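{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
  inputs.flake-parts.url = "github:hercules-ci/flake-parts";
  inputs.disko.url = "github:nix-community/disko";
  # replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged
  inputs.colmena.url = "github:immae/colmena/add-lib-get-flake";
  inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere";
  # Pin nixos-anywhere's transitive inputs to the revisions used here so a
  # single disko / flake-parts is evaluated for the whole tree.
  inputs.nixos-anywhere.inputs.disko.follows = "disko";
  inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts";

  description = "Useful libs";
  outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: {
    lib = rec {
      # Build a flake describing one colmena-managed host called `name`.
      #
      # Arguments:
      #   name         - node name; also the key looked up under
      #                  .cryptsetup_encryption_keys and .ssh_host_keys in the
      #                  sops vars file, and the nixosConfigurations attribute.
      #   self         - the CALLER's flake (deliberately shadows this flake's
      #                  `self`); its nixosModules / colmena outputs are read.
      #   nixpkgs      - the caller's nixpkgs (shadows the input above).
      #   system       - target system, default "x86_64-linux".
      #   nixosModules - attrset of NixOS modules the node imports.
      #   moduleArgs   - extra specialArgs handed to the node's modules.
      #   targetHost   - host that nixos-anywhere / colmena connect to.
      #   targetUser   - SSH user on targetHost, default "root".
      #
      # Produced outputs:
      #   apps.<system>."<name>-install"           - one-shot installer (nixos-anywhere)
      #   nixosConfigurations.<name>               - the colmena node as a NixOS config
      #   nixosConfigurations.<name>WithEncryption - same node, with
      #                  specialArgs.cryptKeyFile set to the key file the installer uploads
      #   colmena                                  - the colmena hive for this node
      #   nixosModules                             - caller's modules plus disko
      mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }:
        flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } {
          systems = [ system ];
          perSystem = { pkgs, ... }: {
            apps."${name}-install" = {
              type = "app";
              program = pkgs.writeScriptBin "${name}-install" ''
                #!${pkgs.stdenv.shell}
                set -euo pipefail
                # SOPS_VARS_FILE: sops-encrypted YAML holding
                # .cryptsetup_encryption_keys.<name> and .ssh_host_keys.<name>[].
                : "''${SOPS_VARS_FILE:?SOPS_VARS_FILE must point to the sops-encrypted vars file}"
                TEMPDIR=$(mktemp -d)
                trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT
                mkdir -p "$TEMPDIR/boot/initrdSecrets"
                # Private key material is written below; create those files
                # owner-only from the start instead of relying solely on the
                # chmod afterwards. Set after mkdir so boot/ keeps its default mode.
                umask 077

                # Decrypt once and keep the plaintext in memory rather than
                # running sops (and touching the operator's key) several times.
                vars=$(${pkgs.sops}/bin/sops -d "$SOPS_VARS_FILE")
                password=$(printf '%s\n' "$vars" | ${pkgs.yq}/bin/yq -r .cryptsetup_encryption_keys.${name})
                chmod -R go-rwx "$TEMPDIR/boot/initrdSecrets"
                # One object per host key: {type, private, public}; written to the
                # path the initrd expects and shipped via --extra-files below.
                printf '%s\n' "$vars" | ${pkgs.yq}/bin/yq -c '.ssh_host_keys.${name}[]' | while read -r key; do
                  keytype=$(printf '%s\n' "$key" | ${pkgs.yq}/bin/yq -r .type)
                  keyprivate=$(printf '%s\n' "$key" | ${pkgs.yq}/bin/yq -r .private)
                  keypublic=$(printf '%s\n' "$key" | ${pkgs.yq}/bin/yq -r .public)
                  printf '%s\n' "$keyprivate" > "$TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key"
                  printf '%s\n' "$keypublic" > "$TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub"
                done
                chmod -R go-rwx "$TEMPDIR/boot/initrdSecrets"

                # The disk passphrase is passed through a process substitution so
                # it is neither an argv entry nor a local file. /run/decrypt-key
                # must match specialArgs.cryptKeyFile in the WithEncryption config.
                ${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \
                  -f .#${name}WithEncryption ${targetUser}@${targetHost} \
                  --disk-encryption-keys /run/decrypt-key <(printf '%s' "$password") \
                  --extra-files "$TEMPDIR"
              '';
            };
          };
          flake = {
            # The node exactly as colmena evaluates it from the caller's flake.
            nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name};
            # Same node, but with cryptKeyFile pointing at the file that the
            # "<name>-install" app hands to nixos-anywhere; only used for the
            # initial install (-f .#<name>WithEncryption).
            nixosConfigurations."${name}WithEncryption" = let
              selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; };
            in
              (colmena.lib.fromRawFlake selfWithEncryption).nodes.${name};
            colmena = {
              meta.nixpkgs = nixpkgs.legacyPackages.${system};
              meta.specialArgs = moduleArgs;
              "${name}" = {
                deployment = { inherit targetHost targetUser; };
                # Every module exposed by the caller's flake, including the
                # disko module added in nixosModules below.
                imports = builtins.attrValues self.nixosModules;
              };
            };
            nixosModules = {
              _diskoModules = disko.nixosModules.disko;
            } // nixosModules;
          };
        };
    };
  };
}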