Update README to new structure.
parent
ea9d99b2a9
commit
fb8f0f6ef6
100
README.md
@ -1,61 +1,79 @@
# nixos-configuration

The collection of publically visible nixos-configuration files used for my
NixOS fleet.
The collection of publically visible nixos-configuration files used for all of
my NixOS machines. Deployment (both local and remote) is managed using
[colmena](https://github.com/zhaofengli/colmena). All machines can be found in
the top-level `flake.nix` file.

## Desktop
## Local Machines

My personal desktop configuration is reflected in the top-level `desktop`
directory. The only file not tracked is `hardware-configuration.nix` since this
is auto-generated when installing NixOS.

The system-wide configuration is found in `configuration.nix`. User-specific
configurations are grouped within a directory specific to each user. As of now,
this is just `jrpotter`. The `flake.nix` file links the system and user
configurations together.

## Secrets

Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing
keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing
ed25519 SSH key. If you do not have an ed25519 key already, generate one via:
My personal laptop configuration is reflected in the top-level `framework`
directory (named after the [framework](https://frame.work/) laptop I use). This
flake defines a [home-manager](https://nix-community.github.io/home-manager/)
configuration for a single user called `jrpotter`. We can apply a
`nixos-rebuild switch` by running:
```bash
$ ssh-keygen -t ed25519 -C "<email>"
$ nix flake update # If any changes were made to local machines.
$ colmena apply-local [--sudo]
```
You can generate an `age` secret key from this SSH key like so:
```bash
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
```
And find the corresponding public key (to be included in `.sops.yaml`) like so:
```bash
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
```
and include in the root `.sop.yaml` file to be used when creating new secret
files.

## Remotes
## Remote Machines

Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
The custom image used by each droplet can be built using the top-level
`digital-ocean` flake. This image disables a root password in favor of SSH.
A droplet running this image will automatically pull in any enabled SSH keys
from your DigitalOcean account at creation time.
from your DigitalOcean account at creation time (so make sure to include them
when creating a new droplet).

Each machine must be registered using
### Secrets

Deployment is managed using [colmena](https://github.com/zhaofengli/colmena).
To deploy, run the following:
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix). The
top-level `.sops.yaml` configures the `age` keys used to encrypt all secrets.

#### Admins

To generate a new user-controlled key, you will need an ed25519 SSH key.
Generate one (if you do not already have one) by running:
```bash
$ cd infra
$ nix flake update # If any machine changes were made.
$ colmena apply
$ ssh-keygen -t ed25519 -C "<email>"
```
Note that `colmena` requires non-interactivity. If you haven't done so already,
you'll likely need to add the private Ed25519 SSH key corresponding to the
public one uploaded to DigitalOcean to your SSH agent. Do so by running:
You can then generate an `age` secret:
```bash
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
```
and find its corresponding public key:
```bash
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
```
This public key can then be written into the `.sops.yaml` file.

#### Servers

Each machine that needs to decrypt secret files will also need to be registered.
To do so, run:
```bash
$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
```
This will look for any SSH host ed25519 public keys and automatically run
through `ssh-to-age`. Include an appropriately top-level `keys` entry in
`.sops.yaml` before generating the secrets needed by the machine. Refer to
`phobos` for an example.

### Deployment

Like our local configurations, remote updates are managed by `colmena`.
`colmena` requires non-interactively connecting over the `ssh-ng` protocol
meaning you must add the appropriate private SSH key to an `ssh-agent` before
deploying:
```bash
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519
```
Afterward you can run the following:
```bash
$ nix flake update # If any changes were made to remote machines.
$ colmena apply
```

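Review bot: in the new `#### Servers` block, `ssh-keyscan <host> | ssh-to-age` takes the host key straight off the network with no verification, so whatever key comes back on that first contact (including one injected by anything sitting between you and the droplet) becomes a recipient in `.sops.yaml` and can decrypt every secret encrypted under that entry from then on. The README should tell the reader to compare the fingerprint against one obtained out of band (the DigitalOcean console, or `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the droplet over an already-trusted session) before committing it, and since `ssh-to-age` only consumes ed25519 keys the scan should be pinned to that type: `ssh-keyscan -t ed25519 <host> | ssh-to-age`. Two smaller points in the same hunk: the `#### Admins` snippet writes the age private key with `"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"` under the user's default umask, which with the usual 022 leaves the decryption key readable by every local account, so a `umask 077` before the redirect (or `chmod 600 ~/.config/sops/age/keys.txt` after it) belongs in that block; and both deployment snippets pair `nix flake update` with `# If any changes were made to local machines.` / `# If any changes were made to remote machines.`, but that command bumps every input in `flake.lock` (nixpkgs, sops-nix and colmena included), so a routine deploy silently pulls in unreviewed upstream changes; if only this repository's own inputs need refreshing, `nix flake lock --update-input <input>` (or `nix flake update <input>` on newer Nix) does that without touching the rest. Minor wording in the added text: "publically" should be "publicly", and "an appropriately top-level `keys` entry" reads as "an appropriate top-level `keys` entry".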