# Noisebridge Wiki Infra

This repo manages the Noisebridge wiki hosts on NixOS.

## Commands

Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:

```sh
nix run .#bootstrap-host -- [ssh-identity-file]
nix run .#bootstrap-host -- [ssh-identity-file]
```

Example:

```sh
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
```

What bootstrap does:

- copies a first-boot module to the host
- runs `nixos-infect` on the Ubuntu VPS
- converts the machine to NixOS with the `jet` admin user
- disables direct root SSH
- fixes the known bad IPv6 routes generated by `nixos-infect`

Deploy all already-bootstrapped hosts:

```sh
nix run .#deploy
```

Deploy one host only:

```sh
nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki
```

Check the flake:

```sh
nix flake check 'path:.' --accept-flake-config
```

## Secret Model

- admin keys stay in `secrets/secrets.nix`
- host recipients live in `secrets/hosts/*.age.pub`
- host private age keys stay local in `.bootstrap/` and are gitignored
- hosts decrypt agenix secrets with `/var/lib/agenix/host.age`
- host SSH keys are separate and can rotate without breaking agenix

## Normal Lifecycle

1. Create a raw VPS.
2. Run `nix run .#bootstrap-host -- ...` from the repo root on an admin laptop.
3. The machine installs NixOS and comes up over hardened public SSH as `jet`.
4. Future changes use `nix run .#deploy`.

## GitHub Settings

To require pull requests and auto-deploy only from `main`, set branch protection or a ruleset on `main` with:

- require a pull request before merging
- do not allow direct pushes to `main`
- require status checks to pass before merging
- select the CI check job from this repo
- optionally require approvals before merging

This repo already deploys on pushes to `main` in `.github/workflows/ci.yml`. That means the intended flow is:

1. open a PR
2. CI passes
3. merge into `main`
4. GitHub Actions runs `nix run .#deploy`
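As an added illustration of the Secret Model above (example code, not this repo's actual `secrets/secrets.nix`), here is one way to write the agenix rules file so that admin keys are the only keys committed in it and each host's recipient is read from `secrets/hosts/<name>.age.pub`. The admin key string and the secret names are constructed placeholders.

```nix
# Example secrets/secrets.nix (added example, not the repo's own file).
# agenix evaluates this file to find the recipients for each *.age secret.
let
  # Admin recipients: committed here and added to every secret, so an
  # admin laptop can always re-encrypt (`agenix -r`) after a host is rotated.
  admins = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY jet@laptop"  # placeholder
  ];

  # Host recipient: the public half of the age key whose private half is
  # generated into .bootstrap/ (gitignored) and installed on the host as
  # /var/lib/agenix/host.age. `age-keygen -y` writes a trailing newline,
  # which is stripped so the recipient string is exact.
  hostKey = name:
    builtins.replaceStrings [ "\n" ] [ "" ]
      (builtins.readFile (./hosts + "/${name}.age.pub"));

  # A secret for one host is readable by the admins plus that host only;
  # the other host's key is deliberately not a recipient.
  forHost = name: { publicKeys = admins ++ [ (hostKey name) ]; };
in
{
  # Placeholder secret names, one set per host.
  "main-wiki/db-password.age"    = forHost "main-wiki";
  "replica-wiki/db-password.age" = forHost "replica-wiki";
}
```

On the host side, the matching NixOS setting is `age.identityPaths = [ "/var/lib/agenix/host.age" ];`, which is why the SSH host keys can rotate without affecting decryption.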