feat: migrate to agenix for secret management

Jet Pham 2026-03-05 15:10:30 -08:00
parent e7e8d154aa
commit 8e174ba500
No known key found for this signature in database
23 changed files with 234 additions and 120 deletions


@ -16,42 +16,47 @@ services:
## Deployment
This repository uses **untracked secrets**, so you must build the system locally before deploying.
Secrets are managed with [agenix](https://github.com/ryantm/agenix) — encrypted in git, decrypted on the server at runtime.
### 1. Setup Secrets
1. `cp secrets/secrets.nix.example secrets/secrets.nix`
2. Fill in the values (generate random keys, etc).
- `openssl rand -base64 32` is a good way to make a new key
- `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.
### 2. Verify Configuration Locally
Because `secrets/secrets.nix` is untracked by git, standard `nix flake check` will fail.
To build the server configuration locally and ensure there are no syntax or evaluation errors before pushing to the server, run:
Key mapping is in `agenix.nix`. The `agenix` CLI and `RULES` env var are provided by the devShell via direnv.
```bash
nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --dry-run
direnv allow
agenix -e secrets/forgejo-db.age
agenix -e secrets/stalwart-admin.age
agenix -e secrets/searx-env.age # SEARXNG_SECRET=<value>
agenix -e secrets/tailscale-key.age
agenix -e secrets/grafana-secret.age
agenix -e secrets/matrix-macaroon.age # macaroon_secret_key: "<value>"
agenix -e secrets/ntfy-admin-hash.age
agenix -e secrets/mymx-webhook.age
```
To edit an existing secret, run the same command again.
### 2. Verify Configuration
```bash
nix flake check
```
### 3. Initial Install (Wipe & Install)
Run this command to build and deploy. **Warning: Wipes the server disk.**
**Warning: Wipes the server disk.**
```bash
# Replace <TARGET_IP> with your server's IP
nix run github:nix-community/nixos-anywhere -- --store-paths \
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --impure --print-out-paths --no-link) \
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --impure --print-out-paths --no-link) \
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.diskoScript --print-out-paths --no-link) \
$(nix build path:.#nixosConfigurations.extremist-software.config.system.build.toplevel --print-out-paths --no-link) \
root@<TARGET_IP> | tee install.log
```
### 4. Update Existing Server (No Wipe)
Once the server is running NixOS, use the `nhs` script to push updates. This repository provides `nhs` and `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first.
### 4. Update Existing Server
`nhs` and `nh` are provided via direnv.
```bash
# Update via Tailscale (uses nhs convenience script)
nhs
# Or manually via IP
nh os switch --hostname extremist-software --target-host root@<TARGET_IP> --impure path:.
```
repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git.
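Review bot: The unchanged line `nh os switch --hostname extremist-software --target-host root@<TARGET_IP> --impure path:.` in the update step still passes `--impure`, while this hunk removes `--impure` from both `nix build` invocations in the nixos-anywhere step and deletes the closing sentence that said the impure build existed to load the untracked `secrets/secrets.nix`. With the secrets now in `.age` files committed to git, the flag has no stated purpose left in this README; drop it from the `nh os switch` line so the update step matches the install step. Separately, the rewritten setup step loses two pieces of guidance the old text carried: how to generate a value (`openssl rand -base64 32`) and that the Tailscale key must be a Reusable key from the admin console. Consider keeping both next to `agenix -e secrets/tailscale-key.age`, and adding the expected file contents as an inline comment for the secrets that have none (for example `ntfy-admin-hash.age`, which by name expects a hash rather than a plain password), as is already done for `searx-env.age` and `matrix-macaroon.age`.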