This commit is contained in:
parent
cad4f35ee9
commit
172e4c37a3
5 changed files with 57 additions and 88 deletions
63
README.md
|
@ -11,61 +11,60 @@ Check out the current [rendered documentation](https://docs-ops.qo.is).
|
|||
`nixos-modules`: Custom modules (e.g. for vpn and routers)\
|
||||
`private`: Private configuration values (like users, sops-encrypted secrets and keys)
|
||||
|
||||
## Building
|
||||
## Development
|
||||
|
||||
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
|
||||
|
||||
- `nix build`\
|
||||
Build all host configurations and docs
|
||||
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
|
||||
Build a single host configuration with
|
||||
- `nix build .#docs`\
|
||||
Build the documentation website
|
||||
- `nix flake check`\
|
||||
Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md).
|
||||
|
||||
## Development
|
||||
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
|
||||
Build a single host configuration.
|
||||
|
||||
- `nix build .#docs`\
|
||||
Build the documentation website.
|
||||
|
||||
- `nix develop`\
|
||||
Development environment
|
||||
- `nix flake check`\
|
||||
Execute the project's checks
|
||||
|
||||
- `nix fmt`\
|
||||
Autofix formatting
|
||||
|
||||
### Working with the private submodule
|
||||
### Secrets and `private` Submodule
|
||||
|
||||
To clone with submodules (if you have access):
|
||||
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\
|
||||
Make sure you have the submodule correctly available. To clone with submodules (if you have access):
|
||||
|
||||
```bash
|
||||
git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
|
||||
# See below for how to commit changes.
|
||||
```
|
||||
|
||||
On changes:
|
||||
|
||||
```bash
|
||||
git add private
|
||||
nix flake lock --update-input private
|
||||
```
|
||||
|
||||
## Deployment
|
||||
|
||||
`nix run .#deploy-qois`
|
||||
|
||||
See [Deployment](deploy/README.md) for details.
|
||||
|
||||
## Secrets
|
||||
|
||||
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix).
|
||||
|
||||
Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
|
||||
`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
|
||||
`private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).
|
||||
|
||||
Usage:
|
||||
To modify secrets:
|
||||
|
||||
```bash
|
||||
sops $file # To edit a file
|
||||
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
|
||||
```
|
||||
|
||||
After changing secrets, don't forget to push the sub-repository and run
|
||||
`nix flake update private` in the infrastructure repository to use the changes in builds.
|
||||
After changing secrets:
|
||||
|
||||
```bash
|
||||
# Commit changes in subrepo
|
||||
pushd private
|
||||
git commit
|
||||
git push
|
||||
nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
|
||||
popd
|
||||
|
||||
git add private
|
||||
nix flake lock --update-input private
|
||||
```
|
||||
|
||||
## Deployment
|
||||
|
||||
See [Deployment](deploy/README.md) for details.
|
||||
|
|
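Review bot: The consolidated "After changing secrets" block keeps `nix flake lock --update-input private` while the paragraph this hunk removes told users to run `nix flake update private`; newer Nix releases deprecate `--update-input` in favour of the positional `nix flake update <input>` form, so since the same block already states a version expectation with "Required until nix 2.27", say which Nix version these commands target or switch to the form the removed text used. The hunk also drops documentation without a replacement: the prerequisite "This repository requires [nix flakes]", the `See [Tests](./checks/README.md)` pointer in the `nix flake check` description, and the `nix run .#deploy-qois` command under "## Deployment", which now only links to deploy/README.md; either keep the command here or confirm that deploy/README.md documents it.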