docs: mark auth01, ca, and sops-nix removal as complete
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s

- auth01 host and services (authelia, lldap) already removed
- ca host and services already removed (PKI migrated to OpenBao)
- sops-nix fully removed (secrets/, .sops.yaml gone)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 22:33:18 +01:00
parent 98e808cd6c
commit e937c68965


@@ -25,7 +25,8 @@ Hosts to migrate:
| jelly01 | Stateful | Jellyfin metadata, watch history, config | | jelly01 | Stateful | Jellyfin metadata, watch history, config |
| pgdb1 | Stateful | PostgreSQL databases | | pgdb1 | Stateful | PostgreSQL databases |
| ~~jump~~ | ~~Decommission~~ | ✓ Complete | | ~~jump~~ | ~~Decommission~~ | ✓ Complete |
| ca | Deferred | Pending Phase 4c PKI migration to OpenBao | | ~~auth01~~ | ~~Decommission~~ | ✓ Complete |
| ~~ca~~ | ~~Deferred~~ | ✓ Complete |
## Phase 1: Backup Preparation ## Phase 1: Backup Preparation
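Review bot: the new `ca` row is inconsistent with the other decommissioned rows in this table. `jump` and `auth01` keep the category `~~Decommission~~` in the second column, while `ca` carries its old status `~~Deferred~~`, so the column now mixes host category with prior state. Suggest `| ~~ca~~ | ~~Decommission~~ | ✓ Complete |` so a reader scanning the table sees at a glance that all three were decommissions rather than migrations.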
@@ -181,36 +182,41 @@ through before starting Zigbee2MQTT on the new host.
Host was already removed from flake.nix and VM destroyed. Configuration cleaned up in ba9f47f. Host was already removed from flake.nix and VM destroyed. Configuration cleaned up in ba9f47f.
### auth01 ### auth01 ✓ COMPLETE
1. Remove host configuration from `hosts/auth01/`
2. Remove from `flake.nix`
3. Remove any secrets in `secrets/auth01/`
4. Remove from `.sops.yaml`
5. Remove `services/authelia/` and `services/lldap/` (only used by auth01)
6. Destroy the VM in Proxmox
7. Commit cleanup
## Phase 6: Decommission ca Host (Deferred) ~~1. Remove host configuration from `hosts/auth01/`~~
~~2. Remove from `flake.nix`~~
~~3. Remove any secrets in `secrets/auth01/`~~
~~4. Remove from `.sops.yaml`~~
~~5. Remove `services/authelia/` and `services/lldap/` (only used by auth01)~~
~~6. Destroy the VM in Proxmox~~
~~7. Commit cleanup~~
Deferred until Phase 4c (PKI migration to OpenBao) is complete. Once all hosts use the Host configuration, services, and VM already removed.
## Phase 6: Decommission ca Host ✓ COMPLETE
~~Deferred until Phase 4c (PKI migration to OpenBao) is complete. Once all hosts use the
OpenBao ACME endpoint for certificates, the step-ca host can be decommissioned following OpenBao ACME endpoint for certificates, the step-ca host can be decommissioned following
the same cleanup steps as the jump host. the same cleanup steps as the jump host.~~
## Phase 7: Remove sops-nix PKI migration to OpenBao complete. Host configuration, `services/ca/`, and VM removed.
Once `ca` is decommissioned (Phase 6), `sops-nix` is no longer used by any host. Remove ## Phase 7: Remove sops-nix ✓ COMPLETE
all remnants:
- `sops-nix` input from `flake.nix` and `flake.lock`
- `sops-nix.nixosModules.sops` from all host module lists in `flake.nix`
- `inherit sops-nix` from all specialArgs in `flake.nix`
- `system/sops.nix` and its import in `system/default.nix`
- `.sops.yaml`
- `secrets/` directory
- All `sops.secrets.*` declarations in `services/ca/`, `services/authelia/`, `services/lldap/`
- Template scripts that generate age keys for sops (`hosts/template/scripts.nix`,
`hosts/template2/scripts.nix`)
See `docs/plans/completed/sops-to-openbao-migration.md` for full context. ~~Once `ca` is decommissioned (Phase 6), `sops-nix` is no longer used by any host. Remove
all remnants:~~
~~- `sops-nix` input from `flake.nix` and `flake.lock`~~
~~- `sops-nix.nixosModules.sops` from all host module lists in `flake.nix`~~
~~- `inherit sops-nix` from all specialArgs in `flake.nix`~~
~~- `system/sops.nix` and its import in `system/default.nix`~~
~~- `.sops.yaml`~~
~~- `secrets/` directory~~
~~- All `sops.secrets.*` declarations in `services/ca/`, `services/authelia/`, `services/lldap/`~~
~~- Template scripts that generate age keys for sops (`hosts/template/scripts.nix`,
`hosts/template2/scripts.nix`)~~
All sops-nix remnants removed. See `docs/plans/completed/sops-to-openbao-migration.md` for context.
## Notes ## Notes
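Review bot: the auth01 and ca completion notes lack the cleanup commit reference that the jump section carries ("Configuration cleaned up in ba9f47f"), so the only trace of when those hosts and `services/authelia/`, `services/lldap/`, `services/ca/` were removed is this docs commit. Suggest appending the cleanup commit hash to "Host configuration, services, and VM already removed." and to the ca note in the same way (the hash is not on this page, so it needs to be filled in from the git log). Separately, the Phase 7 checklist confirms `secrets/` and `.sops.yaml` are gone from the tree, but that ciphertext and the keys that could decrypt it remain in git history; the completion note should state whether the secrets that lived there (including the auth01 and ca entries listed in steps 3 and 4) were rotated when moved to OpenBao, or point to where that is recorded in `docs/plans/completed/sops-to-openbao-migration.md`. Also note the page header reports `nix flake check / flake-check (push)` failing after 1s on this push; a docs-only change should not affect evaluation, so the failure is likely unrelated, but it is worth confirming before treating the sops-nix removal from `flake.nix` as verified.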
@@ -219,7 +225,7 @@ See `docs/plans/completed/sops-to-openbao-migration.md` for full context.
- The old VMs use IPs that the new VMs need, so the old VM must be shut down before - The old VMs use IPs that the new VMs need, so the old VM must be shut down before
the new one is provisioned (or use a temporary IP and swap after verification) the new one is provisioned (or use a temporary IP and swap after verification)
- Stateful migrations should be done during low-usage windows - Stateful migrations should be done during low-usage windows
- After all migrations are complete, the only hosts not in OpenTofu will be ca (deferred) - After all migrations are complete, all decommissioned hosts (jump, auth01, ca) have been removed
- Since many hosts are being recreated, this is a good opportunity to establish consistent - Since many hosts are being recreated, this is a good opportunity to establish consistent
hostname naming conventions before provisioning the new VMs. Current naming is inconsistent hostname naming conventions before provisioning the new VMs. Current naming is inconsistent
(e.g. `ns1` vs `nix-cache01`, `ha1` vs `auth01`, `pgdb1` vs `http-proxy`). Decide on a (e.g. `ns1` vs `nix-cache01`, `ha1` vs `auth01`, `pgdb1` vs `http-proxy`). Decide on a
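Review bot: the rewritten OpenTofu bullet mixes tenses and drops the original point. "After all migrations are complete, all decommissioned hosts (jump, auth01, ca) have been removed" no longer says what the old line said about OpenTofu coverage; suggest "After all migrations are complete, every remaining host is managed by OpenTofu; jump, auth01 and ca have been decommissioned." The unchanged naming bullet below it still cites `ha1` vs `auth01` as an example of inconsistent hostnames even though auth01 is now removed; swap it for a host that still exists so the example stays valid.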