Skynet

This is teh core config for teh skynet cluster which uses NixOS.

Dev

Prep

1. Install Nix
2. Enable Flakes

The system ye use does nto matter much, I (@silver) use nix in wsl and it works grand.

Shell

Now ye got nix installed and flakes enabled run nix develop in the root folder (same place this readme is).
The dev dependencies you need to work with the project will be automatically installed.
The specific config for this can be found here.

Specifically it installs Colmena and Agenix.
Colmena is a build and deployment tool, Agenix is for secret management.

All following commands are inside the shell.

Colmena

Building

To build all nodes (servers) run:

colmena build

To build a specific one

colmena build --on skynet

To build a group (for example the dns servers)

colmena build --on @active-dns

Deploy

Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.

While the recommended way of deploying is using the CI/CD process there are times when you will have to manually deploy the config.
One such case is the @active-gitlab group if either Gitlab or Gitlab-runner got updated.
Another is if ye have fecked up DNS.

Your ~/.ssh/config should be set up as follows and you should be a member of skynet-admins-linux

Host *.skynet.ie 193.1.99.* 193.1.96.165
   User username
   IdentityFile ~/.ssh/skynet/username
   IdentitiesOnly yes

Then you can run the following commands like so:

colmena apply
colmena apply --on @active-dns
colmena apply --on @active-gitlab

The CI/CD pipeline has a manual job that can be triggered to update @active-gitlab if you know it wont cause issues.

Agenix

Agenix is for storing secrets in an encrypted manner using ssh keys.

All these commands require you to be in the secrets folder cd secrets

Prep

1. Go to yer .ssh folder and see if you have a id_ed25519 key (tutorial)
2. Make a pull request to add (id_ed25519.pub) to the secrets config.
3. An existing admin will pull, run agenix --rekey and commit changes.
4. Once committed and pushed up and merged in, you will be able to edit secrets.

id_ed25519 is preferred due to its neatness and security (Yes @silver is pedantic.)

Editing

When editing a terminal editor will open (nano).
You must use teh path defined in the secrets.nix file.

agenix -e stream_ulfm.age
agenix -e ldap/self_service.age
agenix -e gitlab/runners/runner01.age

Updating inputs

Occasionally you will want to update the inputs for the project.
It is best to do this every few months or so, there is always a risk of things changing so a small pain often is better than a nightmare if left longer.
As seen in this merge request the layout of one config changed which had to be fixed.

We should be updating nixpkgs at least once a semester, ideally to teh next NixOS release so we cna show ITD our servers are patched and up to date.

nix flake lock --update-input nixpkgs
# newser versions
nix flake update nixpkgs

Formatting

Formatting helps keep everything nice and consistent.
The pipeline will only run if the file is correctly formatted.

nix fmt