improve nixos anywhere script:

- deploy age identity
- make script machine independent
- add sanity check for wiping the system
create nix shell for running the script
This commit is contained in:
Pim Kunis 2023-11-15 11:41:45 +01:00
parent 022a6aabb4
commit b4fbc0b955
4 changed files with 59 additions and 14 deletions

1
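--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use_flake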


@ -137,6 +137,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1699725108,
"narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1699291058, "lastModified": 1699291058,
@ -158,7 +174,8 @@
"agenix": "agenix", "agenix": "agenix",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"disko": "disko", "disko": "disko",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable"
} }
}, },
"utils": { "utils": {


@ -3,6 +3,7 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
@ -14,11 +15,17 @@
}; };
}; };
outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }: outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }:
let system = "x86_64-linux"; let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
in { in {
devShells.${system}.default = pkgs.mkShell {
packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
};
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt; formatter = pkgs.nixfmt;
nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem { nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
@ -36,7 +43,7 @@
nodes.jefke = { nodes.jefke = {
hostname = "jefke.hyp"; hostname = "jefke.hyp";
profiles.hypervisor = { profiles.hypervisor = {
path = deploy-rs.lib.x86_64-linux.activate.nixos path = deploy-rs.lib.${system}.activate.nixos
self.nixosConfigurations.hypervisor; self.nixosConfigurations.hypervisor;
}; };
}; };
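Review bot: `formatter = pkgs.nixfmt;` on the new side of the second hunk drops the per-system attribute that the old `formatter.x86_64-linux = …` had; `nix fmt` resolves `formatter.<system>`, so the line should read `formatter.${system} = pkgs.nixfmt;`, using the `system` binding the commit just moved into the `let`. The dev shell takes `nixos-anywhere` and `libsecret` from the new `nixpkgs-unstable` input, which flake.lock pins, so the provisioning tool is reproducible as long as the script actually uses the shell's copy (see the note on nixos-anywhere.sh). The hunk's old-line count does not match the lines shown, so some context (probably blank lines) appears to have been dropped in rendering.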

38
nixos-anywhere.sh Normal file → Executable file

@ -1,4 +1,25 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'
servername="${1-}"
if [ -z "$servername" ]
then
echo "Usage: $0 SERVERNAME"
exit 1
fi
confirmation="Yes, wipe ${servername}."
echo "⚠️ This will wipe ${servername} completely! ⚠️"
echo "Confirm by typing: \"${confirmation}\""
read response
if [ "$response" != "$confirmation" ]; then
echo "Aborting."
exit 1
fi
# Create a temporary directory # Create a temporary directory
temp=$(mktemp -d) temp=$(mktemp -d)
@ -9,15 +30,14 @@ cleanup() {
} }
trap cleanup EXIT trap cleanup EXIT
# TODO from here # Create directory where age key will go.
# Create the directory where sshd expects to find the host keys # Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
install -d -m755 "$temp/etc/ssh" mkdir "$temp/root"
# Decrypt your private key from the password store and copy it to the temporary directory secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key"
# Set the correct permissions so sshd will accept the key # Set the correct permissions
chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key" chmod 600 "$temp/root/age_ed25519"
# Install NixOS to the host system with our secrets # Install NixOS to the host system with our age identity
nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"
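Review bot: The final line runs `nix run github:numtide/nixos-anywhere --`, which fetches the upstream default branch at whatever revision it is on each invocation and is not recorded in flake.lock, even though this commit already adds a pinned `nixos-anywhere` to the dev shell that `.envrc` loads; calling the binary directly keeps the provisioning tool pinned: `nixos-anywhere --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"`. The confirmation prompt in the first hunk should use `read -r response` so a backslash in the typed phrase is not interpreted. The age identity is written by redirection before the `chmod 600`, so it briefly exists with umask-default permissions; `$temp` from `mktemp -d` is normally mode 0700, which limits exposure, but an explicit `umask 077` after `set -euo pipefail` would make the intent clear. The `.hyp` suffix and the `.#hypervisor` attribute stay hard-coded, so the script is independent only across hosts that share both; a comment saying so, e.g. `# Assumes every target is a hypervisor reachable at SERVERNAME.hyp`, would save the next reader a surprise. `cleanup()` begins before this hunk.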