X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=flakes%2Flib%2Fflake.nix;h=5b78fb693a8439b351389a575ed39373741769f3;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hp=8faa136898ce51107e1ab6156f96a1c3b1cf40de;hpb=fa25ffd4583cc362075cd5e1b4130f33306103f0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/flakes/lib/flake.nix b/flakes/lib/flake.nix
index 8faa136..5b78fb6 100644
--- a/flakes/lib/flake.nix
+++ b/flakes/lib/flake.nix
@@ -1,28 +1,68 @@
 {
 inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+ inputs.flake-parts.url = "github:hercules-ci/flake-parts";
+ inputs.disko.url = "github:nix-community/disko";
+ # replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged
+ inputs.colmena.url = "github:immae/colmena/add-lib-get-flake";
+ inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere";
+ inputs.nixos-anywhere.inputs.disko.follows = "disko";
+ inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts";
 description = "Useful libs";
- outputs = { self, nixpkgs }: {
+ outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: {
 lib = rec {
- computeNarHash = path:
- let pkgs = import nixpkgs {};
- in
- builtins.readFile (pkgs.runCommand "narHash" {
- buildInputs = [ pkgs.nix ];
- } "echo -n $(nix hash-path ${path}) > $out");
+ mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }:
+ flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } {
+ systems = [ system ];
+ perSystem = { pkgs, ... }: {
+ apps."${name}-install" = {
+ type = "app";
+ program = pkgs.writeScriptBin "${name}-install" ''
+ #!${pkgs.stdenv.shell}
+ set -euo pipefail
+ : $SOPS_VARS_FILE
+ TEMPDIR=$(mktemp -d)
+ trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT
- withNarKeyCompat = flakeCompat: path: moduleAttrs:
- let module = (flakeCompat path).${moduleAttrs};
- narHash = computeNarHash path;
- in if builtins.isFunction module
- then args@{ config, lib, pkgs, ...
}: (module args // { key = narHash; })
- else module // { key = narHash; };
+ password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})
+ mkdir -p $TEMPDIR/boot/initrdSecrets
+ chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
+ sops -d $SOPS_VARS_FILE | yq -c '.ssh_host_keys.${name}[]' | while read -r key; do
+ keytype=$(echo "$key" | yq -r .type)
+ keyprivate=$(echo "$key" | yq -r .private)
+ keypublic=$(echo "$key" | yq -r .public)
+ echo "$keyprivate" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key
+ echo "$keypublic" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub
+ done
+ chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
- withNarKey = dep: moduleAttrs:
- let module = dep.${moduleAttrs};
- in if builtins.isFunction module
- then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
- else module // { key = dep.narHash; };
+ ${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \
+ -f .#${name}WithEncryption ${targetUser}@${targetHost} \
+ --disk-encryption-keys /run/decrypt-key <(echo -n "$password") \
+ --extra-files "$TEMPDIR"
+ '';
+ };
+
+ };
+ flake = {
+ nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name};
+ nixosConfigurations."${name}WithEncryption" = let
+ selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; };
+ in
+ (colmena.lib.fromRawFlake selfWithEncryption).nodes.${name};
+ colmena = {
+ meta.nixpkgs = nixpkgs.legacyPackages.${system};
+ meta.specialArgs = moduleArgs;
+ "${name}" = {
+ deployment = { inherit targetHost targetUser; };
+ imports = builtins.attrValues self.nixosModules;
+ };
+ };
+ nixosModules = {
+ _diskoModules = disko.nixosModules.disko;
+ } // nixosModules;
+ };
+ };
 };
 };
 }
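Review bot: The installer script built by `program = pkgs.writeScriptBin "${name}-install"` runs `sops` and `yq` from whatever PATH the caller happens to have, while it is handling the disk-encryption passphrase and the host's SSH private keys; pinning both from the same nixpkgs, e.g. `export PATH=${pkgs.lib.makeBinPath [ pkgs.sops pkgs.yq ]}:$PATH` right after `set -euo pipefail`, makes the script reproducible and removes the dependency on an ambient binary (the jq-style `-r`/`-c` flags look like the Python yq, so a Go yq on PATH would presumably fail or misparse). `$keytype` is taken verbatim from the decrypted YAML and spliced into the `ssh_host_''${keytype}_key` path, so a stray value would be written outside `initrdSecrets`; a `case "$keytype" in rsa|ecdsa|ed25519) ;; *) echo "unexpected key type: $keytype" >&2; exit 1;; esac` before the two `echo` redirections closes that. `$SOPS_VARS_FILE` is unquoted in both `sops -d` calls, so a path containing spaces breaks on word splitting; quote it as `"$SOPS_VARS_FILE"`. Since `mktemp -d` honours TMPDIR, the private keys under `$TEMPDIR` may sit on persistent storage until the EXIT trap runs; a comment on the `TEMPDIR=` line such as `# key material is staged here in clear; point TMPDIR at tmpfs if the host's /tmp is on disk` would document that trade-off for operators.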