My NixOS configuration files
 
 
 
Go to file
Joshua Potter f7b1d0d6b0 bump(jrpotter): bootstrap version. 2023-12-13 09:16:11 -07:00
digital-ocean Point to correct configuration file. 2023-12-12 08:18:35 -07:00
hive framework: Install Chromium. 2023-12-12 14:46:59 -07:00
users/jrpotter bump(jrpotter): bootstrap version. 2023-12-13 09:16:11 -07:00
.envrc Add devShell and mullvad. 2023-12-12 09:07:30 -07:00
.gitignore Add devShell and mullvad. 2023-12-12 09:07:30 -07:00
.sops.yaml Re-enable phobos and point titan to new machine. 2023-12-12 06:44:45 -07:00
README.md Enable SSH and nix commands. 2023-12-11 05:19:23 -07:00
flake.lock Add swap partition to DO image. 2023-12-12 05:57:08 -07:00
flake.nix Add devShell and mullvad. 2023-12-12 09:07:30 -07:00

README.md

nixos-configuration

The collection of publically visible nixos-configuration files used for all of my NixOS machines. Deployment (both local and remote) is managed using colmena. All machines can be found in the flake.nix file.

Users

home-manager configurations are found in the top-level users directory. As of now, there exists settings for a single user called jrpotter.

Local Machines

My personal laptop configuration is stored in the hive/framework directory. To invoke the equivalent of a local nixos-rebuild switch using colmena, run:

$ colmena apply-local [--sudo]

Remote Machines

Remote machines are hosted on DigitalOcean. The custom images used by each droplet is built by running:

$ nix build .#digital-ocean.[stoat|tapir]

The above command produces an image with root password disabled in favor of SSH. A droplet running this image will automatically pull in any enabled SSH keys from your DigitalOcean account at creation time.

Deployment

Like our local configurations, remote updates are managed by colmena. colmena requires non-interactively connecting over the ssh-ng protocol meaning you must add the appropriate private SSH key to an ssh-agent before deploying:

$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_ed25519

Afterward you can run the following:

$ colmena apply [--on <hostname>]

Secrets

Secrets are managed via sops-nix. The top-level .sops.yaml configures the age keys used to encrypt all secrets. Once configured, you can create/edit a new secrets file using sops like so:

$ nix-shell -p sops --run "sops <filename>"

Keep in mind that sops-nix supports YAML, JSON, INI, dotenv and binary at the moment. What format is used is determined by <filename>'s extension.

Admins

To generate a new user-controlled key, you will need an ed25519 SSH key. Generate one (if you do not already have one) by running:

$ ssh-keygen -t ed25519 -C "<email>"

You can then generate an age secret:

$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run \
    "ssh-to-age -private-key -i <ssh-file> > ~/.config/sops/age/keys.txt"

and find its corresponding public key:

$ nix-shell -p ssh-to-age --run "ssh-to-age < ~/.ssh/id_ed25519.pub"

This public key can then be written into the .sops.yaml file.

Servers

Each machine that needs to decrypt secret files will also need to be registered. To do so, run:

$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'

This will look for any SSH host ed25519 public keys and automatically run through ssh-to-age. Include an appropriately top-level keys entry in .sops.yaml before generating the secrets needed by the machine.