2.1 KiB
2.1 KiB
Noisebridge Wiki Infra
This repo manages the Noisebridge wiki hosts on NixOS.
Commands
Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:
nix run .#bootstrap-host -- <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- <main-target-host> <replica-target-host> [ssh-identity-file]
Example:
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
What bootstrap does:
- copies a first-boot module to the host
- runs
nixos-infecton the Ubuntu VPS - converts the machine to NixOS with the
jetadmin user - disables direct root SSH
- fixes the known bad IPv6 routes generated by
nixos-infect
Deploy all already-bootstrapped hosts:
nix run .#deploy
Deploy one host only:
nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki
Check the flake:
nix flake check 'path:.' --accept-flake-config
Secret Model
- admin keys stay in
secrets/secrets.nix - host recipients live in
secrets/hosts/*.age.pub - host private age keys stay local in
.bootstrap/and are gitignored - hosts decrypt agenix secrets with
/var/lib/agenix/host.age - host SSH keys are separate and can rotate without breaking agenix
Normal Lifecycle
- Create a raw VPS.
- Run
nix run .#bootstrap-host -- ...from the repo root on an admin laptop. - The machine installs NixOS and comes up over hardened public SSH as
jet. - Future changes use
nix run .#deploy.
GitHub Settings
To require pull requests and auto-deploy only from main, set branch protection or a ruleset on main with:
- require a pull request before merging
- do not allow direct pushes to
main - require status checks to pass before merging
- select the CI check job from this repo
- optionally require approvals before merging
This repo already deploys on pushes to main in .github/workflows/ci.yml.
That means the intended flow is:
- open a PR
- CI passes
- merge into
main - GitHub Actions runs
nix run .#deploy