create top-level machine definition that is used by both deploy-rs and nixos
rename bootstrap script
This commit is contained in:
Pim Kunis 2023-11-15 12:55:57 +01:00
parent b4fbc0b955
commit 3550a6e8a8
4 changed files with 48 additions and 28 deletions


@ -1,11 +1,11 @@
{ machine, ...}:
{
age = {
identityPaths = [ "/root/age_ed25519" ];
secrets = {
# TODO: make machine independent
"jefke_host_ed25519".file = ./secrets/jefke_host_ed25519.age;
"jefke_user_ed25519".file = ./secrets/jefke_user_ed25519.age;
"host_ed25519".file = ./secrets/${machine.name}_host_ed25519.age;
"user_ed25519".file = ./secrets/${machine.name}_user_ed25519.age;
};
};
}
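Review bot: The `# TODO: make machine independent` comment directly above the secret entries is now misleading, because the two entries below it derive their `.age` path from `machine.name`; if that line survives this change it should be dropped, or reworded to describe what is still fixed (the single `/root/age_ed25519` entry in `identityPaths`). A one-line comment on the interpolated entries would also help a reader who does not know where `machine` comes from, since the flake passes it in through `specialArgs`: `# machine is injected via specialArgs from the flake's machines set; one .age file per machine name`. Note that a machine listed in the flake without matching `<name>_host_ed25519.age` and `<name>_user_ed25519.age` files will now fail at evaluation time rather than at deploy time, which is the safer failure but worth stating in that comment.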


@ -1,4 +1,4 @@
{ pkgs, config, ... }: {
{ pkgs, config, machine, ... }: {
imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ];
boot.loader = {
@ -31,10 +31,9 @@
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
# TODO! machine independent
extraConfig = ''
HostCertificate ${builtins.toFile "jefke_host_ed25519-cert.pub" (builtins.readFile ./jefke_host_ed25519-cert.pub)}
HostKey ${config.age.secrets.jefke_host_ed25519.path}
HostCertificate ${builtins.toFile "host_ed25519-cert.pub" machine.host-cert}
HostKey ${config.age.secrets.host_ed25519.path}
'';
};
@ -66,10 +65,9 @@
};
};
# TODO: machine independent
extraConfig = ''
CertificateFile ${builtins.toFile "jefke_user_ed25519-cert.pub" (builtins.readFile ./jefke_user_ed25519-cert.pub)}
HostKey ${config.age.secrets.jefke_user_ed25519.path}
CertificateFile ${builtins.toFile "user_ed25519-cert.pub" machine.user-cert}
HostKey ${config.age.secrets.user_ed25519.path}
'';
};
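Review bot: The rewritten `CertificateFile` / `HostKey` pair in the last hunk mixes a client keyword with a server keyword: `CertificateFile` is an ssh_config(5) option and `HostKey` is an sshd_config(5) option, so whichever `extraConfig` this block feeds will reject one of the two lines as a bad configuration option. The enclosing option starts outside the hunk; if it is the client-side `programs.ssh.extraConfig` (which the `CertificateFile` line suggests), the second line should read `IdentityFile ${config.age.secrets.user_ed25519.path}`, and if it is the sshd block the `CertificateFile` line does not belong there. The mismatch predates this commit, but the line is rewritten here, so it is the natural moment to fix it. The `# TODO: machine independent` comments above both `extraConfig` blocks are also stale now that the lines below them read `machine.host-cert`, `machine.user-cert` and the machine-neutral secret names, and should be removed if they survive the change.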


@ -20,33 +20,55 @@
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
machines = {
jefke = {
name = "jefke";
hostname = "jefke.hyp";
user-cert = builtins.readFile ./jefke_user_ed25519-cert.pub;
host-cert = builtins.readFile ./jefke_host_ed25519-cert.pub;
};
};
in {
devShells.${system}.default = pkgs.mkShell {
packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
};
formatter = pkgs.nixfmt;
nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./configuration.nix
packages = [
pkgs.libsecret
pkgs-unstable.nixos-anywhere
pkgs-unstable.deploy-rs
];
};
# TODO. if uncommented, nix flake check fails
# formatter = pkgs.nixfmt;
# TODO create helper
nixosConfigurations = nixpkgs.lib.foldlAttrs (acc: name: machine:
acc // {
"${name}" = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit machine; };
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./configuration.nix
];
};
}) { } machines;
deploy = {
sshUser = "root";
user = "root";
nodes.jefke = {
hostname = "jefke.hyp";
profiles.hypervisor = {
path = deploy-rs.lib.${system}.activate.nixos
self.nixosConfigurations.hypervisor;
};
};
# TODO create helper
nodes = nixpkgs.lib.foldlAttrs (acc: name: machine:
acc // {
"${name}" = {
hostname = machine.hostname;
profiles.hypervisor = {
path = deploy-rs.lib.${system}.activate.nixos
self.nixosConfigurations.${name};
};
};
}) { } machines;
};
checks = builtins.mapAttrs