Daragh Downes
a7b559972b
Some checks failed
Build_Deploy / linter (push) Successful in 6s
Build_Deploy / build (push) Failing after 1m29s
Build_Deploy / deploy_dns (push) Has been skipped
Build_Deploy / deploy_active (active) (push) Has been skipped
Build_Deploy / deploy_active (active-core) (push) Has been skipped
Build_Deploy / deploy_active (active-ext) (push) Has been skipped
|
||
---|---|---|
.forgejo/workflows | ||
.gitlab/issue_templates | ||
applications | ||
config | ||
ITD | ||
machines | ||
secrets | ||
sync | ||
.gitattributes | ||
.gitignore | ||
.gitlab-ci.yml | ||
.mailmap | ||
flake.lock | ||
flake.nix | ||
Possible_Server_Names.md | ||
README.md |
Skynet
This is teh core config for teh skynet cluster which uses NixOS.
Dev
Prep
The system ye use does nto matter much, I (@silver) use nix in wsl and it works grand.
Shell
Now ye got nix installed and flakes enabled run nix develop
in the root folder (same place this readme is).
The dev dependencies you need to work with the project will be automatically installed.
The specific config for this can be found here.
Specifically it installs Colmena and Agenix.
Colmena is a build and deployment tool, Agenix is for secret management.
All following commands are inside the shell.
Colmena
Building
To build all nodes (servers) run:
colmena build
To build a specific one
colmena build --on skynet
To build a group (for example the dns servers)
colmena build --on @active-dns
Deploy
Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.
While the recommended way of deploying is using the CI/CD process there are times when you will have to manually deploy the config.
One such case is the @active-gitlab
group if either Gitlab or Gitlab-runner got updated.
Another is if ye have fecked up DNS.
Your ~/.ssh/config
should be set up as follows and you should be a member of skynet-admins-linux
Host *.skynet.ie 193.1.99.* 193.1.96.165
User username
IdentityFile ~/.ssh/skynet/username
IdentitiesOnly yes
Then you can run the following commands like so:
colmena apply
colmena apply --on @active-dns
colmena apply --on @active-gitlab
The CI/CD pipeline has a manual job that can be triggered to update @active-gitlab
if you know it wont cause issues.
Agenix
Agenix is for storing secrets in an encrypted manner using ssh keys.
All these commands require you to be in the secrets folder cd secrets
Prep
- Go to yer .ssh folder and see if you have a
id_ed25519
key (tutorial) - Make a pull request to add (
id_ed25519.pub
) to the secrets config. - An existing admin will pull, run
agenix --rekey
and commit changes. - Once committed and pushed up and merged in, you will be able to edit secrets.
id_ed25519
is preferred due to its neatness and security (Yes @silver is pedantic.)
Editing
When editing a terminal editor will open (nano).
You must use teh path defined in the secrets.nix
file.
agenix -e stream_ulfm.age
agenix -e ldap/self_service.age
agenix -e gitlab/runners/runner01.age
Updating inputs
Occasionally you will want to update the inputs for the project.
It is best to do this every few months or so, there is always a risk of things changing so a small pain often is better than a nightmare if left longer.
As seen in this merge request the layout of one config changed which had to be fixed.
We should be updating nixpkgs
at least once a semester, ideally to teh next NixOS release so we cna show ITD our servers are patched and up to date.
nix flake lock --update-input nixpkgs
# newser versions
nix flake update nixpkgs
Formatting
Formatting helps keep everything nice and consistent.
The pipeline will only run if the file is correctly formatted.
nix fmt