Initialize host on official NixOS infrastructure #454

Merged
Erethon merged 8 commits from init-stf-master into main 2024-12-17 10:04:08 +00:00
Erethon commented 2024-12-10 22:05:58 +00:00 (Migrated from github.com)

This PR initializes the `stfmaster` host for running the Nix Security Tracker on official NixOS infrastructure. Closes #175.

Things left to do before marking this as ready to review:

  • [x] Change ACME email to `infra@nixos.org`, depends on children task
    • [x] Change the domain to something that's under nixos.org
  • ~~[ ] Automated deployments after merging to master~~ Making this out of scope for this PR and moving it to a new one so it's easier to review.
  • [x] Documentation for this setup can be part of another PR or we can add it here.

Things not carried over from staging:

  • The S3 reverse proxy
  • Glitchtip
  • Other staging specific (raito-dc, ipv4-to-v6 proxy, etc) configurations

A [Prometheus Node Exporter](https://github.com/prometheus/node_exporter) is added on the host in order to allow scraping of metrics to use in prometheus.nixos.org. This isn't locked down to specific IPs, since the metrics themselves will be public either way (and it's what the infra team is already doing with other hosts). We can add more exporters (postgres, etc) in the future as needed.

One of the notable things in this PR is the handling of SSH keys for the root account. I've copied over the keys from `staging`, but I'm also including the ssh keys from the [NixOS infra team](https://github.com/NixOS/infra/blob/0d476c97da758e94856e02dc90f772e54841b58e/ssh-keys.nix) (in the specific linked commit).
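The host setup described in the PR description, written out as an added NixOS configuration example. This is not the PR's own file: the hostname follows the review suggestion below, the `stagingKeys` list and the `infra-ssh-keys.nix` import path are placeholders standing in for the copied staging keys and the linked infra team file, and the `scraperAddr` value and the firewall rule that admits only the Prometheus scraper are an assumption added here as the lock-down the description chose not to do (set `openFirewall = true` and drop the rule to reproduce the PR's public exporter).

```nix
# hosts/sectracker/configuration.nix -- added example, not the PR's file.
{ config, lib, pkgs, ... }:

let
  # Placeholder: paste the root keys copied from the staging host here.
  stagingKeys = [ ];
  # Assumed: a local, pinned copy of NixOS/infra's ssh-keys.nix
  # (the PR links one specific commit of that file).
  infraKeys = import ./infra-ssh-keys.nix;
  # Assumed address of the prometheus.nixos.org scraper (RFC 5737 placeholder).
  scraperAddr = "192.0.2.10";
in
{
  networking.hostName = "sectracker";

  # ACME registration contact; the vhost under nixos.org lives elsewhere.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "infra@nixos.org";

  # Root logs in by key only; the key list is staging plus the infra team.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };
  users.users.root.openssh.authorizedKeys.keys = stagingKeys ++ infraKeys;

  # Node exporter for prometheus.nixos.org.
  services.prometheus.exporters.node = {
    enable = true;
    port = 9100;
    listenAddress = "0.0.0.0";
    enabledCollectors = [ "systemd" ];
    # Do not open 9100/tcp to the world via the generic rules; the
    # extraCommands rule below admits only the scraper. The PR itself
    # leaves the port public (openFirewall = true, no source filter).
    openFirewall = false;
  };

  # Assumed hardening: accept 9100/tcp only from scraperAddr. Rules added to
  # the nixos-fw chain are recreated whenever the firewall is reloaded.
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p tcp --dport 9100 -s ${scraperAddr} -j nixos-fw-accept
  '';
}
```

After a deploy, check the exposure from a host other than the scraper with `curl -m 5 http://<host>:9100/metrics`; with the rule in place it should time out, while the scraper still gets the metrics page.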
fricklerhandwerk (Migrated from github.com) reviewed 2024-12-10 23:46:23 +00:00
fricklerhandwerk (Migrated from github.com) commented 2024-12-10 23:46:23 +00:00
```suggestion
  networking.hostName = "sectracker";
```

I recommend something along these lines. While the Sovereign Tech Fund (STF) made all of this possible to begin with by funding the project, the service is the Nixpkgs security tracker.
Erethon (Migrated from github.com) reviewed 2024-12-11 11:54:23 +00:00
Erethon (Migrated from github.com) commented 2024-12-11 11:54:23 +00:00

Agreed and nice catch, applied.
fricklerhandwerk (Migrated from github.com) reviewed 2024-12-11 13:04:28 +00:00
fricklerhandwerk (Migrated from github.com) commented 2024-12-11 13:04:28 +00:00
```suggestion
Agenix decrypts secrets on the host by using its [OpenSSH host keys](https://github.com/ryantm/agenix#ageidentitypaths).
Reading the [Agenix tutorial](https://github.com/ryantm/agenix#tutorial) is recommended.
```
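What the suggested documentation line means in practice, as an added example that is not part of the PR or of agenix itself: two files shown together, the `secrets.nix` that fixes the encryption recipients and the NixOS module fragment that decrypts with the host's own SSH host key. The secret name, the service user, the `agenix` flake input and all key strings are placeholders; a real recipient entry is the contents of `/etc/ssh/ssh_host_ed25519_key.pub` on the target host.

```nix
# --- secrets/secrets.nix ---------------------------------------------------
# Evaluated by the `agenix` CLI, not by NixOS. Every listed public key can
# decrypt the file; the host key must be among them or the host cannot read
# the secret at activation time.
let
  # Administrators allowed to run `agenix -e` on these files (placeholders).
  admins = [
    "ssh-ed25519 PLACEHOLDER-ADMIN-KEY erethon"
  ];
  # The host's own public host key from /etc/ssh/ssh_host_ed25519_key.pub.
  sectracker = "ssh-ed25519 PLACEHOLDER-HOST-KEY root@sectracker";
in
{
  "sectracker-django-secret.age".publicKeys = admins ++ [ sectracker ];
}

# --- hosts/sectracker/secrets.nix (NixOS module) ---------------------------
{ config, agenix, ... }:   # `agenix` is an assumed flake input
{
  imports = [ agenix.nixosModules.default ];

  # Private identities tried for decryption; the ed25519 host key matches
  # the recipient above. This is also agenix's default, stated explicitly.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.django-secret = {
    file  = ../../secrets/sectracker-django-secret.age;
    owner = "web-security-tracker";   # assumed service user
    group = "web-security-tracker";
    mode  = "0400";                   # decrypted under /run/agenix/
  };
}
```

Two checks worth keeping in mind: a host whose SSH host key is regenerated (reinstall, new machine) can no longer decrypt anything until its new public key is added to `secrets.nix` and every file is re-encrypted with `agenix -r`; and a secret that is readable only by root but consumed by the service must set `owner`/`group` as above, since `/run/agenix/*` defaults to root-only.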