38 lines
1.6 KiB
Markdown
38 lines
1.6 KiB
Markdown
# nixConfig
|
|
|
|
## Build a machine
|
|
### Local
|
|
If you want to build the machineconfiguration for machine <name>
|
|
run
|
|
```
|
|
nix build .#nixosConfiguration.<name>.config.system.build.toplevel
|
|
```
|
|
|
|
### On the machine
|
|
clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select
|
|
the appropriate machine based on hostname
|
|
|
|
|
|
### sops
|
|
|
|
We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
|
|
As of right now we use only `age` keys.
|
|
The machine keys are derived from their server ssh keys, that they generate at first boot.
|
|
User keys are generated by the users.
|
|
New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
|
|
|
|
To make a secret available on a given machine you need to do the following. Configure the following keys
|
|
|
|
```
|
|
sops.secrets.example-key = {
|
|
sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
|
|
path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
|
|
owner = user that owns the secret file: config.users.users.nerf.name (for example)
|
|
group = same as user just with groups: config.users.users.nerf.group
|
|
mode = "premission in usual octet: 0400 (for example)"
|
|
```
|
|
afterwards the secret should be available in `/run/secrets/example-key`.
|
|
If the accessing process is not root it must be member of the group `config.users.groups.keys`
|
|
for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
|
|
it the service config.
|
|
|