Noisebridge Wiki Infra

This repo manages the Noisebridge wiki hosts on NixOS.

Commands

Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:

nix run .#bootstrap-host -- <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- <main-target-host> <replica-target-host> [ssh-identity-file]

Example:

nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap

What bootstrap does:

• copies a first-boot module to the host
• runs nixos-infect on the Ubuntu VPS
• converts the machine to NixOS with the jet admin user
• disables direct root SSH
• fixes the known bad IPv6 routes generated by nixos-infect

Deploy all already-bootstrapped hosts:

nix run .#deploy

Deploy one host only:

nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki

Check the flake:

nix flake check 'path:.' --accept-flake-config

Secret Model

• admin keys stay in secrets/secrets.nix
• host recipients live in secrets/hosts/*.age.pub
• host private age keys stay local in .bootstrap/ and are gitignored
• hosts decrypt agenix secrets with /var/lib/agenix/host.age
• host SSH keys are separate and can rotate without breaking agenix

Normal Lifecycle

1. Create a raw VPS.
2. Run nix run .#bootstrap-host -- ... from the repo root on an admin laptop.
3. The machine installs NixOS and comes up over hardened public SSH as jet.
4. Future changes use nix run .#deploy.

GitHub Settings

To require pull requests and auto-deploy only from main, set branch protection or a ruleset on main with:

• require a pull request before merging
• do not allow direct pushes to main
• require status checks to pass before merging
• select the CI check job from this repo
• optionally require approvals before merging

This repo already deploys on pushes to main in .github/workflows/ci.yml.

That means the intended flow is:

1. open a PR
2. CI passes
3. merge into main
4. GitHub Actions runs nix run .#deploy