This repository contains the configuration for the KoMa computing infrastructure. We run NixOS, with all configuration exposed through this flake.
We use wat for deployment. Use
deploy brausefrosch switch to switch to a new configuration, or
deploy brausefrosch reboot to reboot into a new configuration.
Run nix flake update --commit-lock-file to update all flake inputs
(most importantly, the version of nixpkgs used). Afterwards,
To upgrade to a newer NixOS release, check the release notes and update flake.nix to point to the corresponding branch. Then proceed with “Updating” and “Deployment”, as outlined above.
We are currently using a single machine, brausefrosch, hosted on the Hetzner cloud. Machine configurations go below machines/<hostname>. Machine-specific secrets can go into machines/<hostname>/secrets.yaml, see below for details.
Machine-independent configuration is encapsulated in individual modules, each located below modules/, and providing relevant configuration options for customisation. Individual machines can then enable these modules.
Secrets are managed using sops-nix. .sops.yaml configures which secrets are encrypted with which keys. Use nix run .#sops-rekey to update encrypted files after modifying these associations. Use nix run .#sops …/….yaml to edit a file containing encrypted secrets.
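The following is an added example, not code from the KoMa repository, showing how the module layout and the sops-nix secrets described above fit together: a reusable module below modules/ declaring its own options, and a machine configuration below machines/<hostname>/ that enables the module and feeds it a secret decrypted from that machine's secrets.yaml. The option namespace koma.backup, the hostname examplehost, the secret name restic-password and the repository path are all assumptions made for this example.

```nix
# --- modules/backup.nix (example module, assumed names) ---
# Declares a small option set so that machines only state *what* to back up;
# the service wiring stays in one place.
{ config, lib, pkgs, ... }:
let
  cfg = config.koma.backup;
in
{
  options.koma.backup = {
    enable = lib.mkEnableOption "nightly restic backups";

    paths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "/var/lib" ];
      description = "Directories to back up.";
    };

    passwordFile = lib.mkOption {
      type = lib.types.str;
      description = "Path to the repository password file (normally a sops-nix secret).";
    };
  };

  config = lib.mkIf cfg.enable {
    services.restic.backups.nightly = {
      inherit (cfg) paths passwordFile;
      repository = "/srv/backup/restic";   # assumption: local repository path
      initialize = true;
      timerConfig.OnCalendar = "daily";
    };
  };
}

# --- machines/examplehost/default.nix (example machine configuration) ---
{ config, ... }:
{
  imports = [ ../../modules/backup.nix ];

  # Encrypted secrets for this machine; edited with
  # `nix run .#sops machines/examplehost/secrets.yaml`.
  sops.defaultSopsFile = ./secrets.yaml;

  # sops-nix derives the host's age key from its SSH host key, so the
  # private key never has to leave the machine.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Each entry is decrypted to a file below /run/secrets/ at activation.
  # Restrict the mode so only root (which runs the backup service) can read it.
  sops.secrets."restic-password" = {
    mode = "0400";
  };

  koma.backup = {
    enable = true;
    paths = [ "/var/lib" "/srv/data" ];
    # Reference the decrypted path rather than the secret's contents, so the
    # password never ends up in the world-readable Nix store.
    passwordFile = config.sops.secrets."restic-password".path;
  };
}
```

For this to decrypt on the host, .sops.yaml needs a creation rule covering machines/examplehost/secrets.yaml that lists that host's age public key; after adding the rule, run nix run .#sops-rekey so the existing encrypted file is re-encrypted for the new key set.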
We use dnscontrol to manage our DNS zones. The main zones are die-koma.org and komapedia.org, which are both managed at INWX. We use a deSEC zone for dynamic DNS-01 ACME challenges. Use nix run .#dnscontrol preview to view the differences between configured and actual zone entries, and nix run .#dnscontrol push to push the configured zones to the nameservers.