change nixos -> nix

nix/flake/bootstrap/bootstrap.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+servername="${1-}"
+
+hostname="${2-}"
+
+if [ -z "$servername" ] || [ -z "$hostname" ]
+  then
+    echo "Usage: $0 SERVERNAME HOSTNAME"
+    exit 1
+fi
+
+confirmation="Yes, wipe ${servername}."
+
+echo "⚠️  This will wipe ${servername} completely! ⚠️"
+echo "Confirm by typing: \"${confirmation}\""
+read response
+
+if [ "$response" != "$confirmation" ]; then
+  echo "Aborting."
+  exit 1
+fi
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create directory where age key will go.
+# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
+mkdir "$temp/etc"
+
+secret-tool lookup age-identity "$servername" > "$temp/etc/age_ed25519"
+
+# Set the correct permissions
+chmod 600 "$temp/etc/age_ed25519"
+
+# Install NixOS to the host system with our age identity
+nixos-anywhere --help #--extra-files "$temp" --flake ".#${servername}" "root@${hostname}"

nix/flake/bootstrap/default.nix

@@ -0,0 +1,16 @@
+{ flake-utils, hostPkgs, ... }: flake-utils.lib.eachDefaultSystem (system: {
+  packages.bootstrap =
+    let
+      name = "bootstrap";
+      buildInputs = with hostPkgs; [ libsecret coreutils nixos-anywhere ];
+      script = (hostPkgs.writeScriptBin name (builtins.readFile ./bootstrap.sh)).overrideAttrs (old: {
+        buildCommand = "${old.buildCommand}\n patchShebangs $out";
+      });
+    in
+    hostPkgs.symlinkJoin {
+      inherit name;
+      paths = [ script ] ++ buildInputs;
+      buildInputs = [ hostPkgs.makeWrapper ];
+      postBuild = "wrapProgram $out/bin/${name} --set PATH $out/bin";
+    };
+})

nix/flake/checks.nix

@@ -0,0 +1,11 @@
+{ self, hostPkgs, machines, flake-utils, deploy-rs, ... }: flake-utils.lib.eachDefaultSystem (system: {
+  # Deploy-rs' flake checks seem broken for architectures different from the deployment machine.
+  # We skip these here.
+  checks = deploy-rs.lib.${system}.deployChecks (self.deploy // {
+    nodes = (hostPkgs.lib.attrsets.filterAttrs
+      (name: node:
+        machines.${name}.arch == system
+      )
+      self.deploy.nodes);
+  });
+})

nix/flake/deploy.nix

@@ -0,0 +1,23 @@
+{ self, hostPkgs, physicalMachines, deploy-rs, ... }:
+let
+  mkDeployNodes = nodeDef:
+    builtins.mapAttrs
+      (name: machine: nodeDef name machine)
+      physicalMachines;
+in
+{
+  deploy = {
+    sshUser = "root";
+    user = "root";
+
+    nodes = mkDeployNodes (name: machine: {
+      hostname = self.nixosConfigurations.${name}.config.networking.fqdn;
+      profiles.system = {
+        remoteBuild = machine.arch != hostPkgs.stdenv.hostPlatform.system;
+        path = deploy-rs.lib.${machine.arch}.activate.nixos
+          self.nixosConfigurations.${name};
+      };
+    });
+  };
+
+}

nix/flake/nixos.nix

@@ -0,0 +1,20 @@
+{ nixpkgs, machines, physicalMachines, dns, microvm, disko, agenix, nixos-hardware, ... }:
+let
+  mkNixosSystems = systemDef:
+    builtins.mapAttrs
+      (name: machine:
+        nixpkgs.lib.nixosSystem (systemDef name machine)
+      )
+      physicalMachines;
+in
+{
+  nixosConfigurations = mkNixosSystems (name: machine: {
+    system = machine.arch;
+
+    specialArgs = { inherit machines machine dns microvm disko agenix nixos-hardware; };
+    modules = [
+      ../.
+      { networking.hostName = name; }
+    ];
+  });
+}