Update README to new structure.

main
Joshua Potter 2023-12-08 13:33:53 -07:00
parent ea9d99b2a9
commit fb8f0f6ef6
1 changed files with 59 additions and 41 deletions

README.md

@ -1,61 +1,79 @@
# nixos-configuration
The collection of publically visible nixos-configuration files used for my
NixOS fleet.
The collection of publically visible nixos-configuration files used for all of
my NixOS machines. Deployment (both local and remote) is managed using
[colmena](https://github.com/zhaofengli/colmena). All machines can be found in
the top-level `flake.nix` file.
## Desktop
## Local Machines
My personal desktop configuration is reflected in the top-level `desktop`
directory. The only file not tracked is `hardware-configuration.nix` since this
is auto-generated when installing NixOS.
The system-wide configuration is found in `configuration.nix`. User-specific
configurations are grouped within a directory specific to each user. As of now,
this is just `jrpotter`. The `flake.nix` file links the system and user
configurations together.
## Secrets
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix) containing
keys generated by [age](https://github.com/FiloSottile/age) from a pre-existing
ed25519 SSH key. If you do not have an ed25519 key already, generate one via:
My personal laptop configuration is reflected in the top-level `framework`
directory (named after the [framework](https://frame.work/) laptop I use). This
flake defines a [home-manager](https://nix-community.github.io/home-manager/)
configuration for a single user called `jrpotter`. We can apply a
`nixos-rebuild switch` by running:
```bash
$ ssh-keygen -t ed25519 -C "<email>"
$ nix flake update # If any changes were made to local machines.
$ colmena apply-local [--sudo]
```
You can generate an `age` secret key from this SSH key like so:
```bash
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
```
And find the corresponding public key (to be included in `.sops.yaml`) like so:
```bash
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
```
and include in the root `.sop.yaml` file to be used when creating new secret
files.
## Remotes
## Remote Machines
Remote machines are hosted on [DigitalOcean](https://www.digitalocean.com/).
The custom image used by each droplet can be built using the top-level
`digital-ocean` flake. This image disables a root password in favor of SSH.
A droplet running this image will automatically pull in any enabled SSH keys
from your DigitalOcean account at creation time.
from your DigitalOcean account at creation time (so make sure to include them
when creating a new droplet).
Each machine must be registered using
### Secrets
Deployment is managed using [colmena](https://github.com/zhaofengli/colmena).
To deploy, run the following:
Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix). The
top-level `.sops.yaml` configures the `age` keys used to encrypt all secrets.
#### Admins
To generate a new user-controlled key, you will need an ed25519 SSH key.
Generate one (if you do not already have one) by running:
```bash
$ cd infra
$ nix flake update # If any machine changes were made.
$ colmena apply
$ ssh-keygen -t ed25519 -C "<email>"
```
Note that `colmena` requires non-interactivity. If you haven't done so already,
you'll likely need to add the private Ed25519 SSH key corresponding to the
public one uploaded to DigitalOcean to your SSH agent. Do so by running:
You can then generate an `age` secret:
```bash
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
```
and find its corresponding public key:
```bash
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
```
This public key can then be written into the `.sops.yaml` file.
#### Servers
Each machine that needs to decrypt secret files will also need to be registered.
To do so, run:
```bash
$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
```
This will look for any SSH host ed25519 public keys and automatically run
through `ssh-to-age`. Include an appropriately top-level `keys` entry in
`.sops.yaml` before generating the secrets needed by the machine. Refer to
`phobos` for an example.
### Deployment
Like our local configurations, remote updates are managed by `colmena`.
`colmena` requires non-interactively connecting over the `ssh-ng` protocol
meaning you must add the appropriate private SSH key to an `ssh-agent` before
deploying:
```bash
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519
```
Afterward you can run the following:
```bash
$ nix flake update # If any changes were made to remote machines.
$ colmena apply
```
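Review bot: the `ssh-keyscan <host> | ssh-to-age` step under "#### Servers" registers a decryption recipient in `.sops.yaml` from a host key fetched over the network with no verification, so the README should say to compare the returned host key fingerprint against what the DigitalOcean console (or the droplet's own `/etc/ssh/ssh_host_ed25519_key.pub`) reports before committing the derived `age` key; whoever can answer that first scan otherwise becomes a recipient of every secret generated for the machine. In the same vein, the `ssh-to-age -private-key ... > ~/.config/sops/age/keys.txt` command under "#### Admins" writes the private age key with the shell's default permissions; a `chmod 600 ~/.config/sops/age/keys.txt` line after it would match how `~/.ssh` material is treated. Minor wording: "publically" should be "publicly" in the intro paragraph, and "Include an appropriately top-level `keys` entry" should read "an appropriate top-level `keys` entry".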