Closed delroth closed 4 months ago
Sounds good overall.
I would even remove the bastion and wireguard. Make things simple. Take a step back. And then once you're comfortable, re-introduce appropriate security measures. If you have the NixOS firewall enabled, and password auth disabled on OpenSSH, things are already pretty secure.
Might be worth introducing Tailscale for access management and ssh. It would probably make it cleaner to handle ACLs and access control in general.
I won't be making much progress on this for the next ~7 days, so current progress on nixops removal is dumped at https://github.com/NixOS/nixos-org-configurations/compare/master...delroth:nixos-org-configurations:remove-nixops if someone wants to move things forward in the meantime.
I think we can call this fixed:

Unify access management, currently very fragmented.
    infra-build can ssh root@{eris,haumea,rhea}.nixos.org

Unify deployment mechanisms.
    Everything can now be done with a nixos-rebuild --flake. In the future we can add colmena support for convenience.

Introduce proper secret management.
    delft/* now uses agenix. TBD: moving non-critical-infra to agenix too to align.
Please take this as an RFC and feel free to yell at what seems to be a bad idea and/or suggest improvements.

Goals

- Unify access management, currently very fragmented. [...] nixops ssh from bastion, some only accessible via ssh on WireGuard, varying login usernames depending on the host.
- Unify deployment mechanisms. [...] nixops and manual on-host nixos-rebuild.
- Introduce proper secret management. [...] bastion deployed via nixops, and manually deployed secret files on rhea and bastion.

Plan

- [...] root SSH access for all core infra SSH keys.
- [...] sops-nix.
- [...] non-critical-infra.
- [...] nixops completely.
- [...] outputs.nixosConfigurations per machine, as well as outputs.colmena for colmena compat for remote deployment.
- [...] rhea. So for now, until new use cases appear for this, let's stop relying on any cross-machine configuration and keep every nixosConfiguration independently evaluable.

Future improvements

- [...] bastion and get rid of it.
- [...] nixops is dead + secrets versioned, the use case for bastion kind of goes away (no more unversioned state required for a deployment tool).
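What the plan above looks like as a flake, as an added illustration that is not code from nixos-org-configurations: one nixosConfiguration per machine that evaluates without reading any other host, an outputs.colmena shim built from the same modules, the baseline delroth describes (NixOS firewall on, OpenSSH password auth off, root reachable only by the core-infra keys) and an agenix-managed secret in place of a manually copied file. The host names eris, haumea and rhea come from the thread; the key strings, the secrets/example-token.age path, the nixos.org target hostnames and the agenix input details are assumptions for the example.

```nix
# Added example, not from nixos-org-configurations. Host names come from the
# thread; the keys, secret path and input URLs are placeholders (assumptions).
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, agenix, ... }:
    let
      system = "x86_64-linux";

      # One set of core-infra keys, installed for root on every host, replaces
      # per-host usernames, the bastion hop and WireGuard-only access.
      coreInfraKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyAdmin0000000000000000 admin1"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyAdmin1111111111111111 admin2"
      ];

      # Baseline every host gets: firewall on (only SSH open), no password or
      # keyboard-interactive auth, root reachable by key only.
      baseModule = { ... }: {
        networking.firewall.enable = true;
        networking.firewall.allowedTCPPorts = [ 22 ];
        services.openssh = {
          enable = true;
          settings = {
            PasswordAuthentication = false;
            KbdInteractiveAuthentication = false;
            PermitRootLogin = "prohibit-password";
          };
        };
        users.users.root.openssh.authorizedKeys.keys = coreInfraKeys;
      };

      # Per-host modules. Nothing here reads another host's configuration, so
      # each nixosConfiguration evaluates on its own.
      hostModules = {
        eris = [ ];
        haumea = [ ];
        rhea = [
          ({ ... }: {
            # Secret kept in the repo as an age-encrypted file (path assumed),
            # decrypted on rhea with its own SSH host key at activation time.
            age.secrets.example-token.file = ./secrets/example-token.age;
          })
        ];
      };

      modulesFor = name: extra:
        [ baseModule agenix.nixosModules.default { networking.hostName = name; } ]
        ++ extra;
    in
    {
      # Deploy any host directly, no bastion or deployment state needed:
      #   nixos-rebuild switch --flake .#rhea --target-host root@rhea.nixos.org
      nixosConfigurations = builtins.mapAttrs
        (name: extra: nixpkgs.lib.nixosSystem {
          inherit system;
          modules = modulesFor name extra;
        })
        hostModules;

      # Same modules exposed to colmena, so `colmena apply --on rhea` builds
      # exactly what nixos-rebuild would.
      colmena = {
        meta.nixpkgs = import nixpkgs { inherit system; };
      } // builtins.mapAttrs
        (name: extra: {
          deployment.targetHost = "${name}.nixos.org";  # target hostnames assumed
          deployment.targetUser = "root";
          imports = modulesFor name extra;
        })
        hostModules;
    };
}
```

The point of routing both outputs through modulesFor is that colmena and nixos-rebuild --flake cannot drift: whichever tool someone reaches for, the host gets the same firewall, sshd and key configuration. Because the encrypted secret file is committed and decrypted on the target, there is no unversioned state left that a bastion would have to hold.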