Deploy

Everything (all servers, all clients)

colmena apply switch

All Clients

colmena apply switch --on@client

Append --on=HOSTNAME or --on=@TAG to target specific hosts.

Building disk image

You can build a ready to use disk image containing the whole system using the following command:

nix build .#images.<MACHINE_NAME>

Secret management

Secrets are encrypted using sops. Sops encrypts the secrets for all administrators and the target machines using the secret.

Prepare your system

You must derive an age key from your SSH key:

mkdir -p ~/.config/sops/age
read -s SSH_TO_AGE_PASSPHRASE
export SSH_TO_AGE_PASSPHRASE
ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
unset SSH_TO_AGE_PASSPHRASE

Edit/show secrets

Secrets are stored in secrets.yaml or in files in the secrets folder. To show or edit their content, use the sops command. I.e.:

sops machines/nfs/secrets.yaml

Update encryption after fresh deployment

The target machines ues the SSH host key of the target system to decryt the secrets required for that machine. Therefore the host keys spcified in sops-config.nix must be kept in sync with the actual host keys. These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem). After the keys have been updates, the contrib/updatekeys.sh script must be executed.