decommission-ca-host #32

Merged
torjus merged 3 commits from decommission-ca-host into master 2026-02-07 17:50:45 +00:00

Summary

Decommission the ca host (step-ca) and remove all legacy sops-nix infrastructure, completing the migration to OpenBao for secrets and PKI.

Changes

Host Removal:

  • Remove ca host from flake.nix
  • Delete hosts/ca/ directory
  • Delete services/ca/ directory (step-ca service module)

Monitoring Cleanup:

  • Remove labmon input and service (only used for step-ca certificate monitoring)
  • Remove labmon scrape target from Prometheus
  • Remove certificate_rules alert group from rules.yml
  • Delete services/monitoring/alloy.nix (only used for labmon profiling)

sops-nix Removal:

  • Remove sops-nix input from flake
  • Delete system/sops.nix module
  • Delete secrets/ directory (all encrypted secrets)
  • Delete .sops.yaml configuration
  • Remove age key generation from template prepare scripts
  • Update create-host tool to not include sops-nix in specialArgs

Documentation:

  • Create docs/plans/cert-monitoring.md documenting labmon removal and future needs
  • Move TODO.md to docs/plans/completed/automated-host-deployment-pipeline.md
  • Update CLAUDE.md to remove step-ca, ca host, labmon, and SOPS references

Migration Status

All hosts have been migrated to OpenBao PKI (completed in the migrate-to-openbao-pki branch). This PR completes the cleanup by removing the now-unused infrastructure.

torjus added 3 commits 2026-02-07 17:50:39 +00:00
hosts: decommission ca host and remove labmon
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
bdc6057689
Remove the step-ca host and labmon flake input now that ACME has been
migrated to OpenBao PKI.

Removed:
- hosts/ca/ - step-ca host configuration
- services/ca/ - step-ca service module
- labmon flake input and module (no longer used)

Updated:
- flake.nix - removed ca host and labmon references
- flake.lock - removed labmon input
- rebuild-all.sh - removed ca from host list
- CLAUDE.md - updated documentation

Note: secrets/ca/ should be manually removed by the user.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
flake: remove sops-nix (no longer used)
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
aedccbd9a0
All secrets are now managed by OpenBao (Vault). Remove the legacy
sops-nix infrastructure that is no longer in use.

Removed:
- sops-nix flake input
- system/sops.nix module
- .sops.yaml configuration file
- Age key generation from template prepare-host scripts

Updated:
- flake.nix - removed sops-nix references from all hosts
- flake.lock - removed sops-nix input
- scripts/create-host/ - removed sops references
- CLAUDE.md - removed SOPS documentation

Note: secrets/ directory should be manually removed by the user.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cleanup: remove legacy secrets directory and move TODO.md to completed plans
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Run nix flake check / flake-check (pull_request) Failing after 1s
f36457ee0d
- Remove secrets/ directory (sops-nix no longer in use, all hosts use Vault)
- Move TODO.md to docs/plans/completed/automated-host-deployment-pipeline.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus merged commit 4c1debf0a3 into master 2026-02-07 17:50:45 +00:00
torjus deleted branch decommission-ca-host 2026-02-07 17:50:45 +00:00
Reference: torjus/nixos-servers#32