stuebinm
72ca5b2888
in theory this might be ready to deploy. Potential hazards & things to know when actually doing so: 1. the mysql version used by mattermost was updated (the old uses an openssl which is marked insecure). Might have to migrate a database 2. lots of settings now use RFC 42-style settings, which might contain new typos 3. this updates uffd (& changes the patches we apply). Since version dependencies of uffd are basically "whatever debian has" we have never bothered to match them, but afaik have also never updated uffd since the initial deploy some years ago. No guarantee it still works. 4. tracktrain depends on haskellPackages.conferer-warp, which is currently marked broken. There is no reason for this (it builds fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1. cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a merge of haskell-updates into 23.05 |
||
---|---|---|
common | ||
hosts/parsons | ||
modules | ||
pkgs | ||
services | ||
websites | ||
.gitignore | ||
.sops.yaml | ||
flake.lock | ||
flake.nix | ||
LICENSE | ||
README.md | ||
secrets.yaml |
hacc nixfiles
welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.
structure
flake.nix
: Entrypoint & dependenciescommon/
: configuration common to all hostsmodules/
: home-grown modules for hacc-specific servicespkgs/
: packages we built and don't want to upstreamhosts/
: configuration.nix per host (currently there's only one of those)services/
: all services we run; imported in appropriate host configwebsites/
: static websites we deploy somewhere
working with the haccfiles
You will need a flake-enabled nix installation, and have your ssh config set up
so that ssh parsons
will connect to parsons.hacc.space
.
It's recommended to use deploy_rs:
deploy .#parsons -k [--dry-activate]
Alternatively, using just nixos-rebuild
:
nixos-rebuild --flake .#parsons --target-host parsons \
--use-remote-sudo --use-substitutes [test|switch|dry-activate]
If for some reason you have nix
but not nixos-rebuild
, you can still build the
system closure using:
nix build .#nixosConfigurations.parsons.config.system.build.toplevel
(but you might have trouble deploying it)
Secret management
We use sops-nix to manage secrets which we'd
like to have in Git but don't want to be public. Entires in secrets.yaml
are
encrypted for each of the age keys listed in .sops.yaml
, which are themselves
derived from ssh keys.
For the initial set up, please take a look at the sops-nix Readme file.
To edit the secrets file, just use sops secrets.yaml
, which will decrypt the
file & open it in your $EDITOR, then re-encrypt it when you're done.
To add a new key, use ssh-to-age
to convert your ssh key to age, and add it to
sops.yaml
. Then do sops updatekeys secrets.yaml
to re-encrypt the file for
the new set of keys.
Working on websites
Websites are exposed as flake outputs: if you're working on a website & want to check it in a browser, do e.g.
nix run .#\"muc.hacc.earth\"
to start a local http server (note that some of our websites need a directory
to be built in; these use /tmp/hacc-website
).
To add a new website, add a new subdirectory to websites
; nix will generate a
vhost config based on that directory's name. Add a default.nix
in your directory
describing how to build the website, and give its derivation a watch
attribute
to make the nix run
setup work.
I don't want to build this long dependency / want a cached version!
If it's still available on parsons from a previous deploy, do:
nix copy --from ssh://parsons /nix/store/...
Note: don't just copy the .drv file (which Nix complains about if it can't
build something), that's just the description of how to build it! If you
don't know the actual outpath, look in the .drv file (should start with
Derive([("out","[the path you want]"...
)
committing to haccfiles
- Things on
main
should always reflect the config that's actually deployed on parsons, except during testing / debugging sessions - split up commits, every commit is one atomic change
- follow the commit format: "place: $change"
- place: e.g.
modules/$module
,services/$service
... - change: describe your change. Please wrap your lines sensibly (or configure your editor to do this for you)
- place: e.g.
- Exception: autogenerated messages (merge commits, reverts, etc)
- don't overuse merge commits, try to rebase things if possible with reasonable effort