Dustin Frisch
c1c96f2624
|
4 weeks ago | |
---|---|---|
client | 1 month ago | |
contrib | 4 weeks ago | |
machines | 1 month ago | |
shared | 4 weeks ago | |
.gitignore | 1 month ago | |
README.md | 4 weeks ago | |
TODO.md | 4 weeks ago | |
clients.nix | 1 month ago | |
flake.lock | 1 month ago | |
flake.nix | 1 month ago | |
installer.nix | 1 month ago | |
sops-config.nix | 1 month ago |
README.md
Deploy
Everything (all servers, all clients)
colmena apply switch
All Clients
colmena apply switch --on@client
Append --on=HOSTNAME
or --on=@TAG
to target specific hosts.
Building disk image
You can build a ready to use disk image containing the whole system using the following command:
nix build .#images.<MACHINE_NAME>
Secret management
Secrets are encrypted using sops. Sops encrypts the secrets for all administrators and the target machines using the secret.
Prepare your system
You must derive an age key from your SSH key:
mkdir -p ~/.config/sops/age
read -s SSH_TO_AGE_PASSPHRASE
export SSH_TO_AGE_PASSPHRASE
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
unset SSH_TO_AGE_PASSPHRASE
Edit/show secrets
Secrets are stored in secrets.yaml
or in files in the secrets
folder.
To show or edit their content, use the sops
command. I.e.:
sops machines/nfs/secrets.yaml
Update encryption after fresh deployment
The target machines ues the SSH host key of the target system to decryt the secrets required for that machine.
Therefore the host keys spcified in sops-config.nix
must be kept in sync with the actual host keys.
These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem).
After the keys have been updates, the contrib/updatekeys.sh
script must be executed.