NixOS deployment for LinuxLab
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
## Deploy
Everything (all servers, all clients)
```bashcolmena apply switch```
All Clients
```bashcolmena apply switch --on@client```
Append `--on=HOSTNAME` or `--on=@TAG` to target specific hosts.
### Building disk image
You can build a ready to use disk image containing the whole system using the following command:
```bashnix build .#images.<MACHINE_NAME>```
## Secret management
Secrets are encrypted using sops.Sops encrypts the secrets for all administrators and the target machines using the secret.
### Prepare your system
You must derive an age key from your SSH key:```bashmkdir -p ~/.config/sops/ageread -s SSH_TO_AGE_PASSPHRASEexport SSH_TO_AGE_PASSPHRASEssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txtunset SSH_TO_AGE_PASSPHRASE```
### Edit/show secrets
Secrets are stored in `secrets.yaml` or in files in the `secrets` folder.To show or edit their content, use the `sops` command. I.e.:
```sops machines/nfs/secrets.yaml```
### Update encryption after fresh deployment
The target machines ues the SSH host key of the target system to decryt the secrets required for that machine.Therefore the host keys spcified in `sops-config.nix` must be kept in sync with the actual host keys.These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem).After the keys have been updates, the `contrib/updatekeys.sh` script must be executed.
|
