README: cleanups, updates, sentences

Astro 2022-01-07 00:28:59 +01:00
parent 365757073a
commit 3f1d190b76
1 changed files with 64 additions and 95 deletions

README.md

@ -1,37 +1,37 @@
# Setup
## Working with this repo
If you checked out this git repository for working on the code,
replace `c3d2#` with `.#` and run commands from the repository root.
Don't forget to `git add` new files! Flakes require that.
## The secrets repo
Make sure you have access.
## Install Nix Flakes
> Nix Flakes ist gegenwärtig bei Nix (Version 20.09) noch keine standardmäßige Funktionalität für Nix. Die Bereitstellung der Kommandos für Nix Flakes müssen als experimentelle Funktionalität für das Kommando ''nix'' festgelegt werden, um sie verfügbar zu machen.
A Nix environment with Nix Flakes support is required.
### (temporary) Shell with Nix Flakes
### Temporary Shell with Nix Flakes
<!-- deutschsprachig
Aufsetzen einer Umgebung (mit dem üblichen Kommando [nix-shell](https://nixos.org/manual/nix/unstable/command-ref/nix-shell.html) in der das Paket *nixFlakes* (für Nix Flakes) verfügbar ist
-->
Set up an environment (with the common command [nix-shell](https://nixos.org/manual/nix/unstable/command-ref/nix-shell.html)) in which the [package *nixFlakes*](https://search.nixos.org/packages?query=nixflakes) (for Nix Flakes) is available and jump into it
```bash
nix-shell --packages nixFlakes
nix-shell -p nixFlakes
```
Nix Flakes ist gegenwärtig bei Nix (Version 20.09) noch keine standardmäßige Funktionalität für Nix. Die Bereitstellung der Kommandos für Nix Flakes müssen als experimentelle Funktionalität für das Kommando ''nix'' festgelegt werden, um sie verfügbar zu machen.
<!-- deutschsprachig
(wenn das nicht bereits schon festgelegt wurde) Hinzufügen der Festlegung für die (noch) experimentelle Erweiterung für Nix Flakes als Funktionalität für das Kommando ''nix''
-->
Set some configuration (do this only once)
Set some configuration (do this only once):
```bash
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
```
Add this repository to your local flake registry:
```bash
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
```
### (permanent) System with Nix Flakes
### Permanent System with Nix Flakes
set this to your NixOS configuration:
```nix
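Review bot: the `echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf` step is labelled "do this only once", but as written it fails when `~/.config/nix/` does not exist yet and appends a duplicate line on every re-run; prefix it with `mkdir -p ~/.config/nix` and guard it, e.g. `grep -qs flakes ~/.config/nix/nix.conf || echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf`, so the instruction is actually idempotent. The German paragraph about Nix 20.09 that is moved below the `nix-shell -p nixFlakes` block now duplicates the English sentence "A Nix environment with Nix Flakes support is required." in an otherwise English section; either translate it or drop it, and the "20.09" version reference is worth re-checking against what the repository currently targets. Also, `nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config` registers an unpinned URL, so `nixos-rebuild --flake c3d2` further down follows whatever the remote default branch holds at that moment; one sentence saying that the registry entry does not fix the deployed revision would spare operators a surprise.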
@ -43,37 +43,37 @@ set this to your NixOS configuration:
}
```
And add this repository to your local flake registry:
```bash
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
```
# Deployment
Beide failen bei Activation des neuen Profils. (TODO)
## Mit Flakes
### Local deployment
## Deploy a NixOS system from this Flake locally
Running `nixos-rebuild --flake c3d2 switch` on a machine should be sufficient
to update that machine to the current configuration and Nixpkgs revision.
### Remote deployment
## Deploy to a remote NixOS system with this Flake
Use `nix run` with one of the deploy scripts exported by the flake,
for example: `nix run c3d2#glotzbert-nixos-rebuild switch`. Use `nix flake show c3d2`
to show what is available. Note that the deploy scripts only work if
the target machines already has flakes enabled.
For every host that has a `nixosConfiguration` in our Flake, there are
two scripts that can be run for deployment via ssh.
Now that there is a `-local` variant that builds the system profile on
your machine (possibly reusing dependencies that were built for other
hosts), flakification of an existing NixOS host can be done using `nix
run c3d2#glotzbert-nixos-rebuild-local switch`
- `nix run c3d2#glotzbert-nixos-rebuild switch`
The must be an existing `nixosConfiguration.${host}` in `flake.nix`.
Copies the current state to build on the target system. This may
fail due to eg. container resource limits.
The target must already be a nixFlakes system.
### Remote deployment from non-NixOS
- `nix run c3d2#glotzbert-nixos-rebuild-local switch`
Builds locally, then uses `nix copy` to transfer the new NixOS
system to the target.
**Help!** It's needlessly rebuilding stuff that already runs on the
target? If so, use `nix copy` to transfer where
`/run/current-system` points to to your build machine.
Use `nix flake show c3d2` to show what is available.
## Remote deployment from non-NixOS
A shell script that copies the current working tree, and runs
`nixos-rebuild switch` on the target:
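Review bot: "The must be an existing `nixosConfiguration.${host}`" should read "There must be an existing …", "the target machines already has flakes enabled" should be "the target machine already has", and "transfer where `/run/current-system` points to to your build machine" has a doubled "to". The item for `c3d2#glotzbert-nixos-rebuild` states "The target must already be a nixFlakes system", while the `-local` variant pushes the closure with `nix copy`; a remote store only accepts unsigned paths from a user the target daemon trusts (root by default), so say which user the deploy scripts connect as, otherwise the `-local` path fails with a signature error that the README does not explain. If "## Mit Flakes" is retained, translate it to "## With Flakes" to match the other headings rewritten in this hunk.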
@ -82,48 +82,10 @@ A shell script that copies the current working tree, and runs
./deploy-flake.sh hydra.hq.c3d2.de
```
It cannot not lookup hostnames in `host-registry.nix`.
It will not take extra care of the *secrets*.
## Mit NixOps
The official way for deployment is through `deployer.serv.zentralwerk.org`
### Deploy changes
Use deployer system:
```shell
ssh k-ot@172.20.73.9
cd nix-config/
nixops deploy -d hq --check --include=[hostname]
```
### Creating new Container
This does not work yet, as the nixos-system-x86_64-linux.tar.xz image is broken.
1. log into any proxmox server
2. pct create [num] cephfs-iso:vztmpl/nixos-system-x86_64-linux.tar.xz -ostype unmanaged -net0 name=eth0,bridge=vmbr0,tag=[vlantag] -storage vms -hostname [hostname]
3. adjustments through ui if necessary
4. Adjust hq.nixops, add [hostname]
5. Run
```shell
ssh k-ot@172.20.73.16
cd nix-config/
nixops deploy -d hq --check --include=[hostname]
```
Tarballs can be built for containers using `config.system.build.tarball`.
```
nix build c3d2#nixosConfigurations.dhcp.config.system.build.tarball
```
## Mit `nixos-rebuild switch`
```shell
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
```
It cannot not lookup hostnames in `host-registry.nix`. To avoid
deploying the wrong container on the unrelated DNS records, the script
always uses the hostname that is already configured on the target
system.
## Checking for updates
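Review bot: "It cannot not lookup hostnames in `host-registry.nix`" appears twice (under `./deploy-flake.sh` and under the `nixos-rebuild switch` one-liner) and is a double negative; it should read "It cannot look up hostnames in `host-registry.nix`". The sentence "To avoid deploying the wrong container on the unrelated DNS records, the script always uses the hostname that is already configured on the target system" now sits under `nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"`, which is not a script and takes `$HOST` from the caller for both the configuration path and the ssh target, so the safeguard it describes cannot apply there; it belongs with `./deploy-flake.sh`. "It will not take extra care of the *secrets*" should state concretely what is skipped. The `nix build c3d2#nixosConfigurations.dhcp.config.system.build.tarball` fence has no language tag (the neighbouring fences use `shell`), and "## Mit `nixos-rebuild switch`" is still German.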
@ -135,7 +97,14 @@ nix run .#list-upgradable
Checks all hosts with a `nixosConfiguration` in `flake.nix`.
# Secrets
## Creating a new Proxmox container
Use the `nixprox.sh` script that should be copied to
`/usr/local/sbin/nixprox.sh` on all of the Proxmox servers.
# Secrets management
## Secrets managment with PGP
Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you.
Maybe this works for you, maybe not. I did it somehow:
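Review bot: "Secrets managment with PGP" is a typo for "management". The new "Creating a new Proxmox container" section says `nixprox.sh` "should be copied to `/usr/local/sbin/nixprox.sh` on all of the Proxmox servers" but not where the script lives or what it takes as arguments, whereas the removed `pct create …` steps at least named the template, the VLAN tag and the hostname; add the script's path in the repository and a usage line. `.gpg-id` should be in backticks like the other file names, and "If not update it and push it to a keyserver and wait" needs a comma after "If not".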
@ -147,6 +116,20 @@ PASSWORD_STORE_DIR=`pwd` tr '\n' ' ' < .gpg-id | xargs -I{} pass init {}
Your gpg key has to have the Authenticate flag set. If not update it and push it to a keyserver and wait.
This is necessary, so you can login to any machine with your gpg key.
## Secrets Management Using `sops-nix`
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
```
cd secrets
nix develop
sops hosts/.../secrets.yaml
git commit -a -m YOLO
git push origin HEAD:master
cd ..
nix flake lock . --update-input secrets
```
# Laptops / Desktops
This repository contains a NixOS module that can be used with personal machines
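Review bot: adding a new host's key to `secrets/.sops.yaml` does not re-encrypt the existing secrets files to that recipient; `sops hosts/.../secrets.yaml` only rewrites the single file you open, so the procedure needs a `sops updatekeys` step (or an explicit save of every affected file) before the new host can decrypt anything. `git commit -a -m YOLO` also stages every modified file under `secrets/`, not just the one edited; `git add` the specific file and use a meaningful message in the documented example. The fence in this block has no language tag, and the `nix develop` step should say which flake provides the `sops` binary (the `secrets` repository or this one).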
@ -177,17 +160,3 @@ in {
}
```
# Secret Management Using `sops-nix`
Edit `secrets/.sops.yaml` to add files for a new host and its SSH pubkey.
```
cd secrets
nix develop
sops hosts/.../secrets.yaml
git commit -a -m YOLO
git push origin HEAD:master
cd ..
nix flake lock . --update-input secrets
```