From 3550a6e8a808a40806c591134e284b73df34794e Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 15 Nov 2023 12:55:57 +0100
Subject: [PATCH] create top-level machine definition that is used by both deploy-rs and nixos rename bootstrap script
---
 agenix.nix                        |  6 ++--
 nixos-anywhere.sh => bootstrap.sh |  0
 configuration.nix                 | 12 +++---
 flake.nix                         | 58 +++++++++++++++++++++----------
 4 files changed, 48 insertions(+), 28 deletions(-)
 rename nixos-anywhere.sh => bootstrap.sh (100%)
diff --git a/agenix.nix b/agenix.nix
index 2bd6b1b..2f442c0 100644
--- a/agenix.nix
+++ b/agenix.nix
@@ -1,11 +1,11 @@
+{ machine, ...}:
 {
   age = {
     identityPaths = [ "/root/age_ed25519" ];
     secrets = {
-      # TODO: make machine independent
-      "jefke_host_ed25519".file = ./secrets/jefke_host_ed25519.age;
-      "jefke_user_ed25519".file = ./secrets/jefke_user_ed25519.age;
+      "host_ed25519".file = ./secrets/${machine.name}_host_ed25519.age;
+      "user_ed25519".file = ./secrets/${machine.name}_user_ed25519.age;
     };
   };
 }
diff --git a/nixos-anywhere.sh b/bootstrap.sh
similarity index 100%
rename from nixos-anywhere.sh
rename to bootstrap.sh
diff --git a/configuration.nix b/configuration.nix
index d20f040..15c49d8 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }: {
+{ pkgs, config, machine, ... }: {
   imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ];
   boot.loader = {
@@ -31,10 +31,9 @@
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
     };
-    # TODO! machine independent
     extraConfig = ''
-      HostCertificate ${builtins.toFile "jefke_host_ed25519-cert.pub" (builtins.readFile ./jefke_host_ed25519-cert.pub)}
-      HostKey ${config.age.secrets.jefke_host_ed25519.path}
+      HostCertificate ${builtins.toFile "host_ed25519-cert.pub" machine.host-cert}
+      HostKey ${config.age.secrets.host_ed25519.path}
     '';
   };
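Review bot: `HostKey ${config.age.secrets.host_ed25519.path}` in the sshd `extraConfig` adds the CA-signed key, but unless `services.openssh.hostKeys = [ ];` is set in the part of this block that starts above the hunk, NixOS still generates and loads its default host keys, so the daemon keeps offering uncertified keys next to the certified one and host identity is not solely anchored in the CA. If the intent is that only the agenix-provided key is ever presented, add `hostKeys = [ ];` beside `extraConfig`, and note it with `# only the CA-signed key from agenix; do not let NixOS generate extra host keys`. Publishing `machine.host-cert` through `builtins.toFile` into the store is fine, since the certificate is public data; the private key stays on the agenix path. The `services.openssh` block this hunk belongs to starts outside the hunk.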
@@ -66,10 +65,9 @@
       };
     };
-    # TODO: machine independent
     extraConfig = ''
-      CertificateFile ${builtins.toFile "jefke_user_ed25519-cert.pub" (builtins.readFile ./jefke_user_ed25519-cert.pub)}
-      HostKey ${config.age.secrets.jefke_user_ed25519.path}
+      CertificateFile ${builtins.toFile "user_ed25519-cert.pub" machine.user-cert}
+      HostKey ${config.age.secrets.user_ed25519.path}
     '';
   };
diff --git a/flake.nix b/flake.nix
index 42b3f0a..c5056ad 100644
--- a/flake.nix
+++ b/flake.nix
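Review bot: `HostKey` on the line after `CertificateFile` looks like the wrong keyword for this block: `CertificateFile` is an ssh_config (client) option, while `HostKey` only exists in sshd_config, so if this `extraConfig` is the `programs.ssh` client configuration (its header is above the hunk, so I am inferring from the option mix) the private key for the user certificate should be given as `IdentityFile ${config.age.secrets.user_ed25519.path}`. As written, ssh either rejects the option as a bad configuration line or, at best, never pairs the certificate with its key. If this is instead a second sshd instance, `CertificateFile` is the stray option; either way the two keywords do not belong to the same parser. Worth a one-line comment above the block stating which program consumes it, e.g. `# ssh client config: user certificate + matching private key decrypted by agenix`.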
@@ -20,33 +20,55 @@
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
       pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
+      machines = {
+        jefke = {
+          name = "jefke";
+          hostname = "jefke.hyp";
+          user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub;
+          host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub;
+        };
+      };
     in {
       devShells.${system}.default = pkgs.mkShell {
-        packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
-      };
-
-      formatter = pkgs.nixfmt;
-
-      nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
-        inherit system;
-        modules = [
-          disko.nixosModules.disko
-          agenix.nixosModules.default
-          ./configuration.nix
+        packages = [
+          pkgs.libsecret
+          pkgs-unstable.nixos-anywhere
+          pkgs-unstable.deploy-rs
         ];
       };
+      # TODO. if uncommented, nix flake check fails
+      # formatter = pkgs.nixfmt;
+
+      # TODO create helper
+      nixosConfigurations = nixpkgs.lib.foldlAttrs (acc: name: machine:
+        acc // {
+          "${name}" = nixpkgs.lib.nixosSystem {
+            inherit system;
+            specialArgs = { inherit machine; };
+            modules = [
+              disko.nixosModules.disko
+              agenix.nixosModules.default
+              ./configuration.nix
+            ];
+          };
+        }) { } machines;
       deploy = {
         sshUser = "root";
         user = "root";
-        nodes.jefke = {
-          hostname = "jefke.hyp";
-          profiles.hypervisor = {
-            path = deploy-rs.lib.${system}.activate.nixos
-              self.nixosConfigurations.hypervisor;
-          };
-        };
+        # TODO create helper
+        nodes = nixpkgs.lib.foldlAttrs (acc: name: machine:
+          acc // {
+            "${name}" = {
+              hostname = machine.hostname;
+              profiles.hypervisor = {
+                path = deploy-rs.lib.${system}.activate.nixos
+                  self.nixosConfigurations.${name};
+              };
+            };
+          }) { } machines;
       };
       checks = builtins.mapAttrs
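Review bot: `name = "jefke";` inside `machines.jefke` duplicates the attribute key, and the two are used for different things: `agenix.nix` selects the secret files from `machine.name`, while `nixosConfigurations` and `deploy.nodes` are keyed by the attribute name, so a copy-pasted entry whose `name` still reads `jefke` would build and deploy under the new node name but decrypt jefke's host and user keys onto it. Inject the key in the fold instead, `specialArgs = { machine = machine // { inherit name; }; };`, and drop the `name` field so the two cannot drift. The two `foldlAttrs (acc: name: machine: acc // { "${name}" = … }) { } machines` loops are `nixpkgs.lib.mapAttrs` written by hand; using it directly also resolves both `# TODO create helper` comments. `checks = builtins.mapAttrs` on the last line continues past the hunk.
```nix
# … unchanged: machines (without the redundant name field), devShells …
nixosConfigurations = nixpkgs.lib.mapAttrs (name: machine:
  nixpkgs.lib.nixosSystem {
    inherit system;
    # name is taken from the attribute key so secrets and deploy nodes agree
    specialArgs = { machine = machine // { inherit name; }; };
    modules = [
      disko.nixosModules.disko
      agenix.nixosModules.default
      ./configuration.nix
    ];
  }) machines;

deploy = {
  sshUser = "root";
  user = "root";
  nodes = nixpkgs.lib.mapAttrs (name: machine: {
    hostname = machine.hostname;
    profiles.hypervisor.path =
      deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${name};
  }) machines;
};
```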