Astro fca9a7f859 lib/default-gateway.nix: set only when running without systemd-networkd
this would need GatewayOnLink=yes for the route on the interface
2021-03-06 01:10:53 +01:00
ansible Add more tools, only apply sysctl when changed 2021-03-04 18:46:03 +01:00
hosts lib/default-gateway.nix: set only when running without systemd-networkd 2021-03-06 01:10:53 +01:00
kubernetes update deployer 2019-07-03 20:16:11 +02:00
lib lib/default-gateway.nix: set only when running without systemd-networkd 2021-03-06 01:10:53 +01:00
nixpkgs-overlay s/bmdx/bmxd/g 2021-03-04 17:23:28 +01:00
overlay freifunk: pin firmware/server revs 2021-03-05 00:43:12 +01:00
secrets@0efb7df81d Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config 2020-12-09 01:23:45 +01:00
.gitignore Add "result" to .gitignore 2019-11-29 14:21:52 +01:00
.gitmodules Replace yggdrasil submodule with an input 2019-11-09 16:52:22 +01:00
README.md Flakify dhcp 2021-02-24 14:14:48 +01:00
flake.lock freifunk: obtain flaky secrets 2021-03-05 01:16:57 +01:00
flake.nix flake.nix: implement --flakify switch for converting hosts to flakes 2021-03-05 01:26:19 +01:00
host-registry.nix host-registry: add freifunk 2021-03-05 01:16:16 +01:00
hq.nixops hq.nixops: update public-access-proxy address 2020-05-22 19:09:47 +02:00
install-host.sh pulsebert: add home-manager home.nix 2019-02-19 23:30:27 +01:00
krops.nix Flakify freifunk container 2021-02-26 20:23:24 +01:00
nix-maintenance.sh add nix-maintenance.sh 2019-02-18 19:56:44 +01:00

README.md

Setup

Flakes

Nix with flakes support is required. Run this in a shell…

# Enter a temporary shell with flakes support:
nix-shell --packages nixFlakes

# Set some configuration (do this only once):
echo 'experimental-features = nix-command flakes' >> ~/.config/nix/nix.conf

# Add this repository to your local flake registry:
nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config

…or add this to your NixOS configuration:

{ pkgs, ... }: {
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = "experimental-features = nix-command flakes";
  };
}

And add this repository to your local flake registry:

nix registry add c3d2 git+https://gitea.c3d2.de/C3D2/nix-config

Deployment

Both fail during activation of the new profile. (TODO)

With flakes

Remote deployment

Use nix run with one of the deploy scripts exported by the flake, for example: nix run c3d2#glotzbert-nixos-rebuild switch. Use nix flake show c3d2 to show what is available. Note that the deploy scripts only work if the target machine already has flakes enabled.

Local deployment

Running nixos-rebuild --flake c3d2 switch on a machine should be sufficient to update that machine to the current configuration and Nixpkgs revision.

With NixOps

The official way to deploy is through deployer.serv.zentralwerk.org.

Deploy changes

Use deployer system:

ssh k-ot@172.20.73.9
cd nix-config/
nixops deploy -d hq --check --include=[hostname]

Creating a new container

This does not work yet, as the nixos-system-x86_64-linux.tar.xz image is broken.

  1. log into any proxmox server
  2. pct create [num] cephfs-iso:vztmpl/nixos-system-x86_64-linux.tar.xz -ostype unmanaged -net0 name=eth0,bridge=vmbr0,tag=[vlantag] -storage vms -hostname [hostname]
  3. adjustments through ui if necessary
  4. Adjust hq.nixops, add [hostname]
  5. Run
    ssh k-ot@172.20.73.16
    cd nix-config/
    nixops deploy -d hq --check --include=[hostname]

Tarballs can be built for containers using config.system.build.tarball.

nix build c3d2#nixosConfigurations.dhcp.config.system.build.tarball

With nixos-rebuild switch

nixos-rebuild switch -I nixos-config=./hosts/containers/$HOST/configuration.nix --target-host "root@$HOST.hq.c3d2.de"

Secrets

Add your gpg-id to the .gpg-id file in secrets and let somebody reencrypt it for you. Maybe this works for you, maybe not. I did it somehow:

# Run inside the secrets directory. The variable must be set on the pass command itself
# (a prefix on the first command of a pipeline does not reach pass), and xargs without -I
# passes every gpg-id from .gpg-id as a separate argument:
PASSWORD_STORE_DIR=$(pwd) xargs pass init < .gpg-id

Your gpg key has to have the Authenticate flag set. If not, update it, push it to a keyserver and wait. This is necessary so you can log in to any machine with your gpg key.
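To verify the Authenticate flag before pushing a key, the following script (an added example, not code from the nix-config repository) parses the machine-readable output of gpg --list-keys --with-colons and lists the usable keys whose own capability field carries "a". The two listings embedded in it are constructed sample data with placeholder key IDs, not real keys.

```python
"""Check whether a GnuPG key in a keyring carries the Authenticate capability.

Added example for this README, not code from the nix-config repository. It parses
the machine-readable listing produced by ``gpg --list-keys --with-colons``; the
listings embedded below are constructed sample data with placeholder key IDs.
"""
from __future__ import annotations

import subprocess

# Constructed sample listing: a sign+certify primary key, an encryption subkey
# and an authentication subkey. Field 12 (index 11) holds the capabilities:
# lowercase letters are the capabilities of that specific key, uppercase
# letters on the pub record summarise the whole key including its subkeys.
SAMPLE_WITH_AUTH = """\
tru::1:1700000000:0:3:1:5
pub:u:255:22:0000000000000001:1700000000:::u:::scSCEA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1700000000::0000000000000000000000000000000000000002::Example User <user@example.org>::::::::::0:
sub:u:255:18:0000000000000002:1700000000::::::e::::::23:
sub:u:255:22:0000000000000003:1700000000::::::a::::::23:
"""

# Constructed variant: the only authentication-capable subkey is revoked (validity 'r'),
# so the key cannot be used to log in even though the subkey is still listed.
SAMPLE_AUTH_REVOKED = """\
pub:u:255:22:0000000000000001:1700000000:::u:::scSCE::::::23::0:
sub:u:255:18:0000000000000002:1700000000::::::e::::::23:
sub:r:255:22:0000000000000003:1700000000::::::a::::::23:
"""

# Validity values that make a key unusable: revoked, expired, invalid, disabled.
UNUSABLE_VALIDITY = {"r", "e", "i", "d"}


def auth_capable_keys(listing: str) -> list[str]:
    """Return the IDs of usable pub/sub keys whose own capability field contains 'a'."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sub"):
            continue
        validity, keyid, caps = fields[1], fields[4], fields[11]
        if validity in UNUSABLE_VALIDITY:
            continue
        # Lowercase 'a' means this very key may be used for authentication;
        # an uppercase 'A' on the pub record only summarises the subkeys.
        if "a" in caps:
            found.append(keyid)
    return found


def has_auth_capability(listing: str) -> bool:
    """True if at least one usable key in the listing can authenticate."""
    return bool(auth_capable_keys(listing))


if __name__ == "__main__":
    # Inspect the local keyring; gpg must be installed for this part.
    out = subprocess.run(
        ["gpg", "--list-keys", "--with-colons"],
        capture_output=True, text=True, check=True,
    ).stdout
    keys = auth_capable_keys(out)
    print("authentication-capable keys:", keys or "none (add an authentication subkey, then push it)")
```

Run it on a machine with gpg installed to see which of your keys qualify; a key whose only authentication-capable subkey is expired or revoked is reported as having none, which is exactly the case that silently breaks logins.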

Laptops / Desktops

This repository contains a NixOS module that can be used with personal machines as well. This module adds the host keys of registered HQ hosts to /etc/ssh/ssh_known_hosts, and optionally adds static IPv6 addresses local to HQ to /etc/hosts. Simply import the lib directory to use the module. As an example:

# /etc/nixos/configuration.nix
{ config, pkgs, lib, ... }:
let
  c3d2Config =
    builtins.fetchGit { url = "https://gitea.c3d2.de/C3D2/nix-config.git"; };
in {
  imports = [
    # ...
    "${c3d2Config}/lib"
  ];

  c3d2 = {
    isInHq = false; # not in HQ, this is the default.
    mapHqHosts = true; # Make entries in /etc/hosts for *.hq internal addresses.
    enableMotd = true; # Set the login shell message to the <<</>> logo.
  };

  # ...
}
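To make concrete what the module produces, the following script (an added example, not the repository's lib module) renders ssh_known_hosts and /etc/hosts lines from a small registry in the shape described above, and looks a host up in the rendered known_hosts text the way a pinned entry is consulted. The registry, host names, addresses and key bodies in it are constructed placeholders; the hq.c3d2.de domain is the one used by the deployment commands in this README.

```python
"""Render ssh_known_hosts and /etc/hosts entries from a host registry, and
look a host up in the rendered known_hosts text.

Added example, not code from the nix-config repository or its lib module. The
registry, host names, addresses and key bodies below are constructed placeholders.
"""
from __future__ import annotations

HQ_DOMAIN = "hq.c3d2.de"

# Constructed registry; the key bodies are placeholder base64, not real keys.
HOST_REGISTRY = {
    "example-a": {
        "ip6": "fd00:1234:5678::a",
        "keytype": "ssh-ed25519",
        "key": "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    },
    "example-b": {
        "ip6": "fd00:1234:5678::b",
        "keytype": "ssh-ed25519",
        "key": "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    },
}


def render_known_hosts(registry: dict, domain: str) -> str:
    """One line per host: comma-separated names/addresses, key type, key body."""
    lines = []
    for name, entry in sorted(registry.items()):
        # FQDN, short name and static address all pin the same key, so a
        # connection by any of them is checked against it.
        patterns = ",".join((f"{name}.{domain}", name, entry["ip6"]))
        lines.append(f"{patterns} {entry['keytype']} {entry['key']}")
    return "\n".join(lines) + "\n"


def render_hosts(registry: dict, domain: str) -> str:
    """/etc/hosts lines mapping the static IPv6 address to FQDN and short name."""
    return "".join(
        f"{entry['ip6']} {name}.{domain} {name}\n"
        for name, entry in sorted(registry.items())
    )


def lookup_host_key(known_hosts: str, host: str) -> tuple[str, str] | None:
    """Return (keytype, key) pinned for host, or None if no plain entry names it.

    Comment lines, hashed entries ('|1|...', which cannot be matched by plain
    comparison) and '@cert-authority' / '@revoked' marker lines are skipped;
    handling those markers is outside this example.
    """
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        patterns, keytype, rest = parts
        if host in patterns.split(","):
            return keytype, rest.split()[0]  # drop an optional trailing comment
    return None


if __name__ == "__main__":
    print(render_known_hosts(HOST_REGISTRY, HQ_DOMAIN))
    print(render_hosts(HOST_REGISTRY, HQ_DOMAIN))
    print(lookup_host_key(render_known_hosts(HOST_REGISTRY, HQ_DOMAIN), "example-a.hq.c3d2.de"))
```

Because each line names the FQDN, the short name and the IPv6 address together, a first connection by any of them is checked against a key that was distributed through the configuration rather than accepted on first use.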