aynish/commoncomputing-nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
44 Commits 1 Branch 0 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

Commons Computing NixOS Configuration

Infrastructure-as-code for Commons Computing's ATProto services.

Services

This flake manages the following services on asusmini:

  • PDS (Personal Data Server) - pds.commonscomputer.com:5556
  • Tangled Knot (Git forge) - knot.commonscomputer.com:5555
  • Tangled Spindle (CI runner) - spindle.commonscomputer.com:6555

All services are proxied through Caddy with automatic HTTPS.

Setup

Prerequisites

nix develop

Or install direnv to automatically get the devshell going.

This provides agenix and dnscontrol.

Managing Secrets

Secrets are managed with agenix. If you're unfamiliar with agenix, here is a good introduction.

Adding a New User's Key

  1. Get their SSH public key (ed25519 or RSA)
  2. Add it to secrets/secrets.nix in the appropriate key list
  3. Re-encrypt all secrets: 
    cd secrets
agenix -e pds-env.age  # repeat for each secret

Creating/Editing Secrets

cd secrets
agenix -e pds-env.age

This opens your $EDITOR with the decrypted content. Save and close to re-encrypt.

Adding New Secrets

  1. Add the secret to secrets/secrets.nix: 
    "new-secret.age".publicKeys = allKeys;
  2. Create it: 
    cd secrets
agenix -e new-secret.age
  3. Reference it in your NixOS config: 
    age.secrets.new-secret = {
  file = ../../secrets/new-secret.age;
  mode = "0400";
  owner = "service-user";
};

Deployment

Manual Deployment

From the server:

cd /etc/nixos  # or wherever this repo is cloned
git pull
sudo nixos-rebuild switch --flake .#asusmini

Auto-Update

A systemd timer runs weekly to:

  1. Pull latest git changes
  2. Run nix flake update
  3. Commit and push flake.lock changes
  4. Run nixos-rebuild switch with automatic rollback on failure

Setup required:

# On the server, generate SSH key for git push
ssh-keygen -t ed25519 -f /root/.ssh/commons-nix-deploy -N ""
cat /root/.ssh/commons-nix-deploy.pub
# Add the public key as a deploy key with write access to the GitHub repo

# Configure git to use the key
cat >> /root/.ssh/config <<EOF
Host github.com
  IdentityFile /root/.ssh/commons-nix-deploy
EOF

Manual trigger:

sudo systemctl start auto-update

Check status:

sudo systemctl status auto-update
sudo journalctl -u auto-update

Development

Updating Flake Inputs

nix flake update

Testing Changes Locally

nixos-rebuild build --flake .#asusmini

DNS Management

DNS is managed with dnscontrol (available in dev shell). See dns/README.md for details.

Architecture

┌─────────────────────────────────────────┐
│           Internet (HTTPS)              │
└────────────────┬────────────────────────┘
                 │
         ┌───────▼────────┐
         │  Caddy (80/443)│
         └───────┬────────┘
                 │
     ┌───────────┼───────────────┐
     │           │               │
┌────▼─────┐ ┌──▼────┐ ┌───────▼──────┐
│PDS (5556)│ │Knot   │ │Spindle (6555)│
│          │ │(5555) │ │              │
└──────────┘ └───────┘ └──────────────┘

Key Files

  • flake.nix - Main flake configuration
  • hosts/asusmini/ - Server-specific configuration
    • default.nix - Base system config
    • atproto.nix - ATProto service configs
    • hardware-configuration.nix - Hardware-specific settings
  • secrets/secrets.nix - Secret encryption keys
  • secrets/*.age - Encrypted secrets

Admin Contact

Primary admin: Anish

Notes

  • System uses NixOS unstable
  • All services run under dedicated system users
  • Secrets are encrypted at rest and decrypted on boot to /run/agenix/
  • Keep at least one personal SSH key in addition to the system key for emergency access
Reference in New Issue View Git Blame Copy Permalink
S
Description
Nix config for our non-cloudron server
Readme 182 KiB
Languages
Nix 97%
JavaScript 3%