noisebridge-wiki/README.md

# Noisebridge Wiki Infra
This repo manages the two Noisebridge wiki hosts (`main-wiki` and `replica-wiki`) on NixOS.
## Commands
Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS. Two forms are accepted: name one role and its target, or give both targets (main first, then replica) to bootstrap the pair in one run. `target-host` is the SSH target of the fresh VPS (still `root@...` at this point) and the optional identity file is the key used for that first root login:
```sh
nix run .#bootstrap-host -- <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- <main-target-host> <replica-target-host> [ssh-identity-file]
```
Examples, one host and then both hosts:
```sh
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
```
What bootstrap does:
- copies a first-boot module to the host
- runs `nixos-infect` on the Ubuntu VPS
- converts the machine to NixOS with the `jet` admin user
- disables direct root SSH
- fixes the known bad IPv6 routes generated by `nixos-infect`
Deploy all already-bootstrapped hosts:
```sh
nix run .#deploy
```
Deploy one host only:
```sh
nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki
```
Check the flake:
```sh
nix flake check 'path:.' --accept-flake-config
```
## Secret Model
- admin public keys are listed as recipients in `secrets/secrets.nix`
- host recipient (public) keys live in `secrets/hosts/*.age.pub`
- host private age keys stay local in `.bootstrap/`, which is gitignored; treat that directory as sensitive, since whoever holds a host's private key can decrypt every secret encrypted to that host
- each host decrypts its agenix secrets with the private key at `/var/lib/agenix/host.age`
- host SSH keys are separate from the age keys, so they can rotate without breaking agenix
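The layout above has one failure mode worth checking mechanically: a host private key ending up outside `.bootstrap/` (in a commit, or pasted into a `.nix` file). The script below is an added example, not part of this repo's tooling. It assumes the files in `.bootstrap/` are plain age identities (a line starting `AGE-SECRET-KEY-1`) and that each `secrets/hosts/<host>.age.pub` holds exactly one `age1...` recipient; the fixture it builds for its self-test is constructed here and uses the example recipient from the age README, not a real host key.

```sh
#!/bin/sh
# Added example, not part of the noisebridge-wiki repo. It assumes:
#  - .bootstrap/<host>.age files are age identities (a line starting AGE-SECRET-KEY-1)
#  - secrets/hosts/<host>.age.pub files hold exactly one age X25519 recipient
# Usage: save as check-secrets.sh and run `sh check-secrets.sh [repo-root]`
# from the repo root before committing; exit 0 means clean.

# Fail if any file outside .bootstrap/ (and .git/) carries an age secret key.
# Checking contents rather than paths also catches a key pasted into a .nix file.
find_leaked_age_keys() {
  repo=$1
  find "$repo" \( -path "$repo/.git" -o -path "$repo/.bootstrap" \) -prune \
       -o -type f -print | while read -r f; do
    if grep -q '^AGE-SECRET-KEY-1' "$f" 2>/dev/null; then echo "$f"; fi
  done
}

# .bootstrap/ must be ignored by git, otherwise `git add .` stages every host key.
bootstrap_dir_ignored() {
  grep -qxE '/?\.bootstrap/?' "$1/.gitignore" 2>/dev/null
}

# Each host recipient file must be a single well-formed recipient: "age1" plus
# 58 bech32 characters. This is a shape check only; it does not verify the
# bech32 checksum, so it catches truncation and stray text, not a typo.
valid_recipient_files() {
  bad=0
  for pub in "$1"/secrets/hosts/*.age.pub; do
    [ -e "$pub" ] || { echo "no recipient files under secrets/hosts/"; return 1; }
    if [ "$(grep -cE '^age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}$' "$pub")" -ne 1 ] \
       || [ "$(grep -c '' "$pub")" -ne 1 ]; then
      echo "bad recipient file: $pub"; bad=1
    fi
  done
  return $bad
}

# Run all three checks; prints findings and returns 1 if anything is wrong.
check_repo() {
  repo=${1:-.}; rc=0
  bootstrap_dir_ignored "$repo" || { echo ".bootstrap/ is not in .gitignore"; rc=1; }
  leaks=$(find_leaked_age_keys "$repo")
  [ -z "$leaks" ] || { echo "age secret key outside .bootstrap/:"; echo "$leaks"; rc=1; }
  valid_recipient_files "$repo" || rc=1
  return $rc
}

# Constructed fixture for the self-test: a throwaway repo layout with a fake
# identity (not a real key) and the example recipient from the age README.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/.git" "$d/.bootstrap" "$d/secrets/hosts"
  printf '.bootstrap/\nresult\n' > "$d/.gitignore"
  printf '# public key: age1...\nAGE-SECRET-KEY-1FAKEFAKEFAKEFAKEFAKEFAKE\n' \
    > "$d/.bootstrap/main-wiki.age"
  printf 'age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p\n' \
    > "$d/secrets/hosts/main-wiki.age.pub"
  echo "$d"
}

# Only run the checks when invoked as a script, so the functions can be sourced.
case "${0##*/}" in
  check-secrets.sh) check_repo "$1"; exit $? ;;
esac
```

Wiring `check_repo` into a pre-commit hook or the flake's `nix flake check` is the natural place for it; the leak check is the one that matters most, since the other two fail loudly at deploy time anyway.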
## Normal Lifecycle
1. Create a raw VPS.
2. Run `nix run .#bootstrap-host -- ...` from the repo root on an admin laptop.
3. The machine installs NixOS and comes back up with public SSH reachable as `jet` and direct root login disabled.
4. Future changes use `nix run .#deploy`.
## GitHub Settings
To require pull requests and deploy only from `main`, set branch protection or a ruleset on `main` with:
- require a pull request before merging
- do not allow direct pushes to `main` (the pull request rule enforces this)
- require status checks to pass before merging
- select the CI check job from this repo; the name must match the job that `.github/workflows/ci.yml` reports exactly, since a required check that never reports blocks every merge
- optionally require approvals before merging
This repo already deploys on every push to `main` in `.github/workflows/ci.yml`, so anyone who can land a commit on `main` can change the wiki hosts; the rules above are the only gate in front of that deploy.
The intended flow is:
1. open a PR
2. CI passes
3. merge into `main`
4. GitHub Actions runs `nix run .#deploy`
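The same settings expressed as a GitHub repository ruleset and applied with the `gh` CLI, as an added example rather than a file from this repo. `OWNER/REPO` and the check name are placeholders: the context passed to `ruleset_json` has to be the job name that `.github/workflows/ci.yml` actually reports, which this README does not state.

```sh
#!/bin/sh
# Added example, not part of the noisebridge-wiki repo.
# Assumptions: the repo slug and the required check name are placeholders;
# substitute the job name that .github/workflows/ci.yml reports.

# Emit the request body for POST /repos/{owner}/{repo}/rulesets.
#  - pull_request: every change to main lands via a PR, which also blocks direct pushes
#  - required_status_checks: the CI job must pass; strict=true additionally requires
#    the PR branch to be up to date with main, so CI tested what actually gets deployed
#  - deletion / non_fast_forward: main cannot be deleted or force-pushed, which would
#    otherwise let someone rewrite the commit the deploy workflow runs from
#  - approvals default to 0 (the README lists them as optional); pass 1 to require
#    a second person before anything reaches the hosts
ruleset_json() {
  check_name=$1
  approvals=${2:-0}
  cat <<EOF
{
  "name": "protect-main",
  "target": "branch",
  "enforcement": "active",
  "conditions": { "ref_name": { "include": ["refs/heads/main"], "exclude": [] } },
  "rules": [
    { "type": "pull_request",
      "parameters": {
        "required_approving_review_count": $approvals,
        "dismiss_stale_reviews_on_push": true,
        "require_code_owner_review": false,
        "require_last_push_approval": false,
        "required_review_thread_resolution": false
      } },
    { "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": true,
        "required_status_checks": [ { "context": "$check_name" } ]
      } },
    { "type": "deletion" },
    { "type": "non_fast_forward" }
  ]
}
EOF
}

# Apply the ruleset; needs `gh auth login` with admin rights on the repository.
# $1 = OWNER/REPO, $2 = required check name, $3 = approvals (optional)
apply_ruleset() {
  ruleset_json "$2" "$3" | gh api --method POST "repos/$1/rulesets" --input -
}

# Usage: sh ruleset.sh OWNER/REPO <check-name> [approvals]
case "${0##*/}" in
  ruleset.sh) apply_ruleset "$1" "$2" "$3" ;;
esac
```

Setting `enforcement` to `evaluate` first lets you watch what the ruleset would have blocked in the repository's rule insights before turning it to `active`.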