## Setup

Nix with flakes support is required. Run this in a shell…

```sh
# Enter a temporary shell with flakes support:
nix-shell --packages nixFlakes
# Enable flakes permanently (do this only once; re-running appends a duplicate line):
mkdir -p ~/.config/nix
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf
# Add this repository to your local flake registry:
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config
```
…or add this to your NixOS configuration:

```nix
{ pkgs, ... }: {
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";
  };
}
```
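The `echo >>` step above appends unconditionally, so running the setup a second time leaves two `experimental-features` lines in nix.conf. The function below is an added example written for this page (it is not part of the nix-config repository): it performs the same step idempotently and refuses to append when a different `experimental-features` line is already present, because Nix takes the last such line and the earlier one would be silently shadowed. The conf path is a parameter so the function can be exercised against a temporary file.

```sh
#!/bin/sh
# Added example, not part of the nix-config repository.
# enable_flakes <path-to-nix.conf>: ensure exactly one line enabling flakes.
# Returns 0 when the line is present afterwards, 2 when a conflicting
# experimental-features line exists and needs a human decision.
enable_flakes() {
    conf="$1"
    wanted='experimental-features = nix-command flakes'

    # Create the directory and an empty file on first use.
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"

    # Exact line already there: nothing to do (this is what makes it idempotent).
    if grep -qxF "$wanted" "$conf"; then
        return 0
    fi

    # A different experimental-features setting exists: do not add a second one,
    # since Nix would honour only the last line and hide the other features.
    if grep -q '^experimental-features' "$conf"; then
        echo "enable_flakes: $conf already sets experimental-features; merge 'nix-command flakes' into it by hand" >&2
        return 2
    fi

    printf '%s\n' "$wanted" >> "$conf"
}

# Typical use against the real user config:
#   enable_flakes ~/.config/nix/nix.conf
```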
## Deployment

Both methods below fail when activating the new profile. (TODO)

### With flakes

Use `nix run` with one of the deploy scripts exported by the flake, for example `nix run c3d2#deploy-glotzbert switch`. Use `nix flake show c3d2` to list what is available. Note that the deploy scripts only work if the target machine already has flakes enabled.
### With NixOps

The official way to deploy is through deployer.serv.zentralwerk.org.

#### Deploy changes

Use the deployer system:

```sh
ssh k-ot@172.20.73.9
cd nix-config/
nixops deploy -d hq --check --include=[hostname]
```
#### Creating a new container

This does not work yet, as the nixos-system-x86_64-linux.tar.xz image is broken.

- Log into any Proxmox server.
- Create the container:

  ```sh
  pct create [num] cephfs-iso:vztmpl/nixos-system-x86_64-linux.tar.xz -ostype unmanaged -net0 name=eth0,bridge=vmbr0,tag=[vlantag] -storage vms -hostname [hostname]
  ```
- Make adjustments through the UI if necessary.
- Adjust hq.nixops, adding [hostname].
- Run:

  ```sh
  ssh k-ot@172.20.73.16
  cd nix-config/
  nixops deploy -d hq --check --include=[hostname]
  ```
### With nixos-rebuild switch

```sh
nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"
```
## Secrets

Add your gpg-id to the .gpg-id file in secrets and have somebody re-encrypt the store for you. This may or may not work for you; the following is what worked for the author:

```sh
# Run inside the secrets/ directory. xargs splits .gpg-id on whitespace and hands
# every id to a single `pass init`, which rewrites .gpg-id and re-encrypts the
# whole store for that recipient list.
PASSWORD_STORE_DIR="$(pwd)" xargs pass init < .gpg-id
```

Your GPG key has to have the Authenticate capability set. If it does not, update the key, push it to a keyserver and wait for it to propagate. This is necessary so that you can log in to any machine with your GPG key (through gpg-agent's SSH support).
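Whether a key qualifies can be checked without touching the key: in `gpg --with-colons --list-keys` output, field 12 of each `pub`/`sub` record lists the capability letters, and field 2 the validity. The script below is an added example written for this page (not code from the nix-config repository): `has_auth_key` parses such a listing from stdin, so it is shown running against constructed sample records with fake key ids, and `check_key` applies it to a real key by id, fingerprint or e-mail address.

```sh
#!/bin/sh
# Added example, not part of the nix-config repository.
# `gpg --with-colons --list-keys` emits one record per line; on pub/sub records
# field 2 is the validity (r = revoked, e = expired) and field 12 holds the
# capability letters: e = encrypt, s = sign, c = certify, a = authenticate.
# gpg-agent's SSH support only offers keys that carry the 'a' capability.

# has_auth_key: read a colon-format listing on stdin; succeed if any pub or sub
# record that is neither revoked nor expired has the authenticate capability.
has_auth_key() {
    awk -F: '
        ($1 == "pub" || $1 == "sub") && $2 !~ /^[re]$/ && $12 ~ /a/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_key <id>: run the check against a real key in the local keyring.
check_key() {
    if gpg --batch --with-colons --list-keys "$1" 2>/dev/null | has_auth_key; then
        echo "$1: has a usable authenticate-capable key"
    else
        echo "$1: no usable authenticate-capable key; add an [A] subkey with" \
             "'gpg --edit-key $1' (addkey) and re-publish the key" >&2
        return 1
    fi
}

# Constructed sample listings (fake key ids, not real keys).
# Primary key certifies and signs; one subkey authenticates, another encrypts.
SAMPLE_WITH_AUTH='pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESCA::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::a::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e::::::23:'

# Same layout, but the authenticate subkey has expired (validity "e"): the key
# would still look fine in a casual listing yet gpg-agent will not offer it.
SAMPLE_EXPIRED_AUTH='pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1600000000:1610000000:::::a::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e::::::23:'

# Only sign and encrypt subkeys: no authenticate capability anywhere.
SAMPLE_NO_AUTH='pub:u:4096:1:DDDDDDDDDDDDDDDD:1600000000:::u:::scESC::::::23::0:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1600000000::::::e::::::23:
sub:u:4096:1:FFFFFFFFFFFFFFFF:1600000000::::::s::::::23:'
```

Once a usable authenticate subkey exists, `gpg --export-ssh-key <id>` prints the corresponding OpenSSH public key for the machines' authorized_keys, and gpg-agent started with `enable-ssh-support` offers that subkey to ssh.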
## Laptops / Desktops

This repository contains a NixOS module that can be used with personal machines as well. The module appends the host keys of registered HQ hosts to /etc/ssh/ssh_known_hosts and optionally appends static IPv6 addresses local to HQ to /etc/hosts. Simply import the lib directory to use the module. As an example:
```nix
# /etc/nixos/configuration.nix
{ config, pkgs, lib, ... }:
let
  c3d2Config =
    builtins.fetchGit { url = "https://gitea.c3d2.de/C3D2/nix-config.git"; };
in {
  imports = [
    # ...
    "${c3d2Config}/lib"
  ];

  c3d2 = {
    isInHq = false;     # not in HQ, this is the default.
    mapHqHosts = true;  # Make entries in /etc/hosts for *.hq internal addresses.
    enableMotd = true;  # Set the login shell message to the <<</>> logo.
  };

  # ...
}
```
## Custom packages

Additional packages can be added to ./nixpkgs-overlay. These packages are available during NixOS configuration as well as from the flake via `nix shell c3d2#…` (see above for adding this repository to your local Nix registry).