# Noisebridge Wiki Infra

This repo manages the Noisebridge MediaWiki primary and replica on NixOS.

## Commands

Bootstrap a brand new VPS into NixOS and seed its stable agenix host key:

```sh
nix run .#bootstrap-host -- <host> <target> [ssh-identity-file]
nix run .#bootstrap-host -- <main-target> <replica-target> [ssh-identity-file]
```

Example:

```sh
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
```

What bootstrap does:

- generates or reuses `.bootstrap/<host>/host.age`
- writes the matching public recipient to `secrets/hosts/<host>.age.pub`
- rekeys the agenix secrets with `agenix -r`
- runs `nixos-anywhere` against one or both raw VPS targets
- installs `/var/lib/agenix/host.age` onto the new machine
- lets the machine decrypt its Tailscale auth secret and come up on Tailscale with its configured hostname

Deploy all already-bootstrapped hosts:

```sh
nix run .#deploy
```

Deploy one host only:

```sh
nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki
```

Check the flake:

```sh
nix flake check 'path:.' --accept-flake-config
```

## Secret Model

- admin keys stay in `secrets/secrets.nix`
- host recipients live in `secrets/hosts/*.age.pub`
- host private age keys stay local in `.bootstrap/` and are gitignored
- hosts decrypt agenix secrets with `/var/lib/agenix/host.age`
- host SSH keys are separate and can rotate without breaking agenix

## Normal Lifecycle

1. Create a raw VPS.
2. Run `nix run .#bootstrap-host -- ...` from the repo root on an admin laptop.
3. The machine installs NixOS, gets its host agenix key, and joins Tailscale.
4. Future changes use `nix run .#deploy`.
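The Secret Model and the Normal Lifecycle above both hinge on one invariant: the private host key lives only in the gitignored `.bootstrap/<host>/` tree, while the matching public recipient is the only thing committed under `secrets/hosts/`. The script below is an added example, not part of this repo's flake, that checks that invariant before a bootstrap run. The two paths are the README's; the function names, the regex for an age recipient and the throwaway fixture are my own.

```sh
#!/bin/sh
# Added example, not part of the noisebridge wiki-infra repo: sanity checks for
# the agenix host-key layout the README describes. The paths
# .bootstrap/<host>/host.age and secrets/hosts/<host>.age.pub come from the
# README; the function names and the fixture below are assumptions of this example.
set -eu

# 0 if a local private host key already exists (bootstrap should reuse it),
# 1 if bootstrap has to generate a fresh one.
host_key_exists() {  # $1=repo root, $2=host name
  [ -s "$1/.bootstrap/$2/host.age" ]
}

# 0 if the committed recipient is a single well-formed age X25519 public key
# ("age1" followed by 58 bech32 characters); anything else, including an
# accidentally committed AGE-SECRET-KEY-, fails.
recipient_valid() {  # $1=repo root, $2=host name
  f="$1/secrets/hosts/$2.age.pub"
  [ -f "$f" ] || return 1
  [ "$(grep -c '' "$f")" -eq 1 ] || return 1
  grep -Eq '^age1[02-9ac-hj-np-z]{58}$' "$f"
}

# 0 if no age private key material sits anywhere under secrets/ (the only
# copy should live in the gitignored .bootstrap/ tree).
no_private_keys_committed() {  # $1=repo root
  ! grep -rq 'AGE-SECRET-KEY-' "$1/secrets" 2>/dev/null
}

# 0 if .gitignore has an entry covering .bootstrap/.
bootstrap_dir_ignored() {  # $1=repo root
  grep -Eq '^/?\.bootstrap/?$' "$1/.gitignore" 2>/dev/null
}

# Pre-bootstrap consistency check for one host. Prints the decision bootstrap
# will take and returns 0 when the layout is consistent:
#   - private key present => the recipient must exist and be well-formed
#   - private key absent  => nothing to pair yet; bootstrap creates both
check_host() {  # $1=repo root, $2=host name
  if host_key_exists "$1" "$2"; then
    echo "$2: reusing .bootstrap/$2/host.age"
    recipient_valid "$1" "$2" || { echo "$2: secrets/hosts/$2.age.pub missing or malformed" >&2; return 1; }
  else
    echo "$2: no local host key, bootstrap will generate one"
  fi
  no_private_keys_committed "$1" || { echo "private key material found under secrets/" >&2; return 1; }
  bootstrap_dir_ignored "$1" || { echo ".bootstrap/ is not gitignored" >&2; return 1; }
}

# Constructed fixture: a throwaway repo layout with one consistent host
# (main-wiki), one with a malformed recipient (replica-wiki) and one not yet
# bootstrapped (new-wiki). The key strings are constructed samples, not real keys.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/.bootstrap/main-wiki" "$d/.bootstrap/replica-wiki" "$d/secrets/hosts"
  echo ".bootstrap/" > "$d/.gitignore"
  echo "AGE-SECRET-KEY-1CONSTRUCTEDSAMPLEKEYNOTREAL" > "$d/.bootstrap/main-wiki/host.age"
  echo "AGE-SECRET-KEY-1CONSTRUCTEDSAMPLEKEYNOTREAL" > "$d/.bootstrap/replica-wiki/host.age"
  echo "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p" > "$d/secrets/hosts/main-wiki.age.pub"
  echo "not-a-recipient" > "$d/secrets/hosts/replica-wiki.age.pub"
  echo "$d"
}
```

Run `check_host . main-wiki` from the repo root before `nix run .#bootstrap-host`; a non-zero exit means either the recipient on disk no longer matches what bootstrap would reuse, or private key material has leaked into a committed path.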
## GitHub Settings

To require pull requests and auto-deploy only from `main`, set branch protection or a ruleset on `main` with:

- require a pull request before merging
- do not allow direct pushes to `main`
- require status checks to pass before merging
- select the CI check job from this repo
- optionally require approvals before merging

This repo already deploys on pushes to `main` in `.github/workflows/ci.yml`. That means the intended flow is:

1. open a PR
2. CI passes
3. merge into `main`
4. GitHub Actions runs `nix run .#deploy`
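The settings listed above map onto a single GitHub ruleset. The script below is an added example, not part of this repo, that emits the ruleset as the JSON body the GitHub REST API accepts for `POST /repos/{owner}/{repo}/rulesets` and submits it with the `gh` CLI. The `pull_request` rule is what blocks direct pushes to `main` for anyone without bypass rights; `required_status_checks` is what ties merging to the CI check. The rule and parameter names follow the rulesets API as I know it; verify them against current GitHub documentation. The status check context is a placeholder argument, since the README does not name the job: pass the job name exactly as GitHub reports it.

```sh
#!/bin/sh
# Added example, not from the noisebridge wiki-infra repo: a GitHub ruleset for
# `main` that enforces the README's settings. Field names follow the GitHub
# rulesets REST API as I know it (assumption: verify against current docs).
set -eu

# Emit the ruleset JSON.
#   $1 = status check context (the CI job name as GitHub reports it; placeholder)
#   $2 = required approving reviews (0 keeps approvals optional, as the README allows)
ruleset_json() {
  ctx="$1"; approvals="${2:-0}"
  cat <<EOF
{
  "name": "protect-main",
  "target": "branch",
  "enforcement": "active",
  "conditions": { "ref_name": { "include": ["refs/heads/main"], "exclude": [] } },
  "rules": [
    { "type": "deletion" },
    { "type": "non_fast_forward" },
    { "type": "pull_request",
      "parameters": {
        "required_approving_review_count": $approvals,
        "dismiss_stale_reviews_on_push": true,
        "require_code_owner_review": false,
        "require_last_push_approval": false,
        "required_review_thread_resolution": false
      } },
    { "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": true,
        "required_status_checks": [ { "context": "$ctx" } ]
      } }
  ]
}
EOF
}

# Submit the ruleset with an authenticated gh CLI (not exercised offline).
#   $1 = owner/repo, $2 = status check context, $3 = required approvals
apply_ruleset() {
  ruleset_json "$2" "${3:-0}" | gh api -X POST "repos/$1/rulesets" --input -
}
```

Usage: `apply_ruleset <owner>/<repo> <ci-check-job-name> 1` creates the ruleset with one required approval; pass `0` as the last argument to keep approvals optional. `strict_required_status_checks_policy` additionally requires the PR branch to be up to date with `main` before merging, so the check that passed is the one that will actually be deployed by the push-to-`main` workflow.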