# nixos-configuration

The collection of publicly visible nixos-configuration files used for my NixOS fleet.

## Desktop

My personal desktop configuration is reflected in the top-level `desktop` directory. The only file not tracked is `hardware-configuration.nix`, since this is auto-generated when installing NixOS.

The system-wide configuration is found in `configuration.nix`. User-specific configurations are grouped within a directory specific to each user. As of now, this is just `jrpotter`. The `flake.nix` file links the system and user configurations together.

## Secrets

Secrets are managed via [sops-nix](https://github.com/Mic92/sops-nix), using age keys derived from a pre-existing ed25519 SSH key. If you do not have an ed25519 key already, generate one via:

```sh
$ ssh-keygen -t ed25519 -C "<email>"
```

You can generate an age secret key from this SSH key like so:

```sh
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
    "ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
```

And find the corresponding public key (to be included in `.sops.yaml`) like so:

```sh
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
```

and include it in the root `.sops.yaml` file, which is consulted whenever new secret files are created.
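How the age public key from above is then consumed on a host, as an added example (not a file from this repository): the `.sops.yaml` recipient list is reproduced in a comment, and the NixOS module below it wires sops-nix so that only ciphertext enters the Nix store and each secret is decrypted at activation to `/run/secrets/<name>` with an explicit owner and mode. The hostnames, secret names, file paths and the `age1...` recipients are assumptions.

```nix
# Contents of the root .sops.yaml (assumed layout; recipients are placeholders):
#
#   keys:
#     - &jrpotter age1PLACEHOLDER_USER_RECIPIENT   # from: ssh-to-age < ~/.ssh/id_ed25519.pub
#     - &desktop  age1PLACEHOLDER_HOST_RECIPIENT   # from: ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub
#   creation_rules:
#     - path_regex: secrets/desktop\.yaml$
#       key_groups:
#         - age:
#             - *jrpotter
#             - *desktop
#
# Every recipient listed under a creation rule can decrypt that file; adding a
# new machine or operator means adding its public key here and re-encrypting
# (`sops updatekeys secrets/desktop.yaml`).

# configuration.nix fragment (added example)
{ config, ... }:
{
  # The encrypted YAML is committed to the repo; sops-nix copies only the
  # ciphertext into the store and decrypts it at activation time.
  sops.defaultSopsFile = ./secrets/desktop.yaml;

  # Derive the host's age identity from its own ed25519 host key, so no
  # plaintext age key ever needs to live in the Nix store or the repo.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Each entry becomes /run/secrets/<name>, owned and permissioned as declared.
  sops.secrets."wireguard/private-key" = {
    owner = "root";
    mode = "0400";
  };

  # Secrets that user creation depends on must be available before users are
  # set up; sops-nix handles that ordering via neededForUsers.
  sops.secrets."jrpotter/password-hash" = {
    neededForUsers = true;
  };

  # Reference the decrypted path rather than embedding the hash in the config.
  users.users.jrpotter.hashedPasswordFile =
    config.sops.secrets."jrpotter/password-hash".path;
}
```

The practical check after a rebuild is `ls -l /run/secrets/` (or `/run/secrets-for-users/` for `neededForUsers` entries): every file should carry the owner and mode declared above, and `nix-store --query --references /run/current-system` should show only the encrypted YAML, never a plaintext secret.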

## Remotes

Remote machines are hosted on DigitalOcean. The custom image used by each droplet can be built using the top-level `digital-ocean` flake. This image disables a root password in favor of SSH. A droplet running this image will automatically pull in any enabled SSH keys from your DigitalOcean account at creation time.

Each machine must be registered using

Deployment is managed using colmena. To deploy, run the following:

```sh
$ cd infra
$ nix flake update  # If any machine changes were made.
$ colmena apply
```

Note that colmena requires non-interactivity. If you haven't done so already, you'll likely need to add the private ed25519 SSH key corresponding to the public one uploaded to DigitalOcean to your SSH agent. Do so by running:

```sh
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519
```
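The hive that `colmena apply` reads, as an added example of how droplets are declared (this is not the repository's `infra/flake.nix`): a `colmena` flake output with shared `defaults` that keep the image's SSH-key-only posture enforced in the deployed configuration, and one attribute per machine carrying its `deployment.targetHost`. The node name, the `203.0.113.10` address (a documentation-range placeholder) and the `./hosts/web-1.nix` path are assumptions.

```nix
# infra/flake.nix fragment (added example; node names, addresses and paths are assumed)
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs, ... }: {
    colmena = {
      meta = {
        # Pin the nixpkgs every node is built from; `nix flake update` moves it.
        nixpkgs = import nixpkgs { system = "x86_64-linux"; };
      };

      # Settings every droplet inherits.
      defaults = { pkgs, ... }: {
        # The image has no root password, so colmena logs in as root over SSH
        # using the key held in the agent (see `ssh-add` above).
        deployment.targetUser = "root";

        # Re-assert the key-only policy in the deployed config so a later
        # rebuild cannot silently reintroduce password logins.
        services.openssh = {
          enable = true;
          settings.PasswordAuthentication = false;
          settings.PermitRootLogin = "prohibit-password";
        };
      };

      # One attribute per machine; the attribute name is the node name used by
      # `colmena apply --on web-1`.
      web-1 = { name, nodes, ... }: {
        deployment.targetHost = "203.0.113.10";  # placeholder droplet address
        networking.hostName = name;
        imports = [ ./hosts/web-1.nix ];
      };
    };
  };
}
```

`colmena build` evaluates and builds every node without touching the droplets, which is the cheap way to confirm the hive parses and the host key added to the agent is not needed yet; `colmena apply --on web-1` then limits a first deployment to a single node.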