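{ self, ... }:
{
  perSystem =
    { pkgs, ... }:
    let
      # Shell snippet shared by both bootstrap apps. For `host` it:
      #   1. creates a throw-away directory (mktemp -d, removed on EXIT) that
      #      mirrors the target's /persist/etc/ssh layout,
      #   2. generates a fresh, unencrypted ed25519 SSH host key there
      #      (host keys cannot have a passphrase),
      #   3. derives the matching age recipient with ssh-to-age,
      #   4. writes that recipient into the `host` anchor of infra/.sops.yaml
      #      and re-encrypts the base secrets to the updated recipient set.
      # It leaves $rootdir, $extrafiles and $keydir defined for the installer
      # step that follows it.
      #
      # NOTE: the repo edits happen *before* the installer runs (the target must
      # be able to decrypt secrets on first boot). If the installer then fails,
      # the private key is already gone with the temp dir while .sops.yaml and
      # secrets.yaml already reference it; re-running the app generates a new
      # key and rewrites both files, so nothing is lost as long as the
      # operator's own key is still a recipient.
      rotateHostKey = host: ''
        rootdir="$(git rev-parse --show-toplevel)"
        extrafiles="$(mktemp -d)"
        trap 'rm -rf "$extrafiles"' EXIT
        keydir="$extrafiles/persist/etc/ssh"
        mkdir --parents "$keydir"
        privatekey="$keydir/ssh_host_ed25519_key"
        publickey="$privatekey.pub"
        ssh-keygen -t ed25519 -N "" -C "root@${host}" -f "$privatekey"
        chmod 600 "$privatekey"
        chmod 644 "$publickey"
        agekey="$(ssh-to-age < "$publickey")"
        yq \
          --inplace \
          "(.keys | .. | select(anchor == \"${host}\")) = \"$agekey\"" \
          "$rootdir/infra/.sops.yaml"
        sops updatekeys --yes "$rootdir/infra/modules/base/secrets.yaml"
      '';

      # Printed after a successful install: the key rotation above edited the
      # working tree and the new host can only decrypt secrets once those
      # edits are committed.
      sopsReminder = ''
        printf "\n\nIMPORTANT: Remember to save the changes to the .sops.yaml file!\n"
      '';

      # Wraps a bootstrap script into a flake app named `bootstrap-<host>`.
      #   host          - machine name; also the binary name suffix
      #   runtimeInputs - packages put on PATH for the script
      #   script        - the shell text (writeShellApplication adds
      #                   `set -euo pipefail` and shellcheck)
      #   description   - shown by `nix flake show` / `nix run` listings
      mkBootstrapApp =
        { host, runtimeInputs, script, description }:
        let
          bin = pkgs.writeShellApplication {
            name = "bootstrap-${host}";
            inherit runtimeInputs;
            text = script;
          };
        in
        {
          type = "app";
          program = "${bin}/bin/bootstrap-${host}";
          meta.description = description;
        };
    in
    {
      # Remote install of indra: the host key is shipped to the target by
      # nixos-anywhere via --extra-files, so it never touches another machine
      # except this (0700) temp dir.
      apps.infra-bootstrap-indra = mkBootstrapApp {
        host = "indra";
        runtimeInputs = [
          # keep-sorted start
          pkgs.git
          pkgs.nixos-anywhere
          pkgs.openssh
          pkgs.sops
          pkgs.ssh-to-age
          pkgs.yq-go
          # keep-sorted end
        ];
        # NOTE(review): the --target-host value below reads like an obfuscated
        # address; confirm it is the intended root@<target> before relying on it.
        script = rotateHostKey "indra" + ''
          nixos-anywhere \
            --flake "$rootdir#indra" \
            --extra-files "$extrafiles" \
            --target-host "[email protected]"
        '' + sopsReminder;
        description = "bootstrap the indra machine by doing a fresh installation";
      };

      # Local install of plato from the live installer: disko-install copies
      # the generated host key into /persist/etc/ssh of the new system.
      apps.infra-bootstrap-plato = mkBootstrapApp {
        host = "plato";
        runtimeInputs = [
          # keep-sorted start
          pkgs.disko
          pkgs.git
          pkgs.openssh
          pkgs.sops
          pkgs.ssh-to-age
          pkgs.yq-go
          # keep-sorted end
        ];
        script = ''
          # The live installer creates its own hostid which results in the import of
          # the ZFS pool failing. Instead forcefully set the hostid as configured in Nix.
          sudo rm -rf /etc/hostid
          sudo zgenhostid -f "${self.nixosConfigurations.plato.config.networking.hostId}"
        '' + rotateHostKey "plato" + ''
          sudo disko-install \
            --flake "$rootdir#plato" \
            --disk main "/dev/disk/by-id/ata-CONSISTENT_SSD_S7_512GB_09092225J0987" \
            --extra-files "$keydir" "/persist/etc/ssh"
        '' + sopsReminder;
        description = "bootstrap the plato machine by doing a fresh installation (run on the live installer after copying over the repo)";
      };
    };
}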