nix-config/README.md

# Setup
## Install Nix Flakes
A Nix environment with Nix Flakes support is required.
### (temporary) Shell with Nix Flakes
Set up an environment (with the common command [nix-shell](https://nixos.org/manual/nix/unstable/command-ref/nix-shell.html)) in which the [package *nixFlakes*](https://search.nixos.org/packages?query=nixflakes) (for Nix Flakes) is available, and jump into it:
```bash
nix-shell --packages nixFlakes
```
Nix Flakes is currently (as of Nix 20.09) not yet a standard feature of Nix. The Nix Flakes commands have to be declared as an experimental feature of the `nix` command to make them available.
Enable it in the Nix configuration (do this only once, if it is not already set):
```bash
mkdir -p ~/.config/nix  # the directory may not exist yet
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
```
Add this repository to your local flake registry:
```bash
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
```
### (permanent) System with Nix Flakes
Add this to your NixOS configuration:
```nix
{ pkgs, ... }: {
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";
  };
}
```
And add this repository to your local flake registry:
```bash
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
```
# Deployment
Both fail during activation of the new profile. (TODO)
## With Flakes
### Local deployment
Running `nixos-rebuild --flake c3d2 switch` on a machine should be sufficient
to update that machine to the current configuration and Nixpkgs revision.
### Remote deployment
Use `nix run` with one of the deploy scripts exported by the flake,
for example `nix run c3d2#glotzbert-nixos-rebuild switch`. Use `nix flake show c3d2`
to list what is available. Note that the deploy scripts only work if
the target machine already has flakes enabled.
### Remote deployment from non-NixOS
A shell script that copies the current working tree and runs
`nixos-rebuild switch` on the target:
```shell
./deploy-flake.sh hydra.hq.c3d2.de
```
It cannot look up hostnames in `host-registry.nix`.
It does not take any extra care of the *secrets*.
## With NixOps
The official way to deploy is through `deployer.serv.zentralwerk.org`.
### Deploy changes
Use deployer system:
```shell
ssh k-ot@172.20.73.9
cd nix-config/
nixops deploy -d hq --check --include=[hostname]
```
### Creating a new container
This does not work yet, as the `nixos-system-x86_64-linux.tar.xz` image is broken.
1. Log into any Proxmox server
2. Run `pct create [num] cephfs-iso:vztmpl/nixos-system-x86_64-linux.tar.xz -ostype unmanaged -net0 name=eth0,bridge=vmbr0,tag=[vlantag] -storage vms -hostname [hostname]`
3. Make adjustments through the UI if necessary
4. Adjust `hq.nixops`, add `[hostname]`
5. Run
```shell
ssh k-ot@172.20.73.16
cd nix-config/
nixops deploy -d hq --check --include=[hostname]
```
Tarballs can be built for containers using `config.system.build.tarball`.
```shell
nix build c3d2#nixosConfigurations.dhcp.config.system.build.tarball
```
## With `nixos-rebuild switch`
```shell
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
```
## Checking for updates
```shell
nix run .#list-upgradable
```
Checks all hosts in the `hostRegistry.nix` that have a `system` defined.
# Secrets
Add your gpg-id to the `.gpg-id` file in `secrets` and let somebody reencrypt it for you.
Maybe this works for you, maybe not. I did it somehow:
```shell
# run inside the secrets directory; pass init takes all gpg ids as arguments,
# and PASSWORD_STORE_DIR has to be set for pass itself, not only for the first
# command of a pipeline
PASSWORD_STORE_DIR="$PWD" xargs pass init < .gpg-id
```
Your gpg key has to have the Authenticate flag set. If not, update it, push it to a keyserver and wait.
This is necessary so you can log in to any machine with your gpg key.
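To verify that requirement before adding a key to `.gpg-id`, here is an added shell example (not from the nix-config repository) that inspects the machine-readable `gpg --with-colons` listing for the Authenticate capability; the key ids and fingerprints in the embedded sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of nix-config): check whether a gpg key carries the
# Authenticate capability. Input is the listing from `gpg --with-colons`; in
# `pub:` and `sub:` records field 12 holds the capabilities (e/s/c/a for that
# key, upper case for what the whole key offers). Any 'a' or 'A' means the key
# can be used for SSH login through gpg-agent.
has_auth_capability() {
  # $1: a colon-format key listing, possibly spanning several keys and subkeys
  printf '%s\n' "$1" | awk -F: '
    ($1 == "pub" || $1 == "sub") && $12 ~ /[aA]/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Wrapper for a real key: pass a key id, fingerprint or e-mail address.
check_key() {
  has_auth_capability "$(gpg --list-keys --with-colons "$1")"
}

# Constructed sample listings (key ids, dates and fingerprints are placeholders).
KEY_WITH_AUTH_SUBKEY='pub:u:4096:1:0123456789ABCDEF:1546300800:::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1546300800::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1546300800::::::e::::::23:
sub:u:4096:1:1122334455667788:1546300800::::::a::::::23:'

KEY_WITHOUT_AUTH='pub:u:4096:1:0123456789ABCDEF:1546300800:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1546300800::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1546300800::::::e::::::23:'

for sample in KEY_WITH_AUTH_SUBKEY KEY_WITHOUT_AUTH; do
  eval "listing=\$$sample"
  if has_auth_capability "$listing"; then
    echo "$sample: authenticate capability present"
  else
    echo "$sample: no authenticate capability, the key needs updating first"
  fi
done
```

Run `check_key <your-key-id>` to test a key from your own keyring instead of the samples.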
# Laptops / Desktops
This repository contains a NixOS module that can be used with personal machines
as well. This module appends `/etc/ssh/ssh_known_hosts` with the host keys of
registered HQ hosts, and optionally appends `/etc/hosts` with static IPv6
addresses local to HQ. Simply import the `lib` directory to use the module. As
an example:
```nix
# /etc/nixos/configuration.nix
{ config, pkgs, lib, ... }:
let
  c3d2Config =
    builtins.fetchGit { url = "https://gitea.c3d2.de/C3D2/nix-config.git"; };
in {
  imports = [
    # ...
    "${c3d2Config}/lib"
  ];
  c3d2 = {
    isInHq = false; # not in HQ, this is the default.
    mapHqHosts = true; # Make entries in /etc/hosts for *.hq internal addresses.
    enableMotd = true; # Set the login shell message to the <<</>> logo.
  };
  # ...
}
```