2024-10-02 19:12:12 +02:00
4 changed files with 33 additions and 38 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -2,7 +2,6 @@ name: CI

 on:
  push:
-  pull_request:

 env:
  ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
--- a/README.md
+++ b/README.md
@ -1,14 +1,15 @@
 # qo.is Infrastructure

-[This repository](https://gitlab.com/qo.is/infrastructure) contains the infrastructure configuration and documentation sources.
+[This repository](https://git.qo.is/qo.is/infrastructure) contains the infrastructure configuration and documentation sources.

-Check out the current [rendered documentation on the deployed gitlab page](https://docs-ops.qo.is).
+Check out the current [rendered documentation](https://docs-ops.qo.is).

 ## Structure

 `nixos-configurations`: Main nixos configuration for every host.  
 `defaults`: Configuration defaults  
-`modules`: Custom modules (e.g. for vpn and routers)
+`nixos-modules`: Custom modules (e.g. for vpn and routers)  
+`private`: Private configuration values (like users, sops-encrypted secrets and keys)

 ## Building

@ -32,6 +33,12 @@ This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)

 ### Working with the private submodule

+To clone with submodules (if you have access):
+
+```bash
+git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
+```
+
 On changes:

 ```bash
@ -41,9 +48,9 @@ nix flake lock --update-input private

 ## Deployment 

-`nix run .#deploy`
+`nix run .#deploy-qois`

-See [Deployment](deployment.md) for details.
+See [Deployment](deploy/README.md) for details.

 ## Secrets

@ -56,6 +63,6 @@ Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
 Usage:

 ```bash
-sops
-sops-rekey
+sops $file # To edit a file
+sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
 ```
--- a/deploy/README.md
+++ b/deploy/README.md
@ -5,25 +5,14 @@ Note that you have to be connected to the `vpn.qo.is`
 and that you need to have SSH root access to the target machines.


-
-#### Deploy to all hosts
+## Deploy to selected target hosts

 ```bash
-nix run .#deploy-qois
+nix run .#deploy-qois .#<hostname>.system .#<hostname2>.system
 ```

-
-#### Deploy to selected target hosts
+## Deploy with extended timeouts (sometimes required for slow APU devices)

 ```bash
-nix run .#deploy-qois .#<hostname> .#<hostname2>
-
-# e.g.
-nix run .#deploy-qois .#fulberg
-```
-
-#### Deploy with extended timeouts (sometimes required for slow APU devices)
-
-```bash
-nix run .#deploy-qois  .#calanda -- --confirm-timeout 600 --activation-timeout 600
+nix run .#deploy-qois  .#calanda.system -- --confirm-timeout 600 --activation-timeout 600
 ```
--- a/flake.lock
+++ b/flake.lock
@ -50,11 +50,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1718194053,
-        "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
        "type": "github"
      },
      "original": {
@ -70,11 +70,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726396892,
-        "narHash": "sha256-KRGuT5nGRAOT3heigRWg41tbYpTpapGhsWc+XjnIx0w=",
+        "lastModified": 1727872461,
+        "narHash": "sha256-4Pw3fVhN6xey5+2gUBm9nQJAjBqivffr+a5ZsXYjzJ8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "51e3a7e51279fedfb6669a00d21dc5936c78a6ce",
+        "rev": "568727a884ae7cd9f266bd19aea655def8cafd78",
        "type": "github"
      },
      "original": {
@ -154,11 +154,11 @@
    },
    "nixpkgs-nixos-stable": {
      "locked": {
-        "lastModified": 1726320982,
-        "narHash": "sha256-RuVXUwcYwaUeks6h3OLrEmg14z9aFXdWppTWPMTwdQw=",
+        "lastModified": 1727672256,
+        "narHash": "sha256-9/79hjQc9+xyH+QxeMcRsA6hDyw6Z9Eo1/oxjvwirLk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "8f7492cce28977fbf8bd12c72af08b1f6c7c3e49",
+        "rev": "1719f27dd95fd4206afb9cec9f415b539978827e",
        "type": "github"
      },
      "original": {
@ -170,11 +170,11 @@
    },
    "nixpkgs-nixos-unstable": {
      "locked": {
-        "lastModified": 1726243404,
-        "narHash": "sha256-sjiGsMh+1cWXb53Tecsm4skyFNag33GPbVgCdfj3n9I=",
+        "lastModified": 1727634051,
+        "narHash": "sha256-S5kVU7U82LfpEukbn/ihcyNt2+EvG7Z5unsKW9H/yFA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "345c263f2f53a3710abe117f28a5cb86d0ba4059",
+        "rev": "06cf0e1da4208d3766d898b7fdab6513366d45b9",
        "type": "github"
      },
      "original": {
@ -257,11 +257,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726218807,
-        "narHash": "sha256-z7CoWbSOtsOz8TmRKDnobURkKfv6nPZCo3ayolNuQGc=",
+        "lastModified": 1727734513,
+        "narHash": "sha256-i47LQwoGCVQq4upV2YHV0OudkauHNuFsv306ualB/Sw=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "f30b1bac192e2dc252107ac8a59a03ad25e1b96e",
+        "rev": "3198a242e547939c5e659353551b0668ec150268",
        "type": "github"
      },
      "original": {