Wie Sie sehen, sehen sie nix! https://docs.hacc.space
Find a file
stuebinm f389de9c55 nftables: use networking.firewall.allowed{TCP,UDP}Port{s,Ranges}
This is a no-op as far as actual config is concerned, but allows using
the usual networking options again, which before this commit were just
old unused code lying around.

There are still many other networking options which we set that
currently do nothing (e.g. the network bridge to lxc).
2024-04-06 14:55:48 +02:00
common render nftables's ruleset 2024-02-18 13:39:54 +01:00
docs meta: new structure 2024-01-11 23:49:26 +01:00
modules bundle encboot 2024-02-17 00:04:51 +00:00
parsons nftables: use networking.firewall.allowed{TCP,UDP}Port{s,Ranges} 2024-04-06 14:55:48 +02:00
pkgs mattermost 9.5.2 → 9.5.3 2024-03-30 23:38:41 +01:00
websites websites: better watch scripts 2024-01-12 00:41:15 +01:00
.gitignore add deploy-rs gc roots to .gitignore 2022-11-19 15:18:32 +01:00
.rgignore add a .rgignore 2024-01-11 21:30:22 +01:00
.sops.yaml rotate octycs's ssh key 2023-05-04 00:40:44 +02:00
flake.lock update inputs 2024-03-31 00:20:51 +01:00
flake.nix mattermost: remove flake inputs, copy nixpkgs package 2024-03-11 00:13:18 +01:00
LICENSE add a LICENSE-file 2022-10-06 19:31:59 +02:00
README.md meta: new structure 2024-01-11 23:49:26 +01:00
secrets.yaml restic: move secrets into sops 2024-01-28 15:32:18 +01:00

hacc nixfiles

Welcome to the hacc nixfiles (haccfiles). This is how we configure (most of) our infrastructure.

General layout

  • flake.nix: Entrypoint & dependencies
  • modules/: home-grown modules for hacc-specific services
  • pkgs/: packages we need which aren't in nixpkgs
  • websites/: static websites hosted by us
  • common/: meta-level config, reusable across machines
  • parsons/: our sole server, its config & the services it runs

Right now, we only have a single host. We might add more again in the future.

Working with this repo

You will need a flake-enabled nix installation, and have your ssh config set up so that ssh parsons will connect to parsons.hacc.space.

Deploying remotely

It's recommended to use deploy_rs:

deploy .#parsons -k [--dry-activate]

Alternatively, using just nixos-rebuild:

nixos-rebuild --flake .#parsons --target-host parsons \
  --use-remote-sudo --use-substitutes [test|switch|dry-activate]

Re-deploying on parsons itself

Simply do:

nixos-rebuild --flake .#parsons [test|switch|dry-activate]

Working on websites

Websites are exposed as flake outputs: if you're working on a website & want to check it in a browser, do e.g.

nix run .#\"muc.hacc.earth\"

to start a local http server (note that some of our websites need a directory to be built in; these use /tmp/hacc-website).

To add a new website, add a new subdirectory to websites; nix will generate a vhost config based on that directory's name. Add a default.nix in your directory describing how to build the website, and give its derivation a watch attribute to make the nix run setup work.

I don't want to build this long dependency / want a cached version!

If it's still available on parsons from a previous deploy, do:

nix copy --from ssh://parsons /nix/store/...

Note: don't just copy the .drv file (which Nix complains about if it can't build something), that's just the description of how to build it! If you don't know the actual outpath, look in the .drv file (should start with Derive([("out","[the path you want]"...)

committing to haccfiles

  • Things on main should always reflect the config that's actually deployed on parsons, except during testing / debugging sessions
  • split up commits, every commit is one atomic change
  • follow the commit format: "place: $change"
    • place: e.g. modules/$module, services/$service ...
    • change: describe your change. Please wrap your lines sensibly (or configure your editor to do this for you)
  • Exception: autogenerated messages (merge commits, reverts, etc)
  • don't overuse merge commits, try to rebase things if possible with reasonable effort