improve nixos anywhere script:
- deploy age identity - make script machine independent - add sanity check for wiping the system - create nix shell for running the script
This commit is contained in:
parent
022a6aabb4
commit
b4fbc0b955
4 changed files with 59 additions and 14 deletions
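--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use_flake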
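--- a/flake.lock
+++ b/flake.lock
@@ -137,6 +137,22 @@
 "type": "github"
 }
 },
+"nixpkgs-unstable": {
+"locked": {
+"lastModified": 1699725108,
+"narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1699291058,
@@ -158,7 +174,8 @@
 "agenix": "agenix",
 "deploy-rs": "deploy-rs",
 "disko": "disko",
-"nixpkgs": "nixpkgs_2"
+"nixpkgs": "nixpkgs_2",
+"nixpkgs-unstable": "nixpkgs-unstable"
 }
 },
 "utils": {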
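--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
 
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 deploy-rs.url = "github:serokell/deploy-rs";
 disko = {
 url = "github:nix-community/disko";
@@ -14,11 +15,17 @@
 };
 };
 
-outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }:
-let system = "x86_64-linux";
+outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }:
+let
+system = "x86_64-linux";
+pkgs = nixpkgs.legacyPackages.${system};
+pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
 in {
+devShells.${system}.default = pkgs.mkShell {
+packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
+};
 
-formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
+formatter = pkgs.nixfmt;
 
 nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
 inherit system;
@@ -36,7 +43,7 @@
 nodes.jefke = {
 hostname = "jefke.hyp";
 profiles.hypervisor = {
-path = deploy-rs.lib.x86_64-linux.activate.nixos
+path = deploy-rs.lib.${system}.activate.nixos
 self.nixosConfigurations.hypervisor;
 };
 };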
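Review bot: `formatter = pkgs.nixfmt;` in the second hunk drops the system attribute that the removed `formatter.x86_64-linux = …` line carried, and the flake output schema keys `formatter` by system, so `nix fmt` resolving `formatter.x86_64-linux` would hit a derivation instead of an attribute set and fail. Keeping the key with `formatter.${system} = pkgs.nixfmt;` uses the `system` binding the same hunk introduces and stays consistent with the `devShells.${system}` and `deploy-rs.lib.${system}` changes elsewhere in this commit.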
38
nixos-anywhere.sh
Normal file → Executable file
38
nixos-anywhere.sh
Normal file → Executable file
|
@ -1,4 +1,25 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
IFS=$'\n\t'
|
||||||
|
|
||||||
|
servername="${1-}"
|
||||||
|
|
||||||
|
if [ -z "$servername" ]
|
||||||
|
then
|
||||||
|
echo "Usage: $0 SERVERNAME"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
confirmation="Yes, wipe ${servername}."
|
||||||
|
|
||||||
|
echo "⚠️ This will wipe ${servername} completely! ⚠️"
|
||||||
|
echo "Confirm by typing: \"${confirmation}\""
|
||||||
|
read response
|
||||||
|
|
||||||
|
if [ "$response" != "$confirmation" ]; then
|
||||||
|
echo "Aborting."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Create a temporary directory
|
# Create a temporary directory
|
||||||
temp=$(mktemp -d)
|
temp=$(mktemp -d)
|
||||||
|
@ -9,15 +30,14 @@ cleanup() {
|
||||||
}
|
}
|
||||||
trap cleanup EXIT
|
trap cleanup EXIT
|
||||||
|
|
||||||
# TODO from here
|
# Create directory where age key will go.
|
||||||
# Create the directory where sshd expects to find the host keys
|
# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
|
||||||
install -d -m755 "$temp/etc/ssh"
|
mkdir "$temp/root"
|
||||||
|
|
||||||
# Decrypt your private key from the password store and copy it to the temporary directory
|
secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
|
||||||
pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key"
|
|
||||||
|
|
||||||
# Set the correct permissions so sshd will accept the key
|
# Set the correct permissions
|
||||||
chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
|
chmod 600 "$temp/root/age_ed25519"
|
||||||
|
|
||||||
# Install NixOS to the host system with our secrets
|
# Install NixOS to the host system with our age identity
|
||||||
nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip
|
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"
|
||||||
|
|
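Review bot: The last line of the second hunk fetches `github:numtide/nixos-anywhere` unpinned through `nix run`, although this same commit adds `nixos-anywhere` from the locked `nixpkgs-unstable` input to the devShell; invoking the shell's binary, `nixos-anywhere --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"`, keeps the installer version pinned by flake.lock and reproducible. In that hunk the identity is written by redirection and only afterwards `chmod 600`, and `mkdir "$temp/root"` inherits the default umask where the removed `install -d -m755` at least set a mode explicitly, so an `umask 077` before the `mkdir` creates both the directory and the key file with restrictive modes from the start, assuming nixos-anywhere preserves those modes on the target. If `secret-tool lookup` prints nothing the script ships an empty identity file and proceeds with the wipe, so a guard such as `[ -s "$temp/root/age_ed25519" ] || { echo "No age identity found for $servername" >&2; exit 1; }` should follow the lookup. In the first hunk `read response` should be `read -r response` so the typed confirmation is compared without backslash processing. The `cleanup` function named in the `@ -9,15 +30,14 @@ cleanup() {` header is defined between the two hunks, outside this view.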