NixOS configuration for the chaos.jetzt project. They are very much work in progress
- mumble-web, possibly adding mumble-web-proxy on top
- Both need to be packaged for Nix
- Matrix synapse + element-web
- Data migration (synapse)
- Migrate away from SSO (synapse)
- maubot github
- Not packaged for nix
- Ditch it?
These nixfiles are built using nix flakes. See here for nix installation instructions and the nixos.wiki page on flakes. colmena is used for deployment, secret management is done using the sops based sops-nix.
The later two (colmena and sops) are available via a devShell
, defined in the flake, which can be invoked using nix develop
. nix-direnv can also be used in order to automatically create the respective shell upon entering these nixfiles.
colmena is used for deployment:
# Build all hosts
colmena build
# Build specific host(s)
colmena build --on host-a,host-b
# Deploy all dev hosts in test mode (activate config but do not add it to the bootloader menu)
colmena apply --on @dev test
# Deploy specific host (actiavte config and use it at the next boot (switch goal))
colmena apply --on host-a
# A VM of the host can be built using plain nix build
nix build .\#nixosConfigurations.host-a.config.system.build.vmWithBootLoader
Note on VMs: Since the secrets are decrypted for each servers ssh key, the secrets setup will fail.
Secrets are managed using sops-nix which is based on sops. All secrets are stored in the secrets/
folder. The .sops.yaml
configuration file contains information on who has (a) access to keys and (b) which servers can decrypt which keys.
A servers private key can be derived from it's ssh key using ssh-to-age, generated during initial installation:
# Only ed25519 keys can be converted using ssh-to-age
ssh-keyscan -t ed25519 shirley.net.chaos.jetzt | nix shell nixpkgs#ssh-to-age -c ssh-to-age
# Or from the host (using legacy nix-shell)
cat /etc/ssh/ssh_host_ed25519_key.pub | nix-shell -p ssh-to-age --run ssh-to-age
When users or servers get added or removed, the secret files need to be updated using sops updatekeys
. Since this can not be called on all files, find secrets -type f -exec sops updatekeys {} \;
may be used for convenience.