|stuebinm 17149be4bd||1 week ago|
|common||2 months ago|
|hosts/parsons||2 months ago|
|modules||9 months ago|
|pkgs||2 weeks ago|
|services||2 months ago|
|websites||4 weeks ago|
|.gitignore||1 year ago|
|.sops.yaml||7 months ago|
|LICENSE||1 year ago|
|README.md||7 months ago|
|flake.lock||1 week ago|
|flake.nix||2 weeks ago|
|secrets.yaml||7 months ago|
welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.
flake.nix: Entrypoint & dependencies
common/: configuration common to all hosts
modules/: home-grown modules for hacc-specific services
pkgs/: packages we built and don't want to upstream
hosts/: configuration.nix per host (currently there's only one of those)
services/: all services we run; imported in appropriate host config
websites/: static websites we deploy somewhere
working with the haccfiles
You will need a flake-enabled nix installation, and have your ssh config set up
ssh parsons will connect to
It's recommended to use deploy_rs:
deploy .#parsons -k [--dry-activate]
Alternatively, using just
nixos-rebuild --flake .#parsons --target-host parsons \ --use-remote-sudo --use-substitutes [test|switch|dry-activate]
If for some reason you have
nix but not
nixos-rebuild, you can still build the
system closure using:
nix build .#nixosConfigurations.parsons.config.system.build.toplevel
(but you might have trouble deploying it)
We use sops-nix to manage secrets which we'd
like to have in Git but don't want to be public. Entires in
encrypted for each of the age keys listed in
.sops.yaml, which are themselves
derived from ssh keys.
For the initial set up, please take a look at the sops-nix Readme file.
To edit the secrets file, just use
sops secrets.yaml, which will decrypt the
file & open it in your $EDITOR, then re-encrypt it when you're done.
To add a new key, use
ssh-to-age to convert your ssh key to age, and add it to
sops.yaml. Then do
sops updatekeys secrets.yaml to re-encrypt the file for
the new set of keys.
Working on websites
Websites are exposed as flake outputs: if you're working on a website & want to check it in a browser, do e.g.
nix run .#\"muc.hacc.earth\"
to start a local http server (note that some of our websites need a directory
to be built in; these use
To add a new website, add a new subdirectory to
websites; nix will generate a
vhost config based on that directory's name. Add a
default.nix in your directory
describing how to build the website, and give its derivation a
to make the
nix run setup work.
I don't want to build this long dependency / want a cached version!
If it's still available on parsons from a previous deploy, do:
nix copy --from ssh://parsons /nix/store/...
Note: don't just copy the .drv file (which Nix complains about if it can't
build something), that's just the description of how to build it! If you
don't know the actual outpath, look in the .drv file (should start with
Derive([("out","[the path you want]"...)
committing to haccfiles
- Things on
mainshould always reflect the config that's actually deployed on parsons, except during testing / debugging sessions
- split up commits, every commit is one atomic change
- follow the commit format: "place: $change"
- place: e.g.
- change: describe your change. Please wrap your lines sensibly (or configure your editor to do this for you)
- place: e.g.
- Exception: autogenerated messages (merge commits, reverts, etc)
- don't overuse merge commits, try to rebase things if possible with reasonable effort