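{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs";
  inputs.flake-parts.url = "github:hercules-ci/flake-parts";
  inputs.disko.url = "github:nix-community/disko";
  # replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged
  inputs.colmena.url = "github:immae/colmena/add-lib-get-flake";
  inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere";
  inputs.nixos-anywhere.inputs.disko.follows = "disko";
  inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts";

  description = "Useful libs";
  outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: {
    lib = rec {
      # Build a flake for one colmena-managed host.
      #
      # Arguments:
      #   name         - colmena node name; also the key looked up under
      #                  .cryptsetup_encryption_keys and .ssh_host_keys in the
      #                  sops vars file read by the install app
      #   self         - the calling flake; its nixosModules are imported into
      #                  the node (see `colmena."${name}".imports`)
      #   nixpkgs      - nixpkgs input used for meta.nixpkgs
      #   system       - host platform (default "x86_64-linux")
      #   nixosModules - modules exported by the generated flake, merged with
      #                  the disko module
      #   moduleArgs   - specialArgs handed to the node's modules
      #   targetHost   - deployment host for colmena and nixos-anywhere
      #   targetUser   - ssh user for the deployment (default "root")
      #
      # Outputs of the generated flake:
      #   apps.<system>."${name}-install"             - nixos-anywhere installer
      #   nixosConfigurations.${name}                 - the colmena node
      #   nixosConfigurations."${name}WithEncryption" - same node, with
      #       specialArgs.cryptKeyFile = "/run/decrypt-key" (what the installer
      #       deploys with)
      #   colmena                                     - hive with this one node
      #   nixosModules                                - disko module + nixosModules
      mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }:
        flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } {
          systems = [ system ];
          perSystem = { pkgs, ... }: {
            # Installer: decrypts the LUKS passphrase and the initrd ssh host
            # keys for `name` from $SOPS_VARS_FILE into a private temp dir and
            # hands them to nixos-anywhere. Expects `sops` and `yq` on PATH.
            apps."${name}-install" = {
              type = "app";
              program = pkgs.writeScriptBin "${name}-install" ''
                #!${pkgs.stdenv.shell}
                set -euo pipefail
                # Fail early with a readable message instead of "unbound variable".
                : "''${SOPS_VARS_FILE:?must point to the sops-encrypted vars file}"
                # Everything written below is secret material: create it
                # owner-only from the start instead of relying on the later chmod.
                umask 077
                TEMPDIR=$(mktemp -d)
                trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT

                password=$(sops -d "$SOPS_VARS_FILE" | yq -r .cryptsetup_encryption_keys.${name})
                mkdir -p "$TEMPDIR/boot/initrdSecrets"
                chmod -R go-rwx "$TEMPDIR/boot/initrdSecrets"
                # One entry per host key: {type, private, public}.
                sops -d "$SOPS_VARS_FILE" | yq -c '.ssh_host_keys.${name}[]' | while read -r key; do
                  keytype=$(echo "$key" | yq -r .type)
                  keyprivate=$(echo "$key" | yq -r .private)
                  keypublic=$(echo "$key" | yq -r .public)
                  echo "$keyprivate" > "$TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key"
                  echo "$keypublic" > "$TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub"
                done
                chmod -R go-rwx "$TEMPDIR/boot/initrdSecrets"

                # The passphrase goes through a process substitution so it is
                # neither written into $TEMPDIR nor visible in nixos-anywhere's argv.
                ${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \
                  -f .#${name}WithEncryption ${targetUser}@${targetHost} \
                  --disk-encryption-keys /run/decrypt-key <(echo -n "$password") \
                  --extra-files "$TEMPDIR"
              '';
            };
          };
          flake = {
            nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name};
            # Same node, but with cryptKeyFile set to the path that
            # `--disk-encryption-keys` above installs the passphrase at.
            nixosConfigurations."${name}WithEncryption" = let
              selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; };
            in
              (colmena.lib.fromRawFlake selfWithEncryption).nodes.${name};
            colmena = {
              meta.nixpkgs = nixpkgs.legacyPackages.${system};
              meta.specialArgs = moduleArgs;
              "${name}" = {
                deployment = { inherit targetHost targetUser; };
                imports = builtins.attrValues self.nixosModules;
              };
            };
            nixosModules = {
              _diskoModules = disko.nixosModules.disko;
            } // nixosModules;
          };
        };
    };
  };
}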