Update README to new structure.
parent
ea9d99b2a9
commit
fb8f0f6ef6
100
README.md
100
README.md
|
@ -1,61 +1,79 @@
|
||||||
# nixos-configuration
|
# nixos-configuration
|
||||||
|
|
||||||
The collection of publically visible nixos-configuration files used for my
|
The collection of publically visible nixos-configuration files used for all of
|
||||||
NixOS fleet.
|
my NixOS machines. Deployment (both local and remote) is managed using
|
||||||
|
[colmena](https://github.com/zhaofengli/colmena). All machines can be found in
|
||||||
|
the top-level `flake.nix` file.
|
||||||
|
|
||||||
## Desktop
|
## Local Machines
|
||||||
|
|
||||||
My personal desktop configuration is reflected in the top-level `desktop`
|
My personal laptop configuration is reflected in the top-level `framework`
|
||||||
directory. The only file not tracked is `hardware-configuration.nix` since this
|
directory (named after the [framework](https://frame.work/) laptop I use). This
|
||||||
is auto-generated when installing NixOS.
|
flake defines a [home-manager](https://nix-community.github.io/home-manager/)
|
||||||
|
configuration for a single user called `jrpotter`. We can apply a
|
||||||
The system-wide configuration is found in `configuration.nix`. User-specific
|
`nixos-rebuild switch` by running:
|
||||||
configurations are grouped within a directory specific to each user. As of now,
|
|
||||||
this is just `jrpotter`. The `flake.nix` file links the system and user
|
|
||||||
configurations together.
|
|
||||||
|
|
||||||
## Secrets
|
|
||||||
|
|
||||||
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing
|
|
||||||
keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing
|
|
||||||
ed25519 SSH key. If you do not have an ed25519 key already, generate one via:
|
|
||||||
```bash
|
```bash
|
||||||
$ ssh-keygen -t ed25519 -C "<email>"
|
$ nix flake update # If any changes were made to local machines.
|
||||||
|
$ colmena apply-local [--sudo]
|
||||||
```
|
```
|
||||||
You can generate an `age` secret key from this SSH key like so:
|
|
||||||
```bash
|
|
||||||
$ mkdir -p ~/.config/sops/age
|
|
||||||
$ nix-shell -p ssh-to-age --run \
|
|
||||||
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
|
|
||||||
```
|
|
||||||
And find the corresponding public key (to be included in `.sops.yaml`) like so:
|
|
||||||
```bash
|
|
||||||
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
|
|
||||||
```
|
|
||||||
and include in the root `.sop.yaml` file to be used when creating new secret
|
|
||||||
files.
|
|
||||||
|
|
||||||
## Remotes
|
## Remote Machines
|
||||||
|
|
||||||
Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
|
Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
|
||||||
The custom image used by each droplet can be built using the top-level
|
The custom image used by each droplet can be built using the top-level
|
||||||
`digital-ocean` flake. This image disables a root password in favor of SSH.
|
`digital-ocean` flake. This image disables a root password in favor of SSH.
|
||||||
A droplet running this image will automatically pull in any enabled SSH keys
|
A droplet running this image will automatically pull in any enabled SSH keys
|
||||||
from your DigitalOcean account at creation time.
|
from your DigitalOcean account at creation time (so make sure to include them
|
||||||
|
when creating a new droplet).
|
||||||
|
|
||||||
Each machine must be registered using
|
### Secrets
|
||||||
|
|
||||||
Deployment is managed using [colmena](https://github.com/zhaofengli/colmena).
|
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix). The
|
||||||
To deploy, run the following:
|
top-level `.sops.yaml` configures the `age` keys used to encrypt all secrets.
|
||||||
|
|
||||||
|
#### Admins
|
||||||
|
|
||||||
|
To generate a new user-controlled key, you will need an ed25519 SSH key.
|
||||||
|
Generate one (if you do not already have one) by running:
|
||||||
```bash
|
```bash
|
||||||
$ cd infra
|
$ ssh-keygen -t ed25519 -C "<email>"
|
||||||
$ nix flake update # If any machine changes were made.
|
|
||||||
$ colmena apply
|
|
||||||
```
|
```
|
||||||
Note that `colmena` requires non-interactivity. If you haven't done so already,
|
You can then generate an `age` secret:
|
||||||
you'll likely need to add the private Ed25519 SSH key corresponding to the
|
```bash
|
||||||
public one uploaded to DigitalOcean to your SSH agent. Do so by running:
|
$ mkdir -p ~/.config/sops/age
|
||||||
|
$ nix-shell -p ssh-to-age --run \
|
||||||
|
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
|
||||||
|
```
|
||||||
|
and find its corresponding public key:
|
||||||
|
```bash
|
||||||
|
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
|
||||||
|
```
|
||||||
|
This public key can then be written into the `.sops.yaml` file.
|
||||||
|
|
||||||
|
#### Servers
|
||||||
|
|
||||||
|
Each machine that needs to decrypt secret files will also need to be registered.
|
||||||
|
To do so, run:
|
||||||
|
```bash
|
||||||
|
$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
|
||||||
|
```
|
||||||
|
This will look for any SSH host ed25519 public keys and automatically run
|
||||||
|
through `ssh-to-age`. Include an appropriately top-level `keys` entry in
|
||||||
|
`.sops.yaml` before generating the secrets needed by the machine. Refer to
|
||||||
|
`phobos` for an example.
|
||||||
|
|
||||||
|
### Deployment
|
||||||
|
|
||||||
|
Like our local configurations, remote updates are managed by `colmena`.
|
||||||
|
`colmena` requires non-interactively connecting over the `ssh-ng` protocol
|
||||||
|
meaning you must add the appropriate private SSH key to an `ssh-agent` before
|
||||||
|
deploying:
|
||||||
```bash
|
```bash
|
||||||
$ eval $(ssh-agent -s)
|
$ eval $(ssh-agent -s)
|
||||||
$ ssh-add ~/.ssh/id_ed25519
|
$ ssh-add ~/.ssh/id_ed25519
|
||||||
```
|
```
|
||||||
|
Afterward you can run the following:
|
||||||
|
```bash
|
||||||
|
$ nix flake update # If any changes were made to remote machines.
|
||||||
|
$ colmena apply
|
||||||
|
```
|
||||||
|
|
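Review bot: in the new `#### Servers` subsection, `ssh-keyscan <host> | ssh-to-age` converts whatever ed25519 host key the network hands back into an age recipient with no verification step, so an attacker in the path at registration time would end up with a key that can decrypt every secret later encrypted for that machine; the README should tell the reader to compare the scanned key with a fingerprint obtained out of band (for example from the droplet's console) before adding it to `.sops.yaml`, and `ssh-keyscan -t ed25519 <host>` would keep RSA and ECDSA host keys, which `ssh-to-age` cannot use, out of the pipeline. Two smaller points in the same hunk: the `#### Admins` command `ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt` writes an unencrypted age private key, so a `chmod 600 ~/.config/sops/age/keys.txt` right after it is worth documenting; and the intro line still reads `publically` (should be `publicly`) while the Servers text says `an appropriately top-level keys entry` where `appropriate` is meant.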