qo.is Infrastructure

This repository contains the infrastructure configuration and documentation sources.

Check out the current rendered documentation.

Structure

nixos-configurations: Main nixos configuration for every host.
defaults: Static/Meta configurations, e.g. list of host and keys
nixos-modules: Custom modules (all configurations that are not host specific live here)
private: Private configuration values (like users, sops-encrypted secrets and keys)

Development

This repository requires nix flakes

• nix flake check
  Execute the project's checks, which includes building all configurations and packages. See Tests.

• nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
  Build a single host configuration.

• nix build .#docs
  Build the documentation website.

• nix develop
  Development environment

• nix fmt
  Autofix formatting

Secrets and private Submodule

Secret management is done with nix-sops and a git submodule in private.
Make sure you have the submodule correctly available. To clone with submodules (if you have access):

git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
# See below for how to commit changes.

Secrets are stored in private/passwords.sops.yaml (sysadmin passwords), private/nixos-modules/shared-secrets/default.sops.yaml (shared secrets for all hosts) and private/nixos-configurations/<hostname>/secrets.sops.yaml (host specific secrets).

To modify secrets:

sops $file # To edit a file
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host

After changing secrets:

# Commit changes in subrepo
pushd private
  git commit
  git push
  nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
popd

git add private
nix flake lock --update-input private

Deployment

See Deployment for details.

Deployments are triggered automatically via CI on git.qo.is. Open a pull request to trigger the pipeline; merging to main deploys to all hosts.