diff --git a/README.md b/README.md
new file mode 100644
index 0000000..35019eb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,102 @@
+# Skynet
+
+This is teh core config for teh skynet cluster which uses [NixOS][1].
+
+## Dev
+### Prep
+
+1. Install [Nix][2]
+2. Enable [Flakes][3]
+
+The system ye use does nto matter much, I (@silver) use nix in wsl and it works grand.
+
+### Shell
+
+Now ye got nix installed and flakes enabled run ``nix develop`` in the root folder (same place this readme is).
+The dev dependencies you need to work with the project will be automatically installed.
+The specific config for this can be found [here][4].
+
+Specifically it installs [Colmena][5] and [Agenix][6].
+Colmena is a build and deployment tool, Agenix is for secret management.
+
+All following commands are inside the shell.
+### Colmena
+
+#### Building
+
+To build all nodes (servers) run:
+```shell
+colmena build
+```
+
+To build a specific one
+```shell
+colmena build --on skynet
+```
+
+To build a group (for example the dns servers)
+```shell
+colmena build --on @active-dns
+```
+
+#### Deploy
+Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.
+
+While the ***recommended way of deploying is using the CI/CD process*** there are times when you will have to manually deploy the config.
+One such case is the ``@active-gitlab`` group if either Gitlab or Gitlab-runner got updated.
+Another is if ye have fecked up DNS.
+
+```shell
+colmena apply --on @active-gitlab
+```
+
+The CI/CD pipeline has a manual job that can be triggered to update ``@active-gitlab`` if you know it wont cause issues.
+
+### Agenix
+
+Agenix is for storing secrets in an encrypted manner using ssh keys.
+
+All these commands require you to be in the secrets folder ``cd secrets``
+
+#### Prep
+1. Go to yer .ssh folder and see if you have a ``id_ed25519`` key ([tutorial][7])
+2. Make a pull request to add (``id_ed25519.pub``) to the [secrets config][8].
+3. An existing admin will pull, run ``agenix --rekey`` and commit changes.
+4. Once committed and pushed up and merged in, you will be able to edit secrets.
+
+``id_ed25519`` is preferred due to its neatness and security (Yes @silver is pedantic.)
+
+#### Editing
+When editing a terminal editor will open (nano).
+You must use teh path defined in the ``secrets.nix`` file.
+
+````shell
+agenix -e stream_ulfm.age
+agenix -e ldap/self_service.age
+agenix -e gitlab/runners/runner01.age
+````
+
+### Updating inputs
+Occasionally you will want to update the inputs for the project.
+It is best to do this every few months or so, there is always a risk of things changing so a small pain often is better than a nightmare if left longer.
+As seen in [this merge request][9] the layout of one config changed which had to be fixed.
+
+We should be updating ``nixpkgs`` at least once a semester, ideally to teh next NixOS release so we cna show ITD our servers are patched and up to date.
+
+```shell
+nix flake lock --update-input nixpkgs
+```
+
+
+
+
+
+[1]: https://nixos.org/explore
+[2]: https://nixos.org/download
+[3]: https://nixos.wiki/wiki/Flakes
+[4]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/blob/main/flake.nix#L33
+[5]: https://github.com/zhaofengli/colmena
+[6]: https://github.com/ryantm/agenix
+[7]: https://docs.gitlab.com/ee/user/ssh.html#see-if-you-have-an-existing-ssh-key-pair
+[8]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/blob/main/secrets/secrets.nix#L2
+[9]: https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/merge_requests/4
\ No newline at end of file
diff --git a/dev.nix b/dev.nix
deleted file mode 100644
index 759a79c..0000000
--- a/dev.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-# run with: nix-shell dev.nix
-# has everything installed for dev
-
-{ pkgs ? import {} }:
-with pkgs;
-let
-imports =
- let agenixCommit = "42d371d861a227149dc9a7e03350c9ab8b8ddd68";
- in
- {
- agenix = import
- (builtins.fetchTarball {
- url = "https://github.com/ryantm/agenix/archive/${agenixCommit}.tar.gz";
- sha256 = "14sszf5s85i4jd3lc8c167fbxvpj13da45wl1j7wpd20n0fic5c1";
- })
- { inherit pkgs; };
- };
-in mkShell {
- # nativeBuildInputs is usually what you want -- tools you need to run
- nativeBuildInputs = [
- pkgs.buildPackages.git
- pkgs.buildPackages.colmena
- pkgs.buildPackages.nmap
- ];
-
- buildInputs = [ imports.agenix.agenix ];
-
- shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
-}
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index b0233fe..2236dc8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,11 +23,24 @@
 skynet_website_2016.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2016?host=gitlab.skynet.ie";
 };
 
- outputs = { self, nixpkgs, ... } @inputs: {
- # https://github.com/zhaofengli/colmena
- # colmena apply --on agentjones
- # colmena apply --on @dns
- # nix flake lock --update-input skynet_ldap_backend
+ nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
+
+ outputs = { self, nixpkgs, agenix, ... } @inputs:
+ let
+ pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
+ in {
+
+ devShells.x86_64-linux.default = pkgs.mkShell {
+ name = "Skynet build env";
+ nativeBuildInputs = [
+ pkgs.buildPackages.git
+ pkgs.buildPackages.colmena
+ pkgs.buildPackages.nmap
+ ];
+ buildInputs = [ agenix.packages.x86_64-linux.default ];
+ shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
+ };
+
 colmena = {
 meta = {
 nixpkgs = import nixpkgs {
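Review bot: `pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;` in the flake.nix hunk reaches the package set and then re-selects it through the self-referential `pkgs` attribute; `nixpkgs.legacyPackages.x86_64-linux` alone is the same value. The system string is also spelled out three times in the new block (the `pkgs` binding, `devShells.x86_64-linux`, `agenix.packages.x86_64-linux`), so binding it once, `let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; in`, keeps the three in step if another system is ever added. The `--nonewlines` flag in `shellHook` is the one non-obvious line and has no why-comment; it presumably exists so agenix-edited secret files get no trailing newline, which is worth recording as `# --nonewlines: presumably so agenix-edited secrets get no trailing newline — confirm`. The `outputs` attribute set opened in this hunk continues past it.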