nixos/README.md

# Skynet

This is teh core config for teh skynet cluster which uses [NixOS][1].

## Dev 
### Prep 

1. Install [Nix][2]
2. Enable [Flakes][3]

The system ye use does nto matter much, I (@silver) use nix in wsl and it works grand.

### Shell

Now ye got nix installed and flakes enabled run ``nix develop`` in the root folder (same place this readme is).  
The dev dependencies you need to work with the project will be automatically installed.  
The specific config for this can be found [here][4].

Specifically it installs [Colmena][5] and [Agenix][6].  
Colmena is a build and deployment tool, Agenix is for secret management.

All following commands are inside the shell.
### Colmena

#### Building

To build all nodes (servers) run:
```shell
colmena build
```

To build a specific one
```shell
colmena build --on skynet
```

To build a group (for example the dns servers)
```shell
colmena build --on @active-dns
```

#### Deploy
Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.

While the ***recommended way of deploying is using the CI/CD process*** there are times when you will have to manually deploy the config.  
One such case is the ``@active-gitlab`` group if either Gitlab or Gitlab-runner got updated.  
Another is if ye have fecked up DNS.

Your ``~/.ssh/config``  should be set up as follows and you should be a member of ``skynet-admins-linux``

```ini
Host *.skynet.ie 193.1.99.* 193.1.96.165
   User username
   IdentityFile ~/.ssh/skynet/username
   IdentitiesOnly yes
```

Then you can run the following commands like so:

```shell
colmena apply
colmena apply --on @active-dns
colmena apply --on @active-gitlab
```

The CI/CD pipeline has a manual job that can be triggered to update ``@active-gitlab`` if you know it wont cause issues.

### Agenix

Agenix is for storing secrets in an encrypted manner using ssh keys.

All these commands require you to be in the secrets folder ``cd secrets``

#### Prep
1. Go to yer .ssh folder and see if you have a ``id_ed25519`` key ([tutorial][7])
2. Make a pull request to add (``id_ed25519.pub``) to the [secrets config][8].
3. An existing admin will pull, run ``agenix --rekey`` and commit changes.
4. Once committed and pushed up and merged in, you will be able to edit secrets.

``id_ed25519`` is preferred due to its neatness and security (Yes @silver is pedantic.)

#### Editing
When editing a terminal editor will open (nano).  
You must use teh path defined in the ``secrets.nix`` file.

````shell
agenix -e stream_ulfm.age
agenix -e ldap/self_service.age
agenix -e gitlab/runners/runner01.age
````

### Updating inputs
Occasionally you will want to update the inputs for the project.  
It is best to do this every few months or so, there is always a risk of things changing so a small pain often is better than a nightmare if left longer.  
As seen in [this merge request][9] the layout of one config changed which had to be fixed.  

We should be updating ``nixpkgs`` at least once a semester, ideally to teh next NixOS release so we cna show ITD our servers are patched and up to date.

```shell
nix flake lock --update-input nixpkgs
# newser versions
nix flake update nixpkgs
```

### Formatting
Formatting helps keep everything nice and consistent.  
The pipeline will only run if the file is correctly formatted.  

```shell
nix fmt
```





[1]: https://nixos.org/explore
[2]: https://nixos.org/download
[3]: https://nixos.wiki/wiki/Flakes
[4]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/blob/main/flake.nix#L33
[5]: https://github.com/zhaofengli/colmena
[6]: https://github.com/ryantm/agenix
[7]: https://docs.gitlab.com/ee/user/ssh.html#see-if-you-have-an-existing-ssh-key-pair
[8]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/blob/main/secrets/secrets.nix#L2
[9]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/merge_requests/4