2024-10-02 15:52:04 +02:00
|
|
|
# qo.is Infrastructure
|
|
|
|
|
2024-10-02 16:41:11 +02:00
|
|
|
[This repository](https://git.qo.is/qo.is/infrastructure) contains the infrastructure configuration and documentation sources.
|
2024-10-02 15:52:04 +02:00
|
|
|
|
2024-10-02 16:41:11 +02:00
|
|
|
Check out the current [rendered documentation](https://docs-ops.qo.is).
|
2024-10-02 15:52:04 +02:00
|
|
|
|
|
|
|
## Structure
|
|
|
|
|
|
|
|
`nixos-configurations`: Main nixos configuration for every host.
|
|
|
|
`defaults`: Configuration defaults
|
2024-10-02 16:41:11 +02:00
|
|
|
`nixos-modules`: Custom modules (e.g. for vpn and routers)
|
|
|
|
`private`: Private configuration values (like users, sops-encrypted secrets and keys)
|
2024-10-02 15:52:04 +02:00
|
|
|
|
|
|
|
## Building
|
|
|
|
|
|
|
|
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
|
|
|
|
|
|
|
|
- `nix build`
|
|
|
|
Build all host configurations and docs
|
|
|
|
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`
|
|
|
|
Build a single host configuration with
|
|
|
|
- `nix build .#docs`
|
|
|
|
Build the documentation website
|
|
|
|
|
|
|
|
## Development
|
|
|
|
|
|
|
|
- `nix develop`
|
|
|
|
Development environment
|
|
|
|
- `nix flake check`
|
|
|
|
Execute the project's checks
|
|
|
|
- `nix fmt`
|
|
|
|
Autofix formatting
|
|
|
|
|
|
|
|
### Working with the private submodule
|
|
|
|
|
2024-10-02 16:41:11 +02:00
|
|
|
To clone with submodules (if you have access):
|
|
|
|
|
|
|
|
```bash
|
|
|
|
git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
|
|
|
|
```
|
|
|
|
|
2024-10-02 15:52:04 +02:00
|
|
|
On changes:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
git add private
|
|
|
|
nix flake lock --update-input private
|
|
|
|
```
|
|
|
|
|
|
|
|
## Deployment
|
|
|
|
|
2024-10-02 16:41:11 +02:00
|
|
|
`nix run .#deploy-qois`
|
2024-10-02 15:52:04 +02:00
|
|
|
|
2024-10-02 16:41:11 +02:00
|
|
|
See [Deployment](deploy/README.md) for details.
|
2024-10-02 15:52:04 +02:00
|
|
|
|
|
|
|
## Secrets
|
|
|
|
|
|
|
|
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix).
|
|
|
|
|
|
|
|
Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
|
|
|
|
`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
|
|
|
|
`private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).
|
|
|
|
|
|
|
|
Usage:
|
|
|
|
|
|
|
|
```bash
|
2024-10-02 16:41:11 +02:00
|
|
|
sops $file # To edit a file
|
|
|
|
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
|
2024-10-02 15:52:04 +02:00
|
|
|
```
|