NixOS deployment for LinuxLab
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

53 lines
1.4 KiB

4 weeks ago
  1. ## Deploy
  2. Everything (all servers, all clients)
  3. ```bash
  4. colmena apply switch
  5. ```
  6. All Clients
  7. ```bash
  8. colmena apply switch --on@client
  9. ```
  10. Append `--on=HOSTNAME` or `--on=@TAG` to target specific hosts.
  11. ### Building disk image
  12. You can build a ready to use disk image containing the whole system using the following command:
  13. ```bash
  14. nix build .#images.<MACHINE_NAME>
  15. ```
  16. ## Secret management
  17. Secrets are encrypted using sops.
  18. Sops encrypts the secrets for all administrators and the target machines using the secret.
  19. ### Prepare your system
  20. You must derive an age key from your SSH key:
  21. ```bash
  22. mkdir -p ~/.config/sops/age
  23. read -s SSH_TO_AGE_PASSPHRASE
  24. export SSH_TO_AGE_PASSPHRASE
  25. ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
  26. unset SSH_TO_AGE_PASSPHRASE
  27. ```
  28. ### Edit/show secrets
  29. Secrets are stored in `secrets.yaml` or in files in the `secrets` folder.
  30. To show or edit their content, use the `sops` command. I.e.:
  31. ```
  32. sops machines/nfs/secrets.yaml
  33. ```
  34. ### Update encryption after fresh deployment
  35. The target machines ues the SSH host key of the target system to decryt the secrets required for that machine.
  36. Therefore the host keys spcified in `sops-config.nix` must be kept in sync with the actual host keys.
  37. These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem).
  38. After the keys have been updates, the `contrib/updatekeys.sh` script must be executed.