Latest commit: 642869ce9b "init" by Jet, 2026-03-21 02:27:44 -07:00 (CI check and deploy runs for this push were cancelled)

Noisebridge Wiki Infra

This repo manages the Noisebridge MediaWiki primary and replica on NixOS.

Commands

Bootstrap a brand new VPS into NixOS and seed its stable agenix host key. The first form bootstraps a single named host; the second bootstraps the main and replica targets in one run:

nix run .#bootstrap-host -- <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- <main-target-host> <replica-target-host> [ssh-identity-file]

Example:

nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap

What bootstrap does:

  • generates or reuses .bootstrap/<host>/host.age
  • writes the matching public recipient to secrets/hosts/<host>.age.pub
  • rekeys the agenix secrets with agenix -r
  • runs nixos-anywhere against one or both raw VPS targets
  • installs /var/lib/agenix/host.age onto the new machine
  • lets the machine decrypt its Tailscale auth secret and come up on Tailscale with its configured hostname

Deploy all already-bootstrapped hosts:

nix run .#deploy

Deploy one host only:

nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki

Check the flake:

nix flake check 'path:.' --accept-flake-config

Secret Model

  • admin keys stay in secrets/secrets.nix
  • host recipients live in secrets/hosts/*.age.pub
  • host private age keys stay local in .bootstrap/ and are gitignored
  • hosts decrypt agenix secrets with /var/lib/agenix/host.age
  • host SSH keys are separate and can rotate without breaking agenix
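As an added illustration of this model (not the repository's own secrets/secrets.nix), here is one way a secrets.nix can wire the admin keys and the per-host recipients together so that each host can decrypt only its own Tailscale auth secret. The admin key, the secret names and the hostKey helper are assumptions, not taken from the repo.

```nix
# Added example, not the repo's own secrets/secrets.nix.
# Assumptions: admin keys are listed inline; host recipients are read from
# secrets/hosts/<host>.age.pub as written by bootstrap; there is one Tailscale
# auth secret per host. Secret names and the placeholder key are illustrative.
let
  # Admin recipients: the people allowed to edit every secret with `agenix -e`.
  admins = [
    "ssh-ed25519 AAAA...admin-laptop" # placeholder, not a real key
  ];

  # Host recipients: the age public key bootstrap wrote for each host.
  # Reading it from the file means `agenix -r` picks up a re-bootstrapped host
  # without this file being edited by hand.
  hostKey = host:
    builtins.replaceStrings [ "\n" ] [ "" ]
      (builtins.readFile (./hosts + "/${host}.age.pub"));

  hosts = [ "main-wiki" "replica-wiki" ];

  # Each host's Tailscale auth key is readable by the admins plus that one
  # host; the other host holds no recipient key for it.
  perHost = host: {
    name = "tailscale-auth-${host}.age";
    value.publicKeys = admins ++ [ (hostKey host) ];
  };
in
builtins.listToAttrs (map perHost hosts) // {
  # A secret both wikis need (for example replication credentials) lists
  # both host recipients; the admins still hold the editing keys.
  "db-replication.age".publicKeys = admins ++ map hostKey hosts;
}
```

On the host side, pointing age.identityPaths at /var/lib/agenix/host.age (rather than relying on the default SSH host key identities) is what keeps the SSH host keys free to rotate without affecting decryption, as the last bullet above describes.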

Normal Lifecycle

  1. Create a raw VPS.
  2. Run nix run .#bootstrap-host -- ... from the repo root on an admin laptop.
  3. The machine installs NixOS, gets its host agenix key, and joins Tailscale.
  4. Future changes use nix run .#deploy.

GitHub Settings

To require pull requests and auto-deploy only from main, set branch protection or a ruleset on main with:

  • require a pull request before merging
  • do not allow direct pushes to main
  • require status checks to pass before merging
  • select the CI check job from this repo
  • optionally require approvals before merging

This repo already deploys on pushes to main in .github/workflows/ci.yml.

That means the intended flow is:

  1. open a PR
  2. CI passes
  3. merge into main
  4. GitHub Actions runs nix run .#deploy