⚙️ Configuration and Deployment of qo.is infrastructure. https://docs-ops.qo.is
Latest commit: 177cca2c53 by Fabian Hauser, "Set dev-shell nixVersions to latest", 2025-03-31 14:46:41 +03:00

qo.is Infrastructure

This repository contains the infrastructure configuration and documentation sources.

Check out the current rendered documentation.

Structure

nixos-configurations: Main NixOS configuration for every host.
defaults: Configuration defaults
nixos-modules: Custom modules (e.g. for vpn and routers)
private: Private configuration values (like users, sops-encrypted secrets and keys)

Development

This repository requires nix flakes.

  • nix flake check
    Execute the project's checks, which include building all configurations and packages. See Tests.

  • nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel
    Build a single host configuration.

  • nix build .#docs
    Build the documentation website.

  • nix develop
    Development environment

  • nix fmt
    Autofix formatting

Secrets and private Submodule

Secret management is done with nix-sops and a git submodule in private.
Make sure you have the submodule correctly available. To clone with submodules (if you have access):

git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
# See below for how to commit changes.

Secrets are stored in private/passwords.sops.yaml (sysadmin passwords), private/nixos-modules/shared-secrets/default.sops.yaml (shared secrets for all hosts) and private/nixos-configurations/<hostname>/secrets.sops.yaml (host specific secrets).

To modify secrets:

sops $file # To edit a file
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host

After changing secrets:

# Commit changes in subrepo
pushd private
  git commit
  git push
  nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
popd

git add private
nix flake lock --update-input private
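
A check that can run before the `git commit` in `private`, as an added example that is not part of this repository: it lists any `*.sops.yaml` file that does not look sops-encrypted. The function names are hypothetical, and the test is a heuristic that assumes the standard sops YAML layout (`ENC[...]` values plus a top-level `sops:` block with a `mac:` entry).

```sh
#!/bin/sh
# Added example, not part of the qo.is repository.
# Heuristic check that every *.sops.yaml under a directory looks encrypted.
# Assumes the standard sops YAML layout: values are ENC[...] strings and a
# top-level "sops:" metadata block carries an encrypted "mac:" entry.

# looks_encrypted FILE: exit 0 if FILE has the sops metadata block and no
# plaintext "key: value" line above it.
looks_encrypted() {
  awk '
    /^sops:/ { meta = 1; next }               # metadata block starts here
    meta && /^[ \t]+mac: ENC\[/ { mac = 1 }   # integrity MAC is present
    # Above the metadata, a scalar value that is not ENC[...] is plaintext.
    # Comments and keys with the default "_unencrypted" suffix are skipped.
    !meta && /:[ \t]+[^ \t]/ && !/:[ \t]+ENC\[/ &&
      !/^[ \t]*#/ && !/_unencrypted:/ { plain = 1 }
    END { exit !(meta && mac && !plain) }
  ' "$1"
}

# unencrypted_sops_files DIR: print each suspicious *.sops.yaml under DIR,
# one per line, and return non-zero if any was found.
# File names containing newlines are not supported.
unencrypted_sops_files() {
  find "$1" -type f -name '*.sops.yaml' | sort | (
    bad=0
    while IFS= read -r f; do
      if ! looks_encrypted "$f"; then
        printf '%s\n' "$f"
        bad=1
      fi
    done
    exit "$bad"
  )
}
```

Call it as `unencrypted_sops_files private` before committing in the submodule; a non-zero status means at least one listed file should be opened with `sops` again before it is pushed.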

Deployment

See Deployment for details.