Joshua Potter ea9d99b2a9

Top-level entries: digital-ocean, framework, phobos, .sops.yaml, README.md, flake.lock, flake.nix
nixos-configuration
The collection of publicly visible nixos-configuration files used for my NixOS fleet.
Desktop
My personal desktop configuration is reflected in the top-level desktop directory. The only file not tracked is hardware-configuration.nix since this is auto-generated when installing NixOS.
The system-wide configuration is found in configuration.nix. User-specific configurations are grouped within a directory specific to each user. As of now, this is just jrpotter. The flake.nix file links the system and user configurations together.
Secrets
Secrets are managed via sops-nix, using age keys generated from a pre-existing ed25519 SSH key. If you do not have an ed25519 key already, generate one via:
$ ssh-keygen -t ed25519 -C "<email>"
You can generate an age secret key from this SSH key like so:
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
And find the corresponding public key (to be included in .sops.yaml) like so:
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
and include it in the root .sops.yaml file to be used when creating new secret files.
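As an added example (not code from this repository), here is how a host-level NixOS module would consume secrets encrypted for the age recipients set up above; the secrets file path, the service unit, and the age public keys in the comment are placeholders I assumed, not values from the repository:

```nix
# Added example, not part of this repository. Assumed names: ./secrets/desktop.yaml,
# the jrpotter user, the wireguard-wg0 unit, and placeholder age recipients.
#
# The matching .sops.yaml creation rule would look like:
#   creation_rules:
#     - path_regex: secrets/desktop\.yaml$
#       age: >-
#         age1<admin-public-key-placeholder>,
#         age1<desktop-host-public-key-placeholder>
# so the file decrypts only for the admin's key and this host's key.
{ config, inputs, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  # Encrypted secrets live in the repository; only the ciphertext is tracked.
  sops.defaultSopsFile = ./secrets/desktop.yaml;

  # Derive the host's age identity from its ed25519 SSH host key at activation
  # time, using the same ssh-to-age conversion applied above to the admin key.
  # No plaintext age key has to be copied onto the machine.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Each decrypted secret lands in /run/secrets/<name> with the owner and mode
  # given here, so a user-level token is readable only by that user.
  sops.secrets.github_token = {
    owner = config.users.users.jrpotter.name;
    mode = "0400";
  };

  # A service secret restarts the consuming unit whenever the ciphertext changes.
  sops.secrets.wg0_private_key = {
    owner = "root";
    mode = "0400";
    restartUnits = [ "wireguard-wg0.service" ];
  };
}
```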
Remotes
Remote machines are hosted on DigitalOcean.
The custom image used by each droplet can be built using the top-level digital-ocean flake. This image disables a root password in favor of SSH.
A droplet running this image will automatically pull in any enabled SSH keys
from your DigitalOcean account at creation time.
Each machine must be registered using
Deployment is managed using colmena. To deploy, run the following:
$ cd infra
$ nix flake update # If any machine changes were made.
$ colmena apply
Note that colmena requires non-interactivity. If you haven't done so already, you'll likely need to add the private Ed25519 SSH key corresponding to the public one uploaded to DigitalOcean to your SSH agent. Do so by running:
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519