init temp while waiting for public ip address

Anish Lakhwara
2025-10-16 02:37:11 -07:00
commit 680c000c36
10 changed files with 902 additions and 0 deletions
+171
@@ -0,0 +1,171 @@
# Commons Computing NixOS Configuration
Infrastructure-as-code for Commons Computing's ATProto services.
## Services
This flake manages the following services on `asusmini`:
- **PDS** (Personal Data Server) - `pds.commonscomputer.com:5556`
- **Tangled Knot** (Git forge) - `knot.commonscomputer.com:5555`
- **Tangled Spindle** (CI runner) - `spindle.commonscomputer.com:6555`
All services are proxied through Caddy with automatic HTTPS.
## Setup
### Prerequisites
```bash
nix develop
```
Or install direnv to automatically get the devshell going.
This provides `agenix` and `dnscontrol`.
### Managing Secrets
Secrets are managed with [agenix](https://github.com/ryantm/agenix). If you're unfamiliar with agenix, [here](https://www.splitbrain.org/blog/2025-07/27-agenix) is a good introduction.
#### Adding a New User's Key
1. Get their SSH public key (ed25519 or RSA)
2. Add it to `secrets/secrets.nix` in the appropriate key list
3. Re-encrypt all secrets:
```bash
cd secrets
agenix -e pds-env.age # repeat for each secret
```
#### Creating/Editing Secrets
```bash
cd secrets
agenix -e pds-env.age
```
This opens your `$EDITOR` with the decrypted content. Save and close to re-encrypt.
#### Adding New Secrets
1. Add the secret to `secrets/secrets.nix`:
```nix
"new-secret.age".publicKeys = allKeys;
```
2. Create it:
```bash
cd secrets
agenix -e new-secret.age
```
3. Reference it in your NixOS config:
```nix
age.secrets.new-secret = {
file = ../../secrets/new-secret.age;
mode = "0400";
owner = "service-user";
};
```
### Deployment
#### Manual Deployment
From the server:
```bash
cd /etc/nixos # or wherever this repo is cloned
git pull
sudo nixos-rebuild switch --flake .#asusmini
```
#### Auto-Update
A systemd timer runs weekly to:
1. Pull latest git changes
2. Run `nix flake update`
3. Commit and push flake.lock changes
4. Run `nixos-rebuild switch` with automatic rollback on failure
**Setup required:**
```bash
# On the server, generate SSH key for git push
ssh-keygen -t ed25519 -f /root/.ssh/commons-nix-deploy -N ""
cat /root/.ssh/commons-nix-deploy.pub
# Add the public key as a deploy key with write access to the GitHub repo
# Configure git to use the key
cat >> /root/.ssh/config <<EOF
Host github.com
IdentityFile /root/.ssh/commons-nix-deploy
EOF
```
**Manual trigger:**
```bash
sudo systemctl start auto-update
```
**Check status:**
```bash
sudo systemctl status auto-update
sudo journalctl -u auto-update
```
## Development
### Updating Flake Inputs
```bash
nix flake update
```
### Testing Changes Locally
```bash
nixos-rebuild build --flake .#asusmini
```
### DNS Management
DNS is managed with dnscontrol (available in dev shell).
## Architecture
```
┌─────────────────────────────────────────┐
│ Internet (HTTPS) │
└────────────────┬────────────────────────┘
┌───────▼────────┐
│ Caddy (80/443)│
└───────┬────────┘
┌───────────┼───────────────┐
│ │ │
┌────▼─────┐ ┌──▼────┐ ┌───────▼──────┐
│PDS (5556)│ │Knot │ │Spindle (6555)│
│ │ │(5555) │ │ │
└──────────┘ └───────┘ └──────────────┘
```
## Key Files
- `flake.nix` - Main flake configuration
- `hosts/asusmini/` - Server-specific configuration
- `default.nix` - Base system config
- `atproto.nix` - ATProto service configs
- `hardware-configuration.nix` - Hardware-specific settings
- `secrets/secrets.nix` - Secret encryption keys
- `secrets/*.age` - Encrypted secrets
## Admin Contact
Primary admin: Anish
## Notes
- System uses NixOS unstable
- All services run under dedicated system users
- Secrets are encrypted at rest and decrypted on boot to `/run/agenix/`
- Keep at least one personal SSH key in addition to the system key for emergency access
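Review bot: The Auto-Update section's setup (`ssh-keygen ... -N ""` in `/root/.ssh/` plus "Add the public key as a deploy key with write access to the GitHub repo") combined with the timer doing `git pull` and then `nixos-rebuild switch` means that write access to the tracked branch, or to that unencrypted key on the server, is equivalent to root on `asusmini`; the README should state that trust relationship explicitly (a line under Notes would do, e.g. "Anyone who can push to the branch the auto-update timer pulls can change this system's configuration"), name which branch and remote the timer follows, and recommend branch protection on the repository so the weekly `git pull` cannot pick up unreviewed commits. The same section should also say that `nix flake update` pulls unpinned upstream inputs each week with only rollback-on-failure as a safeguard, so an input change that builds cleanly is deployed without review; pointing readers at `journalctl -u auto-update` for the committed flake.lock diff would give them a place to check what changed. A smaller documentation point in "Adding a New User's Key": after editing `secrets/secrets.nix`, `agenix -r` re-encrypts every secret for the current key list in one step, which is less error-prone than the "repeat for each secret" `agenix -e` loop shown.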