Joshua Potter f7a592c094 | ||
---|---|---|
digital-ocean/23.11pre-git | ||
hive | ||
users/jrpotter | ||
.gitignore | ||
.sops.yaml | ||
README.md | ||
flake.lock | ||
flake.nix |
README.md
nixos-configuration
The collection of publically visible nixos-configuration files used for all of
my NixOS machines. Deployment (both local and remote) is managed using
colmena. All machines can be found in
the hive/flake.nix
file.
Local Machines
My personal laptop configuration is reflected in the hive/framework
directory
(named after the framework laptop I use). This flake
defines a home-manager
configuration for a single user called jrpotter
. We can apply a
nixos-rebuild switch
by running:
$ cd hive
$ nix flake update # If any changes were made to local machines.
$ colmena apply-local [--sudo]
Remote Machines
Remote machines are hosted on DigitalOcean.
The custom image used by each droplet can be built using the top-level
digital-ocean/23.11pre-git
flake. This image disables a root password
in favor of SSH. A droplet running this image will automatically pull in any
enabled SSH keys from your DigitalOcean account at creation time (so make sure
to include them when creating a new droplet).
Secrets
Secrets are managed via sops-nix. The
top-level .sops.yaml
configures the age
keys used to encrypt all secrets.
Once configured, you can create/edit a new secrets file using sops
like so:
$ nix-shell -p sops --run "sops <filename>"
Keep in mind that sops-nix
supports YAML, JSON, INI, dotenv and binary at the
moment. What format is used is determined by <filename>
's extension.
Admins
To generate a new user-controlled key, you will need an ed25519 SSH key. Generate one (if you do not already have one) by running:
$ ssh-keygen -t ed25519 -C "<email>"
You can then generate an age
secret:
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
"ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"
and find its corresponding public key:
$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"
This public key can then be written into the .sops.yaml
file.
Servers
Each machine that needs to decrypt secret files will also need to be registered. To do so, run:
$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
This will look for any SSH host ed25519 public keys and automatically run
through ssh-to-age
. Include an appropriately top-level keys
entry in
.sops.yaml
before generating the secrets needed by the machine. Refer to
phobos
for an example.
Deployment
Like our local configurations, remote updates are managed by colmena
.
colmena
requires non-interactively connecting over the ssh-ng
protocol
meaning you must add the appropriate private SSH key to an ssh-agent
before
deploying:
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519
Afterward you can run the following:
$ cd hive
$ nix flake update # If any changes were made to remote machines.
$ colmena apply