Wie Sie sehen, sehen sie nix! https://docs.hacc.space
Find a file
stuebinm 72ca5b2888 initial work for 23.05
in theory this might be ready to deploy. Potential hazards & things to
know when actually doing so:

 1. the mysql version used by mattermost was updated (the old uses an
    openssl which is marked insecure). Might have to migrate a database
 2. lots of settings now use RFC 42-style settings, which might contain
    new typos
 3. this updates uffd (& changes the patches we apply). Since version
    dependencies of uffd are basically "whatever debian has" we have
    never bothered to match them, but afaik have also never updated uffd
    since the initial deploy some years ago. No guarantee it still
    works.
 4. tracktrain depends on haskellPackages.conferer-warp, which is
    currently marked broken. There is no reason for this (it builds
    fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1.
    cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a
    merge of haskell-updates into 23.05
2023-09-28 01:11:02 +02:00
common initial work for 23.05 2023-09-28 01:11:02 +02:00
hosts/parsons initial work for 23.05 2023-09-28 01:11:02 +02:00
modules make working on websites nicer 2023-02-24 17:33:48 +01:00
pkgs initial work for 23.05 2023-09-28 01:11:02 +02:00
services initial work for 23.05 2023-09-28 01:11:02 +02:00
websites websites: rooms on libera → hackint.org 2023-09-25 17:28:18 +02:00
.gitignore add deploy-rs gc roots to .gitignore 2022-11-19 15:18:32 +01:00
.sops.yaml rotate octycs's ssh key 2023-05-04 00:40:44 +02:00
flake.lock initial work for 23.05 2023-09-28 01:11:02 +02:00
flake.nix initial work for 23.05 2023-09-28 01:11:02 +02:00
LICENSE add a LICENSE-file 2022-10-06 19:31:59 +02:00
README.md move all on-disk secrets into sops 2023-05-03 23:04:13 +02:00
secrets.yaml rotate octycs's ssh key 2023-05-04 00:40:44 +02:00

hacc nixfiles

welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.

structure

  • flake.nix: Entrypoint & dependencies
  • common/: configuration common to all hosts
  • modules/: home-grown modules for hacc-specific services
  • pkgs/: packages we built and don't want to upstream
  • hosts/: configuration.nix per host (currently there's only one of those)
  • services/: all services we run; imported in appropriate host config
  • websites/: static websites we deploy somewhere

working with the haccfiles

You will need a flake-enabled nix installation, and have your ssh config set up so that ssh parsons will connect to parsons.hacc.space.

It's recommended to use deploy_rs:

deploy .#parsons -k [--dry-activate]

Alternatively, using just nixos-rebuild:

nixos-rebuild --flake .#parsons --target-host parsons \
  --use-remote-sudo --use-substitutes [test|switch|dry-activate]

If for some reason you have nix but not nixos-rebuild, you can still build the system closure using:

nix build .#nixosConfigurations.parsons.config.system.build.toplevel

(but you might have trouble deploying it)

Secret management

We use sops-nix to manage secrets which we'd like to have in Git but don't want to be public. Entires in secrets.yaml are encrypted for each of the age keys listed in .sops.yaml, which are themselves derived from ssh keys.

For the initial set up, please take a look at the sops-nix Readme file.

To edit the secrets file, just use sops secrets.yaml, which will decrypt the file & open it in your $EDITOR, then re-encrypt it when you're done.

To add a new key, use ssh-to-age to convert your ssh key to age, and add it to sops.yaml. Then do sops updatekeys secrets.yaml to re-encrypt the file for the new set of keys.

Working on websites

Websites are exposed as flake outputs: if you're working on a website & want to check it in a browser, do e.g.

nix run .#\"muc.hacc.earth\"

to start a local http server (note that some of our websites need a directory to be built in; these use /tmp/hacc-website).

To add a new website, add a new subdirectory to websites; nix will generate a vhost config based on that directory's name. Add a default.nix in your directory describing how to build the website, and give its derivation a watch attribute to make the nix run setup work.

I don't want to build this long dependency / want a cached version!

If it's still available on parsons from a previous deploy, do:

nix copy --from ssh://parsons /nix/store/...

Note: don't just copy the .drv file (which Nix complains about if it can't build something), that's just the description of how to build it! If you don't know the actual outpath, look in the .drv file (should start with Derive([("out","[the path you want]"...)

committing to haccfiles

  • Things on main should always reflect the config that's actually deployed on parsons, except during testing / debugging sessions
  • split up commits, every commit is one atomic change
  • follow the commit format: "place: $change"
    • place: e.g. modules/$module, services/$service ...
    • change: describe your change. Please wrap your lines sensibly (or configure your editor to do this for you)
  • Exception: autogenerated messages (merge commits, reverts, etc)
  • don't overuse merge commits, try to rebase things if possible with reasonable effort