87 lines
2.9 KiB
Markdown
87 lines
2.9 KiB
Markdown
# Noisebridge Wiki *2.0 Prototype*
|
|
|
|
This repo manages the Noisebridge wiki. It is currently for the Noisebridge Wiki 2.0 Prototype that is planned to eventually replace the current Noisebridge wiki infrastructure.
|
|
|
|
## Development Hosts
|
|
|
|
- primary wiki: `main-wiki.extremist.software`
|
|
- read-only replica: `replica-wiki.extremist.software`
|
|
- deployment/admin SSH user: `jet` *this is hoped to expand soon!*
|
|
|
|
A note here, once this project is underway, CI/CD should only allow changes to come through reviewed PRs into the main branch. These changes would then be built and deployed from an automated Github action (could be forgejo actions in the future)
|
|
|
|
The current repo is the deployment foundation for a two-machine MediaWiki stack:
|
|
|
|
- primary host: MediaWiki, MariaDB primary, Caddy, agenix-managed secrets
|
|
- replica host: MediaWiki, MariaDB read-only replica, Caddy, agenix-managed secrets
|
|
|
|
We haven't fully implemented all the features, but ones that are needed before we do the big swap are:
|
|
<list future features here>
|
|
|
|
## Commands
|
|
|
|
Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:
|
|
|
|
```sh
|
|
nix run .#bootstrap-host -- [--admin <name>] <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
|
|
nix run .#bootstrap-host -- [--admin <name>] <main-target-host> <replica-target-host> [ssh-identity-file]
|
|
```
|
|
|
|
Example:
|
|
|
|
```sh
|
|
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
|
|
nix run .#bootstrap-host -- --admin jet main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
|
|
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
|
|
```
|
|
|
|
What bootstrap does:
|
|
|
|
- copies a first-boot module to the host
|
|
- runs `nixos-infect` on the Ubuntu VPS
|
|
- converts the machine to NixOS with the `jet` admin user
|
|
- disables direct root SSH
|
|
- fixes the known bad IPv6 routes generated by `nixos-infect`
|
|
- verifies that `jet` login and `sudo` work and that the host reaches `running`
|
|
|
|
What bootstrap is not:
|
|
|
|
- it is not the normal long-term deploy path
|
|
- it is not the full application rollout
|
|
- it is only the one-off Ubuntu-to-NixOS installer step
|
|
|
|
> This is made to only be run once and to potentially prop up new servers if needed
|
|
|
|
Deploy all already-bootstrapped hosts:
|
|
|
|
```sh
|
|
nix run .#deploy
|
|
```
|
|
|
|
Deploy one host only:
|
|
|
|
```sh
|
|
nix run .#deploy -- .#main-wiki
|
|
nix run .#deploy -- .#replica-wiki
|
|
```
|
|
|
|
Check the flake:
|
|
|
|
```sh
|
|
nix flake check 'path:.' --accept-flake-config
|
|
```
|
|
|
|
## Secret Model
|
|
|
|
- admin keys stay in `secrets/secrets.nix`
|
|
- host recipients live in `secrets/hosts/*.age.pub`
|
|
- host private age keys stay local in `.bootstrap/` and are gitignored
|
|
- hosts decrypt agenix secrets with `/var/lib/agenix/host.age`
|
|
- host SSH keys are separate and can rotate without breaking agenix
|
|
|
|
## Normal Lifecycle
|
|
|
|
1. Create a raw VPS.
|
|
2. Run `nix run .#bootstrap-host -- ...` from the repo root on an admin laptop.
|
|
3. The machine installs NixOS and comes up over public SSH.
|
|
4. Future configuration changes would be made through CI/CD.
|