# nixConfig

## Build a machine
### Local
If you want to build the machineconfiguration for machine <name>
run
```
nix build .#nixosConfiguration.<name>.config.system.build.toplevel
```

### On the machine
clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select
the appropriate machine based on hostname


### sops

We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
As of right now we use only `age` keys.
The machine keys are derived from their server ssh keys, that they generate at first boot.
User keys are generated by the users.
New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.

To make a secret available on a given machine you need to do the following. Configure the following keys

```
sops.secrets.example-key = {
  sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
  path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
  owner = user that owns the secret file: config.users.users.nerf.name (for example)
  group = same as user just with groups: config.users.users.nerf.group
  mode = "premission in usual octet: 0400 (for example)"
```
afterwards the secret should be available in `/run/secrets/example-key`.
If the accessing process is not root it must be member of the group `config.users.groups.keys`
for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
it the service config.