author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /flakes/lib/flake.nix | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personal information about users. All those changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository
Diffstat (limited to 'flakes/lib/flake.nix')
-rw-r--r-- | flakes/lib/flake.nix | 76 |
1 files changed, 58 insertions, 18 deletions
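--- a/flakes/lib/flake.nix
+++ b/flakes/lib/flake.nix
@@ -1,28 +1,68 @@
 {
 inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+inputs.flake-parts.url = "github:hercules-ci/flake-parts";
+inputs.disko.url = "github:nix-community/disko";
+# replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged
+inputs.colmena.url = "github:immae/colmena/add-lib-get-flake";
+inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere";
+inputs.nixos-anywhere.inputs.disko.follows = "disko";
+inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts";
 
 description = "Useful libs";
-outputs = { self, nixpkgs }: {
+outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: {
 lib = rec {
-computeNarHash = path:
-let pkgs = import nixpkgs {};
-in
-builtins.readFile (pkgs.runCommand "narHash" {
-buildInputs = [ pkgs.nix ];
-} "echo -n $(nix hash-path ${path}) > $out");
+mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }:
+flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } {
+systems = [ system ];
+perSystem = { pkgs, ... }: {
+apps."${name}-install" = {
+type = "app";
+program = pkgs.writeScriptBin "${name}-install" ''
+#!${pkgs.stdenv.shell}
+set -euo pipefail
+: $SOPS_VARS_FILE
+TEMPDIR=$(mktemp -d)
+trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT
 
-withNarKeyCompat = flakeCompat: path: moduleAttrs:
-let module = (flakeCompat path).${moduleAttrs};
-narHash = computeNarHash path;
-in if builtins.isFunction module
-then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; })
-else module // { key = narHash; };
+password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})
+mkdir -p $TEMPDIR/boot/initrdSecrets
+chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
+sops -d $SOPS_VARS_FILE | yq -c '.ssh_host_keys.${name}[]' | while read -r key; do
+keytype=$(echo "$key" | yq -r .type)
+keyprivate=$(echo "$key" | yq -r .private)
+keypublic=$(echo "$key" | yq -r .public)
+echo "$keyprivate" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key
+echo "$keypublic" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub
+done
+chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
 
-withNarKey = dep: moduleAttrs:
-let module = dep.${moduleAttrs};
-in if builtins.isFunction module
-then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
-else module // { key = dep.narHash; };
+${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \
+-f .#${name}WithEncryption ${targetUser}@${targetHost} \
+--disk-encryption-keys /run/decrypt-key <(echo -n "$password") \
+--extra-files "$TEMPDIR"
+'';
+};
+
+};
+flake = {
+nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name};
+nixosConfigurations."${name}WithEncryption" = let
+selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; };
+in
+(colmena.lib.fromRawFlake selfWithEncryption).nodes.${name};
+colmena = {
+meta.nixpkgs = nixpkgs.legacyPackages.${system};
+meta.specialArgs = moduleArgs;
+"${name}" = {
+deployment = { inherit targetHost targetUser; };
+imports = builtins.attrValues self.nixosModules;
+};
+};
+nixosModules = {
+_diskoModules = disko.nixosModules.disko;
+} // nixosModules;
+};
+};
 };
 };
 }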
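Review bot: In the generated install script, a missing `cryptsetup_encryption_keys.<name>` entry in the sops file does not stop the run: with a jq-based yq (which the `-c` flag on the next `sops -d` line suggests) `yq -r` prints the literal string `null` and exits 0, so `$password` becomes `null` and the `--disk-encryption-keys` line hands that string to nixos-anywhere as the disk passphrase. Guard the value right after it is read, e.g. `[ -n "$password" ] && [ "$password" != null ] || { echo "no cryptsetup key for ${name} in $SOPS_VARS_FILE" >&2; exit 1; }` (or `yq -re` if the installed yq accepts jq's `-e`). The same script leaves `$SOPS_VARS_FILE` and `$TEMPDIR` unquoted in the `sops -d`, `mkdir -p` and `chmod -R` lines, so a path containing whitespace is word-split before the private keys are written; quoting them (`"$SOPS_VARS_FILE"`, `"$TEMPDIR/boot/initrdSecrets"`) removes that. `: $SOPS_VARS_FILE` only rejects an unset variable under `set -u`; `: "${SOPS_VARS_FILE:?must point to the sops vars file}"` also rejects an empty value and names the cause in the error.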