authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 01:35:06 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 02:11:48 +0200
commit1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree1b9df4838f894577a09b9b260151756272efeb53 /flakes/lib
parentfa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
Squash changes containing private information
There were a lot of changes since the previous commit, but many of them contained personal information about users. All those changes were squashed into a single commit (history is kept in a different place) and the private information was moved to a separate private repository.
Diffstat (limited to 'flakes/lib')
-rw-r--r--flakes/lib/flake.lock272
-rw-r--r--flakes/lib/flake.nix76
2 files changed, 326 insertions, 22 deletions
diff --git a/flakes/lib/flake.lock b/flakes/lib/flake.lock
index 3e0b21e..3ca158e 100644
--- a/flakes/lib/flake.lock
+++ b/flakes/lib/flake.lock
@@ -1,12 +1,235 @@
1{ 1{
2 "nodes": { 2 "nodes": {
3 "colmena": {
4 "inputs": {
5 "flake-compat": "flake-compat",
6 "flake-utils": "flake-utils",
7 "nixpkgs": "nixpkgs",
8 "stable": "stable"
9 },
10 "locked": {
11 "lastModified": 1687954574,
12 "narHash": "sha256-YasVTaNXq2xqZdejyIhuyqvNypmx+K/Y1ZZ4+raeeII=",
13 "owner": "immae",
14 "repo": "colmena",
15 "rev": "e427171150a35e23204c4c15a2483358d22a0eff",
16 "type": "github"
17 },
18 "original": {
19 "owner": "immae",
20 "ref": "add-lib-get-flake",
21 "repo": "colmena",
22 "type": "github"
23 }
24 },
25 "disko": {
26 "inputs": {
27 "nixpkgs": "nixpkgs_2"
28 },
29 "locked": {
30 "lastModified": 1687968164,
31 "narHash": "sha256-L9jr2zCB6NIaBE3towusjGBigsnE2pMID8wBGkYbTS4=",
32 "owner": "nix-community",
33 "repo": "disko",
34 "rev": "8002e7cb899bc2a02a2ebfb7f999fcd7c18b92a1",
35 "type": "github"
36 },
37 "original": {
38 "owner": "nix-community",
39 "repo": "disko",
40 "type": "github"
41 }
42 },
43 "flake-compat": {
44 "flake": false,
45 "locked": {
46 "lastModified": 1650374568,
47 "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
48 "owner": "edolstra",
49 "repo": "flake-compat",
50 "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
51 "type": "github"
52 },
53 "original": {
54 "owner": "edolstra",
55 "repo": "flake-compat",
56 "type": "github"
57 }
58 },
59 "flake-parts": {
60 "inputs": {
61 "nixpkgs-lib": "nixpkgs-lib"
62 },
63 "locked": {
64 "lastModified": 1687762428,
65 "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=",
66 "owner": "hercules-ci",
67 "repo": "flake-parts",
68 "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836",
69 "type": "github"
70 },
71 "original": {
72 "owner": "hercules-ci",
73 "repo": "flake-parts",
74 "type": "github"
75 }
76 },
77 "flake-utils": {
78 "locked": {
79 "lastModified": 1659877975,
80 "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
81 "owner": "numtide",
82 "repo": "flake-utils",
83 "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
84 "type": "github"
85 },
86 "original": {
87 "owner": "numtide",
88 "repo": "flake-utils",
89 "type": "github"
90 }
91 },
92 "nixos-2305": {
93 "locked": {
94 "lastModified": 1687938137,
95 "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=",
96 "owner": "NixOS",
97 "repo": "nixpkgs",
98 "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5",
99 "type": "github"
100 },
101 "original": {
102 "owner": "NixOS",
103 "ref": "release-23.05",
104 "repo": "nixpkgs",
105 "type": "github"
106 }
107 },
108 "nixos-anywhere": {
109 "inputs": {
110 "disko": [
111 "disko"
112 ],
113 "flake-parts": [
114 "flake-parts"
115 ],
116 "nixos-2305": "nixos-2305",
117 "nixos-images": "nixos-images",
118 "nixpkgs": "nixpkgs_3",
119 "treefmt-nix": "treefmt-nix"
120 },
121 "locked": {
122 "lastModified": 1689945193,
123 "narHash": "sha256-+GPRt7ouE84A7GPNKnFYGU0cQL7skKxz0BAY0sUjUmw=",
124 "owner": "numtide",
125 "repo": "nixos-anywhere",
126 "rev": "27161266077a177ac116e2cb72cc70af5f145189",
127 "type": "github"
128 },
129 "original": {
130 "owner": "numtide",
131 "repo": "nixos-anywhere",
132 "type": "github"
133 }
134 },
135 "nixos-images": {
136 "inputs": {
137 "nixos-2305": [
138 "nixos-anywhere",
139 "nixos-2305"
140 ],
141 "nixos-unstable": [
142 "nixos-anywhere",
143 "nixpkgs"
144 ]
145 },
146 "locked": {
147 "lastModified": 1686819168,
148 "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=",
149 "owner": "nix-community",
150 "repo": "nixos-images",
151 "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37",
152 "type": "github"
153 },
154 "original": {
155 "owner": "nix-community",
156 "repo": "nixos-images",
157 "type": "github"
158 }
159 },
3 "nixpkgs": { 160 "nixpkgs": {
4 "locked": { 161 "locked": {
5 "lastModified": 1631570365, 162 "lastModified": 1683408522,
6 "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=", 163 "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
164 "owner": "NixOS",
165 "repo": "nixpkgs",
166 "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
167 "type": "github"
168 },
169 "original": {
170 "owner": "NixOS",
171 "ref": "nixos-unstable",
172 "repo": "nixpkgs",
173 "type": "github"
174 }
175 },
176 "nixpkgs-lib": {
177 "locked": {
178 "dir": "lib",
179 "lastModified": 1685564631,
180 "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=",
181 "owner": "NixOS",
182 "repo": "nixpkgs",
183 "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a",
184 "type": "github"
185 },
186 "original": {
187 "dir": "lib",
188 "owner": "NixOS",
189 "ref": "nixos-unstable",
190 "repo": "nixpkgs",
191 "type": "github"
192 }
193 },
194 "nixpkgs_2": {
195 "locked": {
196 "lastModified": 1687701825,
197 "narHash": "sha256-aMC9hqsf+4tJL7aJWSdEUurW2TsjxtDcJBwM9Y4FIYM=",
198 "owner": "NixOS",
199 "repo": "nixpkgs",
200 "rev": "07059ee2fa34f1598758839b9af87eae7f7ae6ea",
201 "type": "github"
202 },
203 "original": {
204 "owner": "NixOS",
205 "ref": "nixpkgs-unstable",
206 "repo": "nixpkgs",
207 "type": "github"
208 }
209 },
210 "nixpkgs_3": {
211 "locked": {
212 "lastModified": 1687893427,
213 "narHash": "sha256-jJHj0Lxpvov1IPYQK441oLAKxxemHm16U9jf60bXAFU=",
214 "owner": "nixos",
215 "repo": "nixpkgs",
216 "rev": "4b14ab2a916508442e685089672681dff46805be",
217 "type": "github"
218 },
219 "original": {
220 "owner": "nixos",
221 "ref": "nixos-unstable-small",
222 "repo": "nixpkgs",
223 "type": "github"
224 }
225 },
226 "nixpkgs_4": {
227 "locked": {
228 "lastModified": 1648725829,
229 "narHash": "sha256-tXEzI38lLrzW2qCAIs0UAatE2xcsTsoKWaaXqAcF1NI=",
7 "owner": "NixOS", 230 "owner": "NixOS",
8 "repo": "nixpkgs", 231 "repo": "nixpkgs",
9 "rev": "df7113c0727881519248d4c7d080324e0ee3327b", 232 "rev": "72152ff5ad470ed1a5b97c0ba2737938c136c994",
10 "type": "github" 233 "type": "github"
11 }, 234 },
12 "original": { 235 "original": {
@@ -17,7 +240,48 @@
17 }, 240 },
18 "root": { 241 "root": {
19 "inputs": { 242 "inputs": {
20 "nixpkgs": "nixpkgs" 243 "colmena": "colmena",
244 "disko": "disko",
245 "flake-parts": "flake-parts",
246 "nixos-anywhere": "nixos-anywhere",
247 "nixpkgs": "nixpkgs_4"
248 }
249 },
250 "stable": {
251 "locked": {
252 "lastModified": 1669735802,
253 "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
254 "owner": "NixOS",
255 "repo": "nixpkgs",
256 "rev": "731cc710aeebecbf45a258e977e8b68350549522",
257 "type": "github"
258 },
259 "original": {
260 "owner": "NixOS",
261 "ref": "nixos-22.11",
262 "repo": "nixpkgs",
263 "type": "github"
264 }
265 },
266 "treefmt-nix": {
267 "inputs": {
268 "nixpkgs": [
269 "nixos-anywhere",
270 "nixpkgs"
271 ]
272 },
273 "locked": {
274 "lastModified": 1687940979,
275 "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=",
276 "owner": "numtide",
277 "repo": "treefmt-nix",
278 "rev": "0a4f06c27610a99080b69433873885df82003aae",
279 "type": "github"
280 },
281 "original": {
282 "owner": "numtide",
283 "repo": "treefmt-nix",
284 "type": "github"
21 } 285 }
22 } 286 }
23 }, 287 },
diff --git a/flakes/lib/flake.nix b/flakes/lib/flake.nix
index 8faa136..5b78fb6 100644
--- a/flakes/lib/flake.nix
+++ b/flakes/lib/flake.nix
@@ -1,28 +1,68 @@
1{ 1{
2 inputs.nixpkgs.url = "github:NixOS/nixpkgs"; 2 inputs.nixpkgs.url = "github:NixOS/nixpkgs";
3 inputs.flake-parts.url = "github:hercules-ci/flake-parts";
4 inputs.disko.url = "github:nix-community/disko";
5 # replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged
6 inputs.colmena.url = "github:immae/colmena/add-lib-get-flake";
7 inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere";
8 inputs.nixos-anywhere.inputs.disko.follows = "disko";
9 inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts";
3 10
4 description = "Useful libs"; 11 description = "Useful libs";
5 outputs = { self, nixpkgs }: { 12 outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: {
6 lib = rec { 13 lib = rec {
7 computeNarHash = path: 14 mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }:
8 let pkgs = import nixpkgs {}; 15 flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } {
9 in 16 systems = [ system ];
10 builtins.readFile (pkgs.runCommand "narHash" { 17 perSystem = { pkgs, ... }: {
11 buildInputs = [ pkgs.nix ]; 18 apps."${name}-install" = {
12 } "echo -n $(nix hash-path ${path}) > $out"); 19 type = "app";
20 program = pkgs.writeScriptBin "${name}-install" ''
21 #!${pkgs.stdenv.shell}
22 set -euo pipefail
23 : $SOPS_VARS_FILE
24 TEMPDIR=$(mktemp -d)
25 trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT
13 26
14 withNarKeyCompat = flakeCompat: path: moduleAttrs: 27 password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})
15 let module = (flakeCompat path).${moduleAttrs}; 28 mkdir -p $TEMPDIR/boot/initrdSecrets
16 narHash = computeNarHash path; 29 chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
17 in if builtins.isFunction module 30 sops -d $SOPS_VARS_FILE | yq -c '.ssh_host_keys.${name}[]' | while read -r key; do
18 then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; }) 31 keytype=$(echo "$key" | yq -r .type)
19 else module // { key = narHash; }; 32 keyprivate=$(echo "$key" | yq -r .private)
33 keypublic=$(echo "$key" | yq -r .public)
34 echo "$keyprivate" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key
35 echo "$keypublic" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub
36 done
37 chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
20 38
21 withNarKey = dep: moduleAttrs: 39 ${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \
22 let module = dep.${moduleAttrs}; 40 -f .#${name}WithEncryption ${targetUser}@${targetHost} \
23 in if builtins.isFunction module 41 --disk-encryption-keys /run/decrypt-key <(echo -n "$password") \
24 then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; }) 42 --extra-files "$TEMPDIR"
25 else module // { key = dep.narHash; }; 43 '';
44 };
45
46 };
47 flake = {
48 nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name};
49 nixosConfigurations."${name}WithEncryption" = let
50 selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; };
51 in
52 (colmena.lib.fromRawFlake selfWithEncryption).nodes.${name};
53 colmena = {
54 meta.nixpkgs = nixpkgs.legacyPackages.${system};
55 meta.specialArgs = moduleArgs;
56 "${name}" = {
57 deployment = { inherit targetHost targetUser; };
58 imports = builtins.attrValues self.nixosModules;
59 };
60 };
61 nixosModules = {
62 _diskoModules = disko.nixosModules.disko;
63 } // nixosModules;
64 };
65 };
26 }; 66 };
27 }; 67 };
28} 68}
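Review bot: In the `${name}-install` script, `password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})` never checks that a key was actually found: `yq -r` prints the literal string `null` for a missing key and exits 0, so `set -euo pipefail` does not stop the run and the target disk would be encrypted with the passphrase `null`. I would add, right after that line, `[ -n "$password" ] && [ "$password" != "null" ] || { echo "no cryptsetup_encryption_keys entry for ${name}" >&2; exit 1; }`, and apply the same `null` guard to `keyprivate` and `keypublic` in the host-key loop before they are written under `$TEMPDIR/boot/initrdSecrets`. Separately, `$SOPS_VARS_FILE` is unquoted in both `sops -d` invocations; `"$SOPS_VARS_FILE"` would keep the script working for paths containing spaces. The private keys and passphrase are staged in a plain `mktemp -d` directory that is only `rm -rf`'d on exit, so a comment such as `# secrets are staged on $TMPDIR; point it at tmpfs if it is backed by persistent storage` would help whoever runs this.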