.github/workflows feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
hosts feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
modules feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
scripts feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
secrets feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
.envrc init 2026-03-21 02:27:44 -07:00
.gitignore init 2026-03-21 02:27:44 -07:00
flake.lock feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
flake.nix feat: get to a solid bootstrap on public ssh 2026-03-22 21:39:35 -07:00
README.md feat: update readme to be about prototype 2026-03-25 22:15:22 -07:00
secrets.nix init 2026-03-21 02:27:44 -07:00

Noisebridge Wiki 2.0 Prototype

This repo manages the Noisebridge wiki. It currently holds the Noisebridge Wiki 2.0 Prototype, which is planned to eventually replace the current Noisebridge wiki infrastructure.

Development Hosts

  • primary wiki: main-wiki.extremist.software
  • read-only replica: replica-wiki.extremist.software
  • deployment/admin SSH user: jet (this is hoped to expand to more admins soon!)

A note here: once this project is underway, CI/CD should only allow changes to come through reviewed PRs into the main branch. These changes would then be built and deployed from an automated GitHub Action (which could move to Forgejo Actions in the future).

The current repo is the deployment foundation for a two-machine MediaWiki stack:

  • primary host: MediaWiki, MariaDB primary, Caddy, agenix-managed secrets
  • replica host: MediaWiki, MariaDB read-only replica, Caddy, agenix-managed secrets

We haven't fully implemented all the features, but ones that are needed before we do the big swap are:

Commands

Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:

nix run .#bootstrap-host -- [--admin <name>] <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- [--admin <name>] <main-target-host> <replica-target-host> [ssh-identity-file]

Example:

nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- --admin jet main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap

What bootstrap does:

  • copies a first-boot module to the host
  • runs nixos-infect on the Ubuntu VPS
  • converts the machine to NixOS with the jet admin user
  • disables direct root SSH
  • fixes the known bad IPv6 routes generated by nixos-infect
  • verifies that jet login and sudo work and that the host reaches the running system state

What bootstrap is not:

  • it is not the normal long-term deploy path
  • it is not the full application rollout
  • it is only the one-off Ubuntu-to-NixOS installer step

This is meant to be run only once per host, and again only to stand up new servers if needed.

Deploy all already-bootstrapped hosts:

nix run .#deploy

Deploy one host only:

nix run .#deploy -- .#main-wiki
nix run .#deploy -- .#replica-wiki

Check the flake:

nix flake check 'path:.' --accept-flake-config

Secret Model

  • admin keys stay in secrets/secrets.nix
  • host recipients live in secrets/hosts/*.age.pub
  • host private age keys stay local in .bootstrap/ and are gitignored
  • hosts decrypt agenix secrets with /var/lib/agenix/host.age
  • host SSH keys are separate and can rotate without breaking agenix
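As an added illustration of this layout (not the repo's own secrets.nix or host module; the secret names, the jet key string and the module path are placeholders), here is how the agenix pieces fit together: a recipient list that grants each secret to the admin keys plus the hosts that need it, and a host-side setting that decrypts with the dedicated age key rather than the SSH host key:

```nix
# secrets/secrets.nix (illustrative, not the repo's actual file)
# agenix evaluates this file to decide which keys may decrypt each secret.
let
  # Admin laptop keys: the only keys that can edit secrets.
  # PLACEHOLDER value, not a real key.
  jet = "ssh-ed25519 AAAA...PLACEHOLDER jet@laptop";
  admins = [ jet ];

  # Host recipients: one age public key per host, read from
  # secrets/hosts/<host>.age.pub. The matching private key never enters
  # git; it is installed on the host at /var/lib/agenix/host.age.
  readHostKey = host:
    builtins.replaceStrings [ "\n" ] [ "" ]
      (builtins.readFile (./hosts + "/${host}.age.pub"));
  mainWiki = readHostKey "main-wiki";
  replicaWiki = readHostKey "replica-wiki";
in
{
  # Secret names are placeholders for whatever the stack actually needs.
  # A replica-only secret is granted to the replica host and admins only.
  "mariadb-root-password.age".publicKeys = admins ++ [ mainWiki replicaWiki ];
  "mariadb-replication-password.age".publicKeys = admins ++ [ mainWiki replicaWiki ];
  "mediawiki-secret-key.age".publicKeys = admins ++ [ mainWiki ];
}

# modules/agenix-host.nix (illustrative): point agenix at the dedicated host
# age key instead of the default /etc/ssh/ssh_host_*_key identities, so the
# SSH host keys can rotate without affecting secret decryption.
# { config, ... }:
# {
#   age.identityPaths = [ "/var/lib/agenix/host.age" ];
#   age.secrets.mariadb-root-password = {
#     file = ../secrets/mariadb-root-password.age;
#     owner = "mysql";   # decrypted file readable only by the DB service
#     mode = "0400";
#   };
# }
```

With identityPaths set this way, rotating an SSH host key requires no re-keying of secrets; only replacing /var/lib/agenix/host.age (and the corresponding .age.pub recipient) would.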

Normal Lifecycle

  1. Create a raw VPS.
  2. Run nix run .#bootstrap-host -- ... from the repo root on an admin laptop.
  3. The machine installs NixOS and comes up over public SSH.
  4. Future configuration changes would be made through CI/CD.