jet/noisebridge-wiki
jet/noisebridge-wiki
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init
Some checks failed
CI / check (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details

Browse source
This commit is contained in:
Jet 2026-03-20 21:31:50 -07:00
commit 642869ce9b
No known key found for this signature in database
27 changed files with 1414 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

81
README.md Normal file
View file

@ -0,0 +1,81 @@
# Noisebridge Wiki Infra
This repo manages the Noisebridge MediaWiki primary and replica on NixOS.
## Commands
Bootstrap a brand new VPS into NixOS and seed its stable agenix host key:
```sh
nix run .#bootstrap-host -- <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- <main-target-host> <replica-target-host> [ssh-identity-file]
```
Example:
```sh
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
```
What bootstrap does:
- generates or reuses `.bootstrap/<host>/host.age`
- writes the matching public recipient to `secrets/hosts/<host>.age.pub`
- rekeys the agenix secrets with `agenix -r`
- runs `nixos-anywhere` against one or both raw VPS targets
- installs `/var/lib/agenix/host.age` onto the new machine
- lets the machine decrypt its Tailscale auth secret and come up on Tailscale with its configured hostname
Deploy all already-bootstrapped hosts:
```sh
nix run .#deploy
```
Deploy one host only:
```sh
nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki
```
Check the flake:
```sh
nix flake check 'path:.' --accept-flake-config
```
## Secret Model
- admin keys stay in `secrets/secrets.nix`
- host recipients live in `secrets/hosts/*.age.pub`
- host private age keys stay local in `.bootstrap/` and are gitignored
- hosts decrypt agenix secrets with `/var/lib/agenix/host.age`
- host SSH keys are separate and can rotate without breaking agenix
## Normal Lifecycle
1. Create a raw VPS.
2. Run `nix run .#bootstrap-host -- ...` from the repo root on an admin laptop.
3. The machine installs NixOS, gets its host agenix key, and joins Tailscale.
4. Future changes use `nix run .#deploy`.
## GitHub Settings
To require pull requests and auto-deploy only from `main`, set branch protection or a ruleset on `main` with:
- require a pull request before merging
- do not allow direct pushes to `main`
- require status checks to pass before merging
- select the CI check job from this repo
- optionally require approvals before merging
This repo already deploys on pushes to `main` in `.github/workflows/ci.yml`.
That means the intended flow is:
1. open a PR
2. CI passes
3. merge into `main`
4. GitHub Actions runs `nix run .#deploy`