diff --git a/README.md b/README.md index e92cfb9..a681c57 100644 --- a/README.md +++ b/README.md 
@@ -1,61 +1,79 @@ # nixos-configuration -The collection of publically visible nixos-configuration files used for my -NixOS fleet. +The collection of publically visible nixos-configuration files used for all of +my NixOS machines. Deployment (both local and remote) is managed using +[colmena](https://github.com/zhaofengli/colmena). All machines can be found in +the top-level `flake.nix` file. -## Desktop +## Local Machines -My personal desktop configuration is reflected in the top-level `desktop` -directory. The only file not tracked is `hardware-configuration.nix` since this -is auto-generated when installing NixOS. - -The system-wide configuration is found in `configuration.nix`. User-specific -configurations are grouped within a directory specific to each user. As of now, -this is just `jrpotter`. The `flake.nix` file links the system and user -configurations together. - -## Secrets - -Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing -keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing -ed25519 SSH key. If you do not have an ed25519 key already, generate one via: +My personal laptop configuration is reflected in the top-level `framework` +directory (named after the [framework](https://frame.work/) laptop I use). This +flake defines a [home-manager](https://nix-community.github.io/home-manager/) +configuration for a single user called `jrpotter`. We can apply a +`nixos-rebuild switch` by running: ```bash -$ ssh-keygen -t ed25519 -C "" +$ nix flake update # If any changes were made to local machines. 
+$ colmena apply-local [--sudo] ``` -You can generate an `age` secret key from this SSH key like so: -```bash -$ mkdir -p ~/.config/sops/age -$ nix-shell -p ssh-to-age --run \ - "ssh-to-age -private-key -i > ~/.config/sops/age/keys.txt" -``` -And find the corresponding public key (to be included in `.sops.yaml`) like so: -```bash -$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub" -``` -and include in the root `.sop.yaml` file to be used when creating new secret -files. -## Remotes +## Remote Machines Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/). The custom image used by each droplet can be built using the top-level `digital-ocean` flake. This image disables a root password in favor of SSH. A droplet running this image will automatically pull in any enabled SSH keys -from your DigitalOcean account at creation time. +from your DigitalOcean account at creation time (so make sure to include them +when creating a new droplet). -Each machine must be registered using +### Secrets -Deployment is managed using [colmena](https://github.com/zhaofengli/colmena). -To deploy, run the following: +Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix). The +top-level `.sops.yaml` configures the `age` keys used to encrypt all secrets. + +#### Admins + +To generate a new user-controlled key, you will need an ed25519 SSH key. +Generate one (if you do not already have one) by running: ```bash -$ cd infra -$ nix flake update # If any machine changes were made. -$ colmena apply +$ ssh-keygen -t ed25519 -C "" ``` -Note that `colmena` requires non-interactivity. If you haven't done so already, -you'll likely need to add the private Ed25519 SSH key corresponding to the -public one uploaded to DigitalOcean to your SSH agent. 
Do so by running: +You can then generate an `age` secret: +```bash +$ mkdir -p ~/.config/sops/age +$ nix-shell -p ssh-to-age --run \ + "ssh-to-age -private-key -i > ~/.config/sops/age/keys.txt" +``` +and find its corresponding public key: +```bash +$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub" +``` +This public key can then be written into the `.sops.yaml` file. + +#### Servers + +Each machine that needs to decrypt secret files will also need to be registered. +To do so, run: +```bash +$ nix-shell -p ssh-to-age --run 'ssh-keyscan | ssh-to-age' +``` +This will look for any SSH host ed25519 public keys and automatically run +through `ssh-to-age`. Include an appropriately top-level `keys` entry in +`.sops.yaml` before generating the secrets needed by the machine. Refer to +`phobos` for an example. + +### Deployment + +Like our local configurations, remote updates are managed by `colmena`. +`colmena` requires non-interactively connecting over the `ssh-ng` protocol +meaning you must add the appropriate private SSH key to an `ssh-agent` before +deploying: ```bash $ eval $(ssh-agent -s) $ ssh-add ~/.ssh/id_ed25519 ``` +Afterward you can run the following: +```bash +$ nix flake update # If any changes were made to remote machines. +$ colmena apply +```
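Review bot: Several of the added command lines are missing their arguments, so they will not run as written: `$ ssh-keygen -t ed25519 -C ""` has an empty comment, `"ssh-to-age -private-key -i > ~/.config/sops/age/keys.txt"` has `-i` with no key path before the redirect, and `'ssh-keyscan | ssh-to-age'` has no host after `ssh-keyscan`. If these were angle-bracket placeholders that the renderer swallowed, spell them out as plain words (e.g. `-i ~/.ssh/id_ed25519`, which the Deployment section already uses, and `ssh-keyscan HOSTNAME`) so they survive in the README. In the Servers section, also consider stating that the key returned by `ssh-keyscan` should be compared against the droplet's known host key fingerprint before it is added to `.sops.yaml`, since any secret encrypted to an unverified scanned key is readable by whoever answered the scan. Minor: "Include an appropriately top-level `keys` entry" should read "an appropriate top-level `keys` entry", and "publically" (kept from the old text) is "publicly".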