Maintenance

Building

System Configurations

All of the hosts are available as packages using the .#system-HOSTNAME path. For example, to build the octopi host, you would run:

nom build .#system-octopi

Deploying

Using deploy-rs

  1. add the host as normal
  2. add the host and profiles to the top level deploy.nodes set
  3. run deploy or deploy .#<host> -s --remote-build

Manual Deployment

If you are on the remote host, all you need to do is run:

git clone http://voile.armadillo-banfish.ts.net:8418/tsunaminoai/nix-flake-final.git
# or from GitHub:
# git clone https://github.com/tsunaminoai/nix-flake-final.git
cd nix-flake-final
nix develop
nh os switch .#

If on the deployment server:

nh os build -H <host> .# -o result
nix copy --to ssh://<user>@<host> ./result
ssh <user>@<host> 'sudo /nix/store/<hash>/bin/switch-to-configuration switch'
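As an added example (not part of this repository's own scripts), the three deployment-server steps above wrapped in a POSIX shell function. It resolves the store path of the built system from the `result` link with `readlink -f`, so the hash never has to be typed by hand, and refuses to copy anything that does not point into the Nix store. The `NIX_DEPLOY_DRY_RUN` variable and the `is_store_path` helper are this script's own assumptions, not part of `nh` or `nix`.

```shell
#!/bin/sh
# Added example: manual deployment of one host from the deployment server.
# Usage: deploy_host <user> <host>    (set NIX_DEPLOY_DRY_RUN=1 to only print the steps)
set -eu

# Accept only paths of the form /nix/store/<32-char hash>-<name>.
is_store_path() {
  case "$1" in
    /nix/store/[0-9a-z]*-?*) ;;
    *) return 1 ;;
  esac
  sp_hash=${1#/nix/store/}
  sp_hash=${sp_hash%%-*}
  [ "${#sp_hash}" -eq 32 ]
}

# Build, copy and activate the system closure for one host.
deploy_host() {
  user=$1
  host=$2
  # Run a command, or just echo it when NIX_DEPLOY_DRY_RUN=1.
  run() {
    if [ "${NIX_DEPLOY_DRY_RUN:-0}" = 1 ]; then
      echo "+ $*"
    else
      "$@"
    fi
  }
  # Step 1: build the host configuration into ./result (command from the page).
  run nh os build -H "$host" .# -o result
  # Resolve ./result to its /nix/store/<hash>-nixos-system-... target.
  path=$(readlink -f result)
  is_store_path "$path" || {
    echo "result does not point into the Nix store: $path" >&2
    return 1
  }
  # Step 2: copy the closure to the remote store over SSH.
  run nix copy --to "ssh://$user@$host" "$path"
  # Step 3: activate it on the remote host.
  run ssh "$user@$host" "sudo $path/bin/switch-to-configuration switch"
}
```

Note that the remote `nix copy` step only succeeds if `<user>` is listed in `trusted-users` on the target, or the copied paths carry a signature from a key in the target's `trusted-public-keys`; an unsigned closure from an untrusted user is rejected by the remote daemon, which is the check that keeps an arbitrary SSH user from pushing a system closure of their own.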

See also NixOS for more information on building and deploying NixOS configurations.

Nix storage

Currently, Nix storage is a local binary cache served from Ereshkigal. It is used for all builds and deployments and is available to all hosts.

It may be worth converting this to an S3 bucket on voile1.

Development Shell

Currently, the development shell is set up to use the nix develop command. This can be used to enter a development environment with all of the necessary dependencies and tools installed. If direnv is installed, it will automatically load the environment when you enter the directory.

Run menu to see the available commands in the development shell.

Useful Commands provided by the Shell

The shell uses just for all recipes. Run just with no arguments to see all available commands.

  • just docs-build - build this documentation site
  • just docs-serve - build and serve this documentation site locally
  • just nix-store-fix - repair the Nix store (verify + check contents)
  • just clean-nix - clean the Nix store and remove old generations
  • just treefmt - format all code (Nix, etc.)
  • just vulscan - run a vulnerability scan (use the nix develop .#security shell)
  • just sbom <host> - generate a Software Bill of Materials for a host
  • just borg-generate-secrets <host> - generate borg SSH key + passphrase in secrets.yaml
  • just sops-update-hosts - re-encrypt secrets.yaml after updating .sops.yaml
  • just get-host-key <host> - fetch and save a host’s SSH host key to modules/nixos/security/pubkeys/
  • just plasma-settings-dump-nix - dump current KDE Plasma settings as a plasma-manager nix snippet

Other Useful Commands available in the Shell

  • nh os switch .# - switch the system configuration for the current host
  • nh os build -H <host> .# - build the system configuration for the specified host
  • nh home switch .# - switch the home-manager configuration for the current user
  • nh home build -c user@host .# - build the home-manager configuration for the specified user and host
  • nix run github:tiiuae/sbomnix#sbomnix ./result -- --buildtime - generate a Software Bill of Materials for the system closure in the result directory, including build time dependencies
  • nix run github:tiiuae/sbomnix#nixgraph -- --depth=3 ./result - generate a graph of the closure dependencies using nixgraph
  • nix run github:tiiuae/sbomnix#nix_outdated -- ./result - check for outdated packages in the system closure using nix_outdated
  • nix run github:tiiuae/sbomnix#provenance (nixpkgs#hello or ./result) --recursive -out ./provenance.json - generate a provenance file for a package using sbomnix