Dustin Frisch
c1c96f2624
|
19 hours ago | |
|---|---|---|
| client | 7 days ago | |
| contrib | 19 hours ago | |
| machines | 4 days ago | |
| shared | 20 hours ago | |
| .gitignore | 2 weeks ago | |
| README.md | 19 hours ago | |
| TODO.md | 20 hours ago | |
| clients.nix | 7 days ago | |
| flake.lock | 7 days ago | |
| flake.nix | 1 week ago | |
| installer.nix | 1 week ago | |
| sops-config.nix | 1 week ago | |
README.md
Deploy
Everything (all servers, all clients)
colmena apply switch
All Clients
colmena apply switch --on@client
Append --on=HOSTNAME or --on=@TAG to target specific hosts.
Building disk image
You can build a ready to use disk image containing the whole system using the following command:
nix build .#images.<MACHINE_NAME>
Secret management
Secrets are encrypted using sops. Sops encrypts the secrets for all administrators and the target machines using the secret.
Prepare your system
You must derive an age key from your SSH key:
mkdir -p ~/.config/sops/age
read -s SSH_TO_AGE_PASSPHRASE
export SSH_TO_AGE_PASSPHRASE
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
unset SSH_TO_AGE_PASSPHRASE
Edit/show secrets
Secrets are stored in secrets.yaml or in files in the secrets folder.
To show or edit their content, use the sops command. I.e.:
sops machines/nfs/secrets.yaml
Update encryption after fresh deployment
The target machines ues the SSH host key of the target system to decryt the secrets required for that machine.
Therefore the host keys spcified in sops-config.nix must be kept in sync with the actual host keys.
These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem).
After the keys have been updates, the contrib/updatekeys.sh script must be executed.