NixOS deployment for LinuxLab
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Dustin Frisch c1c96f2624
Add readme
4 weeks ago
client nfs: the the jumphost 1 month ago
contrib Add readme 4 weeks ago
machines nfs: add client host entries to nfs 1 month ago
shared Add more admin ssh keys 4 weeks ago
.gitignore More progress 1 month ago
README.md Add readme 4 weeks ago
TODO.md Add more admin ssh keys 4 weeks ago
clients.nix nfs: prevent clients from going AWOL 1 month ago
flake.lock ldap: add some indices 1 month ago
flake.nix all: update 1 month ago
installer.nix Make desktop work 1 month ago
sops-config.nix Installer works 1 month ago

README.md

Deploy

Everything (all servers, all clients)

colmena apply switch

All Clients

colmena apply switch --on@client

Append --on=HOSTNAME or --on=@TAG to target specific hosts.

Building disk image

You can build a ready to use disk image containing the whole system using the following command:

nix build .#images.<MACHINE_NAME>

Secret management

Secrets are encrypted using sops. Sops encrypts the secrets for all administrators and the target machines using the secret.

Prepare your system

You must derive an age key from your SSH key:

mkdir -p ~/.config/sops/age
read -s SSH_TO_AGE_PASSPHRASE
export SSH_TO_AGE_PASSPHRASE
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
unset SSH_TO_AGE_PASSPHRASE

Edit/show secrets

Secrets are stored in secrets.yaml or in files in the secrets folder. To show or edit their content, use the sops command. I.e.:

sops machines/nfs/secrets.yaml

Update encryption after fresh deployment

The target machines ues the SSH host key of the target system to decryt the secrets required for that machine. Therefore the host keys spcified in sops-config.nix must be kept in sync with the actual host keys. These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem). After the keys have been updates, the contrib/updatekeys.sh script must be executed.