docs: add sections and fix typos/errors
@@ -16,13 +16,19 @@ To test the environment, you can launch a virtualized NixOS system derived from
|
|||||||
nix run '.#nixosConfigurations.<system>.config.system.build.vm'
|
nix run '.#nixosConfigurations.<system>.config.system.build.vm'
|
||||||
```
|
```
|
||||||
|
|
||||||
Here, `<system>` refers to the hostname of the system you want to test (e.g., tuxcord-ca).
|
Here, `<system>` refers to the hostname of the system you want to test (e.g., tuxcord-test).
|
||||||
|
|
||||||
Note that this will create a `qcow2` image file in the current directory. Nix will automatically manage changes to the configuration and update the image file accordingly while keeping part of its mutable state (e.g., root bash history).
|
Note that this will create a `qcow2` image file in the current directory. Nix will automatically manage changes to the configuration and update the image file accordingly while keeping part of its mutable state (e.g., root bash history).
|
||||||
|
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> Not all changes are applied automatically. Updates such as user passwords changes or modifications to the filesystem layout will require deleting the image file so that Nix can re-create it from scratch.
|
> Not all changes are applied automatically. Updates such as user passwords changes or modifications to the filesystem layout will require deleting the image file so that Nix can re-create it from scratch.
|
||||||
|
|
||||||
|
# Access
|
||||||
|
|
||||||
|
The initial password for the `root` account is `tuxcord`.
|
||||||
|
|
||||||
|
SSH login is enabled for the configured user keys, if using the VM test configuration, yo will have to use the bridged IP.
|
||||||
|
|
||||||
# Tooling
|
# Tooling
|
||||||
|
|
||||||
Tooling used to aid in development.
|
Tooling used to aid in development.
|
||||||
|
|||||||
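Review bot: The added `# Access` section gives the initial `root` password `tuxcord` and then says SSH login is enabled, without stating whether password login over SSH is possible or that the password is expected to be changed. Suggest saying explicitly that SSH accepts only the configured user keys (if that is the case) and pointing to wherever changing the root password is documented. The same added line has a typo and a comma splice: `yo will have to use the bridged IP` should read `you will`, and it belongs in its own sentence after `configured user keys`.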
+1
-1
@@ -42,7 +42,7 @@ Host specific configuration can be found at `nixos/hosts/tuxcord-XX`. This is us
|
|||||||
|
|
||||||
To learn how to get started, refer to the [Getting Started guide](./GETTING_STARTED.md).
|
To learn how to get started, refer to the [Getting Started guide](./GETTING_STARTED.md).
|
||||||
|
|
||||||
The guide contains basic instructions as to how to use Nix for this repository, as well as tools to help in certain tasks, some of this tools might be assumed accross document resources.
|
The guide contains basic instructions as to how to use Nix for this repository, as well as tools to help in certain tasks, some of this tools might be assumed across document resources.
|
||||||
|
|
||||||
It might also be useful to read the [installation section](#installation) to learn how to configure your testing environment.
|
It might also be useful to read the [installation section](#installation) to learn how to configure your testing environment.
|
||||||
|
|
||||||
|
|||||||
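Review bot: The changed line fixes `accross` but still reads `some of this tools` and joins two sentences with a comma. Suggest ending the first sentence at `certain tasks.` and continuing with `Some of these tools might be assumed across document resources.`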
+9
-3
@@ -6,14 +6,20 @@ Secrets are managed with `agenix` in the `agenix/` directory. This allows to dec
|
|||||||
|
|
||||||
The `agenix` help menu is already very helpful, but here you have a survival guide:
|
The `agenix` help menu is already very helpful, but here you have a survival guide:
|
||||||
|
|
||||||
- `agenix` commands should run relative to the `agenix/` direcotry.
|
- `agenix` commands should run relative to the `agenix/` directory.
|
||||||
- `agenix -d` allows you to descrypt such file if you possess any of the decryption keys.
|
- `agenix -d` allows you to descrypt such file if you possess any of the decryption keys.
|
||||||
- `agenix -e` decrypts (if present) and opens the file in your editor to re-encrypt when exited.
|
- `agenix -e` decrypts (if present) and opens the file in your editor to re-encrypt when exited.
|
||||||
- `agenix -r` re-encypts `*.age` files in the case you ever change its decryption keys.
|
- `agenix -r` re-encypts `*.age` files in the case you ever change its decryption keys.
|
||||||
|
|
||||||
# Secrets
|
# Secrets
|
||||||
|
|
||||||
<!-- TODO: missing ntfy.sh secret docs -->
|
There is a `ntfy.age` secret file which contents look like:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
NTFY_TOPIC=readable-name_XXXXXXXXXX
|
||||||
|
```
|
||||||
|
|
||||||
|
This secret file is meant to be sources by shells before using [ntfy.sh](<https://ntfy.sh/>) to push important notifications. This topic could contain sensitive information and must be kept secret amongst administrators.
|
||||||
|
|
||||||
## DNS TSIG Keys
|
## DNS TSIG Keys
|
||||||
|
|
||||||
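Review bot: The added ntfy paragraph has two wording errors: `which contents look like` should be `whose contents look like`, and `meant to be sources by shells` should be `meant to be sourced by shells`. The sentence `This topic could contain sensitive information` would be clearer if it said directly what has to stay secret: the value of `NTFY_TOPIC`, the notifications sent to it, or both. Since this commit already fixes `direcotry` in the list above, `descrypt` and `re-encypts` in the neighbouring bullets could be corrected in the same pass.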
@@ -24,5 +30,5 @@ These keys can be generated using `tsig-keygen <key-name>` (historically they we
|
|||||||
When DNS is enabled for a host, it will look for `dns/${fqdn}/${zone}.key` secrets.
|
When DNS is enabled for a host, it will look for `dns/${fqdn}/${zone}.key` secrets.
|
||||||
|
|
||||||
- The key whose zone matches the `${fqdn}` will be allowed to tramit updates for all the domain.
|
- The key whose zone matches the `${fqdn}` will be allowed to tramit updates for all the domain.
|
||||||
- Keys restrained to a specific `${subdomain}` will only be allowed to edit records of such subdomain.
|
- Keys restrained to a specific `${zone}` will only be allowed to edit records of such zone.
|
||||||
- All keys must be named with the zone they affect, final dot included, so that (e.g. `tuxcord.net/javalsai.tuxcord.net.key` must be generated by `tsig-keygen javalsai.tuxcord.net.`).
|
- All keys must be named with the zone they affect, final dot included, so that (e.g. `tuxcord.net/javalsai.tuxcord.net.key` must be generated by `tsig-keygen javalsai.tuxcord.net.`).
|
||||||
|
|||||||
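Review bot: After renaming `${subdomain}` to `${zone}` in the second bullet, the two bullets no longer read as distinct cases: the first covers the key whose zone matches `${fqdn}`, and the second covers keys "restrained to a specific `${zone}`", which also describes the first. Suggest wording the second bullet as a `${zone}` other than `${fqdn}`. In the unchanged bullets, `tramit` is still misspelled (the intended word should be confirmed with the author) and the last bullet's `so that (e.g. ...)` never completes its sentence.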
+7
-1
@@ -2,7 +2,13 @@
|
|||||||
|
|
||||||
The first configuration of the server needs some configuration of its mutable state:
|
The first configuration of the server needs some configuration of its mutable state:
|
||||||
|
|
||||||
Setup also heavily relies on the secrets configured, make sure you [undestand agenix](./SECRETS.md) good enough.
|
Setup also heavily relies on the secrets configured, make sure you [understand agenix](./SECRETS.md) good enough.
|
||||||
|
|
||||||
|
# Root Password
|
||||||
|
|
||||||
|
The `root` password is `tuxcord` by default on all system configurations. For security, it's important to remember to change it as soon as an installation is done.
|
||||||
|
|
||||||
|
The root account is intended to be kept active in case there ever is the need to perform a TTY login. But this will be rare so do keep a security complex password saved somewhere and don't share it beyond the necessary amount.
|
||||||
|
|
||||||
# SSH Keys
|
# SSH Keys
|
||||||
|
|
||||||
|
|||||||
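Review bot: The added `# Root Password` section asks for the default `tuxcord` password to be changed "as soon as an installation is done" but does not say how, or whether the change survives a later rebuild of the configuration. Suggest naming the command or option to use and where the new password is expected to be stored. Wording in the added and changed lines: `a security complex password` reads better as `a strong password`, and `good enough` in the agenix sentence as `well enough`.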