|
```
|