diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..c4b17d7 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use_flake diff --git a/flake.lock b/flake.lock index c5676f1..c86dadb 100644 --- a/flake.lock +++ b/flake.lock @@ -137,6 +137,22 @@ "type": "github" } }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1699725108, + "narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1699291058, @@ -158,7 +174,8 @@ "agenix": "agenix", "deploy-rs": "deploy-rs", "disko": "disko", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable" } }, "utils": { diff --git a/flake.nix b/flake.nix index 585f61e..42b3f0a 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; disko = { url = "github:nix-community/disko"; @@ -14,11 +15,17 @@ }; }; - outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }: - let system = "x86_64-linux"; + outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }: + let + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${system}; + pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; in { + devShells.${system}.default = pkgs.mkShell { + packages = with pkgs-unstable; [ libsecret nixos-anywhere ]; + }; - formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt; + formatter = pkgs.nixfmt; nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem { inherit system; 
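Review bot: In the `outputs` hunk of flake.nix, `formatter = pkgs.nixfmt;` drops the per-system attribute the removed line had (`formatter.x86_64-linux`); `nix fmt` and `nix flake check` look up `formatter.<system>`, so with this change they will try to index a derivation by `x86_64-linux` and fail. Since `system` is already bound in the new `let`, the line should read `formatter.${system} = pkgs.nixfmt;`. The new `devShells.${system}.default` line is fine, and the added `nixpkgs-unstable` input is pinned by the accompanying flake.lock entry, so the unstable toolchain in the dev shell is reproducible. Worth a comment on `pkgs-unstable` noting that only the dev shell draws from it while `nixosConfigurations.hypervisor` stays on 23.05, e.g. `# dev tooling only; hosts still build from the 23.05 input`.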
@@ -36,7 +43,7 @@ nodes.jefke = { hostname = "jefke.hyp"; profiles.hypervisor = { - path = deploy-rs.lib.x86_64-linux.activate.nixos + path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.hypervisor; }; }; diff --git a/nixos-anywhere.sh b/nixos-anywhere.sh old mode 100644 new mode 100755 index d6b6131..738cfe4 --- a/nixos-anywhere.sh +++ b/nixos-anywhere.sh @@ -1,4 +1,25 @@ #!/usr/bin/env bash +set -euo pipefail +IFS=$'\n\t' + +servername="${1-}" + +if [ -z "$servername" ] + then + echo "Usage: $0 SERVERNAME" + exit 1 +fi + +confirmation="Yes, wipe ${servername}." + +echo "⚠️ This will wipe ${servername} completely! ⚠️" +echo "Confirm by typing: \"${confirmation}\"" +read response + +if [ "$response" != "$confirmation" ]; then + echo "Aborting." + exit 1 +fi # Create a temporary directory temp=$(mktemp -d) @@ -9,15 +30,14 @@ cleanup() { } trap cleanup EXIT -# TODO from here -# Create the directory where sshd expects to find the host keys -install -d -m755 "$temp/etc/ssh" +# Create directory where age key will go. +# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system. +mkdir "$temp/root" -# Decrypt your private key from the password store and copy it to the temporary directory -pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key" +secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519" -# Set the correct permissions so sshd will accept the key -chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key" +# Set the correct permissions +chmod 600 "$temp/root/age_ed25519" -# Install NixOS to the host system with our secrets -nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip +# Install NixOS to the host system with our age identity +nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"
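Review bot: In the first nixos-anywhere.sh hunk, `read response` should be `read -r response` so a backslash in the typed text is not interpreted (the confirmation string has none today, but `set -euo pipefail` scripts usually opt into `-r` uniformly), and the usage message should go to stderr: `echo "Usage: $0 SERVERNAME" >&2`. Also note that with `set -e`, a closed stdin makes `read` fail and the script exit 1 before printing "Aborting.", which is acceptable but worth a one-line comment above `read` so nobody debugs it later.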
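Review bot: In the second nixos-anywhere.sh hunk, the age identity is written by `secret-tool lookup ... > "$temp/root/age_ed25519"` under the caller's default umask and only then `chmod 600`; the `mktemp -d` parent is 0700 so this is not exposed locally, but `mkdir "$temp/root"` is also created with the umask default, and nixos-anywhere copies `--extra-files` with a tar-style copy that I believe preserves modes, so `/root` on the installed host may end up 0755 rather than 0700. Setting `umask 077` right after the argument check and using `mkdir -m 700 "$temp/root"` removes both the window and the dependence on the copy tool's behaviour. Separately, `nix run github:numtide/nixos-anywhere --` fetches whatever the upstream default branch points at on every run, bypassing the lockfile, while the dev shell added in this same commit already provides a locked `nixos-anywhere` from `nixpkgs-unstable`; calling `nixos-anywhere --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"` directly keeps the installer pinned. The `--flake '.#hypervisor'` target is fixed while the wipe confirmation names `$servername`, which is fine while there is one host (`jefke`), but a comment such as `# every SERVERNAME installs the single 'hypervisor' configuration` would make that explicit; the comment above `mkdir` also misspells "Nixos-anwhere".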