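{
  perSystem =
    { pkgs, ... }:
    {
      # One-shot installer for the "indra" host: mints a fresh ed25519 host key
      # locally, re-keys the sops secrets to the matching age recipient, then
      # runs nixos-anywhere with the key pre-seeded under /persist/etc/ssh.
      apps.infra-bootstrap-indra =
        let
          bin = pkgs.writeShellApplication {
            name = "bootstrap-indra";
            runtimeInputs = [
              # keep-sorted start
              pkgs.git
              pkgs.nixos-anywhere
              pkgs.openssh
              pkgs.sops
              pkgs.ssh-to-age
              pkgs.yq-go
              # keep-sorted end
            ];
            # writeShellApplication prepends `set -euo pipefail` and runs
            # shellcheck over this text at build time, so any failing step
            # below aborts the bootstrap.
            text = ''
              rootdir="$(git rev-parse --show-toplevel)"

              # Staging tree for --extra-files. mktemp -d creates it mode 0700
              # and the EXIT trap removes it (private key included) whether the
              # run succeeds or fails. rm -rf is not secure erasure: the key may
              # touch disk under $TMPDIR.
              extrafiles="$(mktemp -d)"
              trap 'rm -rf "$extrafiles"' EXIT

              keydir="$extrafiles/persist/etc/ssh"
              mkdir --parents "$keydir"
              privatekey="$keydir/ssh_host_ed25519_key"
              publickey="$privatekey.pub"

              # Generate the host key here, before the install, so its age
              # recipient is known up front. -N "" gives an unencrypted key,
              # which is what sshd expects for a host key.
              ssh-keygen -t ed25519 -N "" -C "root@indra" -f "$privatekey"
              chmod 600 "$privatekey"
              chmod 644 "$publickey"

              # Derive the age public key from the host key; presumably the
              # recipient sops-nix decrypts with on the host.
              agekey="$(ssh-to-age < "$publickey")"

              # Hand the key to yq through the environment (strenv) instead of
              # splicing it into the program text, so the value is never parsed
              # as part of the yq expression.
              AGEKEY="$agekey" yq \
                --inplace \
                '(.keys | .. | select(anchor == "indra")) = strenv(AGEKEY)' \
                "$rootdir/infra/.sops.yaml"

              # Re-encrypt the secrets to the new recipient set. This has to
              # happen before the install, presumably because the flake build
              # below embeds secrets.yaml. Consequence: if nixos-anywhere fails,
              # the repo is already re-keyed to a host key the trap discards, so
              # re-run from the start rather than reusing the modified files.
              sops updatekeys --yes "$rootdir/infra/modules/base/secrets.yaml"

              # NOTE(review): the target host reads "[email protected]" in
              # this rendering, which looks like an extraction artifact —
              # confirm the real root@<host> value before use.
              nixos-anywhere \
                --flake "$rootdir#indra" \
                --extra-files "$extrafiles" \
                --target-host "[email protected]"

              printf "\n\nIMPORTANT: Remember to save the changes to the .sops.yaml file!\n"
            '';
          };
        in
        {
          type = "app";
          program = "${bin}/bin/bootstrap-indra";
          meta.description = "bootstrap the indra machine by doing a fresh installation";
        };
    };
}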