improve nixos anywhere script:

- deploy age identity
- make script machine indepdendent
- add sanity check for wiping the system
create nix shell for running the script

.envrc

@@ -0,0 +1 @@
+use_flake

flake.lock

@@ -137,6 +137,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1699725108,
+        "narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1699291058,
@@ -158,7 +174,8 @@
         "agenix": "agenix",
         "deploy-rs": "deploy-rs",
         "disko": "disko",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable"
       }
     },
     "utils": {

flake.nix

@@ -3,6 +3,7 @@
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     deploy-rs.url = "github:serokell/deploy-rs";
     disko = {
       url = "github:nix-community/disko";
@@ -14,11 +15,17 @@
     };
   };
 
-  outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }:
-    let system = "x86_64-linux";
+  outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }:
+    let
+      system = "x86_64-linux";
+      pkgs = nixpkgs.legacyPackages.${system};
+      pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
     in {
+      devShells.${system}.default = pkgs.mkShell {
+        packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
+      };
 
-      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
+      formatter = pkgs.nixfmt;
 
       nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
         inherit system;
@@ -36,7 +43,7 @@
         nodes.jefke = {
           hostname = "jefke.hyp";
           profiles.hypervisor = {
-            path = deploy-rs.lib.x86_64-linux.activate.nixos
+            path = deploy-rs.lib.${system}.activate.nixos
               self.nixosConfigurations.hypervisor;
           };
         };

nixos-anywhere.sh

@@ -1,4 +1,25 @@
 #!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+servername="${1-}"
+
+if [ -z "$servername" ]
+  then
+    echo "Usage: $0 SERVERNAME"
+    exit 1
+fi
+
+confirmation="Yes, wipe ${servername}."
+
+echo "⚠️  This will wipe ${servername} completely! ⚠️"
+echo "Confirm by typing: \"${confirmation}\""
+read response
+
+if [ "$response" != "$confirmation" ]; then
+  echo "Aborting."
+  exit 1
+fi
 
 # Create a temporary directory
 temp=$(mktemp -d)
@@ -9,15 +30,14 @@ cleanup() {
 }
 trap cleanup EXIT
 
-# TODO from here
-# Create the directory where sshd expects to find the host keys
-install -d -m755 "$temp/etc/ssh"
+# Create directory where age key will go.
+# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
+mkdir "$temp/root"
 
-# Decrypt your private key from the password store and copy it to the temporary directory
-pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key"
+secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
 
-# Set the correct permissions so sshd will accept the key
-chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
+# Set the correct permissions
+chmod 600 "$temp/root/age_ed25519"
 
-# Install NixOS to the host system with our secrets
-nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip
+# Install NixOS to the host system with our age identity
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"