improve nixos anywhere script:
- deploy age identity - make script machine independent - add sanity check for wiping the system - create nix shell for running the script
This commit is contained in:
parent
022a6aabb4
commit
b4fbc0b955
4 changed files with 59 additions and 14 deletions
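--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use_flake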
19
flake.lock
19
flake.lock
|
@ -137,6 +137,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1699725108,
|
||||
"narHash": "sha256-NTiPW4jRC+9puakU4Vi8WpFEirhp92kTOSThuZke+FA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "911ad1e67f458b6bcf0278fa85e33bb9924fed7e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1699291058,
|
||||
|
@ -158,7 +174,8 @@
|
|||
"agenix": "agenix",
|
||||
"deploy-rs": "deploy-rs",
|
||||
"disko": "disko",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
|
|
15
flake.nix
15
flake.nix
|
@ -3,6 +3,7 @@
|
|||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
|
||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
disko = {
|
||||
url = "github:nix-community/disko";
|
||||
|
@ -14,11 +15,17 @@
|
|||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }:
|
||||
let system = "x86_64-linux";
|
||||
outputs = { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
|
||||
in {
|
||||
devShells.${system}.default = pkgs.mkShell {
|
||||
packages = with pkgs-unstable; [ libsecret nixos-anywhere ];
|
||||
};
|
||||
|
||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
|
||||
formatter = pkgs.nixfmt;
|
||||
|
||||
nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
|
@ -36,7 +43,7 @@
|
|||
nodes.jefke = {
|
||||
hostname = "jefke.hyp";
|
||||
profiles.hypervisor = {
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
path = deploy-rs.lib.${system}.activate.nixos
|
||||
self.nixosConfigurations.hypervisor;
|
||||
};
|
||||
};
|
||||
|
|
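Review bot: `formatter = pkgs.nixfmt;` in the second hunk drops the per-system attribute that the replaced line had; the flake output schema expects `formatter.<system>`, so `nix fmt` will no longer find a formatter for x86_64-linux. Keep the system key while still using the new `pkgs` binding: `formatter.${system} = pkgs.nixfmt;`. The rest of the hunk (the `let` block and the devShell built from nixpkgs-unstable) looks consistent with the new input added in the first hunk.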
38
nixos-anywhere.sh
Normal file → Executable file
38
nixos-anywhere.sh
Normal file → Executable file
|
@ -1,4 +1,25 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
servername="${1-}"
|
||||
|
||||
if [ -z "$servername" ]
|
||||
then
|
||||
echo "Usage: $0 SERVERNAME"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
confirmation="Yes, wipe ${servername}."
|
||||
|
||||
echo "⚠️ This will wipe ${servername} completely! ⚠️"
|
||||
echo "Confirm by typing: \"${confirmation}\""
|
||||
read response
|
||||
|
||||
if [ "$response" != "$confirmation" ]; then
|
||||
echo "Aborting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create a temporary directory
|
||||
temp=$(mktemp -d)
|
||||
|
@ -9,15 +30,14 @@ cleanup() {
|
|||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
# TODO from here
|
||||
# Create the directory where sshd expects to find the host keys
|
||||
install -d -m755 "$temp/etc/ssh"
|
||||
# Create directory where age key will go.
|
||||
# Nixos-anwhere creates a kind of overlay and retains this structure on the final file system.
|
||||
mkdir "$temp/root"
|
||||
|
||||
# Decrypt your private key from the password store and copy it to the temporary directory
|
||||
pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key"
|
||||
secret-tool lookup age-identity "$servername" > "$temp/root/age_ed25519"
|
||||
|
||||
# Set the correct permissions so sshd will accept the key
|
||||
chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
|
||||
# Set the correct permissions
|
||||
chmod 600 "$temp/root/age_ed25519"
|
||||
|
||||
# Install NixOS to the host system with our secrets
|
||||
nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip
|
||||
# Install NixOS to the host system with our age identity
|
||||
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"
|
||||
|
|
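Review bot: The last line still runs `nix run github:numtide/nixos-anywhere`, which resolves the upstream flake at run time and is not covered by flake.lock, even though this commit adds nixos-anywhere to the devShell from the locked nixpkgs-unstable input; the tool that ships the SSH host key and age identity to the target should be the pinned one, so call it directly: `nixos-anywhere --extra-files "$temp" --flake '.#hypervisor' "root@$servername.hyp"`. `mkdir "$temp/root"` creates the directory that holds the age identity with the umask default, while the sibling line uses `install -d -m755` for /etc/ssh; if nixos-anywhere preserves directory modes when copying --extra-files, this could loosen /root on the target, so `install -d -m700 "$temp/root"` is the safer and more consistent form. `read response` should be `read -r response` so a backslash in the typed confirmation is not interpreted. The `# TODO from here` marker at the top of the second hunk appears to be left over now that the section it marked has been rewritten.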