From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 4 Oct 2023 01:35:06 +0200 Subject: Squash changes containing private information There were a lot of changes since the previous commit, but a lot of them contained personal information about users. All those changes were squashed into a single commit (history is kept in a different place) and private information was moved to a separate private repository --- flakes/lib/flake.lock | 272 +++++++++++++++++++++++++++++++++++++++++++++++++- flakes/lib/flake.nix | 76 ++++++++++---- 2 files changed, 326 insertions(+), 22 deletions(-) (limited to 'flakes/lib') diff --git a/flakes/lib/flake.lock b/flakes/lib/flake.lock index 3e0b21e..3ca158e 100644 --- a/flakes/lib/flake.lock +++ b/flakes/lib/flake.lock 
@@ -1,12 +1,235 @@ { "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "stable": "stable" + }, + "locked": { + "lastModified": 1687954574, + "narHash": "sha256-YasVTaNXq2xqZdejyIhuyqvNypmx+K/Y1ZZ4+raeeII=", + "owner": "immae", + "repo": "colmena", + "rev": "e427171150a35e23204c4c15a2483358d22a0eff", + "type": "github" + }, + "original": { + "owner": "immae", + "ref": "add-lib-get-flake", + "repo": "colmena", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1687968164, + "narHash": "sha256-L9jr2zCB6NIaBE3towusjGBigsnE2pMID8wBGkYbTS4=", + "owner": "nix-community", + "repo": "disko", + "rev": "8002e7cb899bc2a02a2ebfb7f999fcd7c18b92a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1687762428, + "narHash": "sha256-DIf7mi45PKo+s8dOYF+UlXHzE0Wl/+k3tXUyAoAnoGE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "37dd7bb15791c86d55c5121740a1887ab55ee836", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + 
"type": "github" + } + }, + "nixos-2305": { + "locked": { + "lastModified": 1687938137, + "narHash": "sha256-Z00c0Pk3aE1aw9x44lVcqHmvx+oX7dxCXCvKcUuE150=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ba2ded3227a2992f2040fad4ba6f218a701884a5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixos-anywhere": { + "inputs": { + "disko": [ + "disko" + ], + "flake-parts": [ + "flake-parts" + ], + "nixos-2305": "nixos-2305", + "nixos-images": "nixos-images", + "nixpkgs": "nixpkgs_3", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1689945193, + "narHash": "sha256-+GPRt7ouE84A7GPNKnFYGU0cQL7skKxz0BAY0sUjUmw=", + "owner": "numtide", + "repo": "nixos-anywhere", + "rev": "27161266077a177ac116e2cb72cc70af5f145189", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nixos-anywhere", + "type": "github" + } + }, + "nixos-images": { + "inputs": { + "nixos-2305": [ + "nixos-anywhere", + "nixos-2305" + ], + "nixos-unstable": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1686819168, + "narHash": "sha256-IbRVStbKoMC2fUX6TxNO82KgpVfI8LL4Cq0bTgdYhnY=", + "owner": "nix-community", + "repo": "nixos-images", + "rev": "ccc1a2c08ce2fc38bcece85d2a6e7bf17bac9e37", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-images", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1631570365, - "narHash": "sha256-vc6bfo0hijpicdUDiui2DvZXmpIP2iqOFZRcpMOuYPo=", + "lastModified": 1683408522, + "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1685564631, + "narHash": 
"sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1687701825, + "narHash": "sha256-aMC9hqsf+4tJL7aJWSdEUurW2TsjxtDcJBwM9Y4FIYM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "07059ee2fa34f1598758839b9af87eae7f7ae6ea", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1687893427, + "narHash": "sha256-jJHj0Lxpvov1IPYQK441oLAKxxemHm16U9jf60bXAFU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4b14ab2a916508442e685089672681dff46805be", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1648725829, + "narHash": "sha256-tXEzI38lLrzW2qCAIs0UAatE2xcsTsoKWaaXqAcF1NI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "df7113c0727881519248d4c7d080324e0ee3327b", + "rev": "72152ff5ad470ed1a5b97c0ba2737938c136c994", "type": "github" }, "original": { 
@@ -17,7 +240,48 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "colmena": "colmena", + "disko": "disko", + "flake-parts": "flake-parts", + "nixos-anywhere": "nixos-anywhere", + "nixpkgs": "nixpkgs_4" + } + }, + "stable": { + "locked": { + "lastModified": 1669735802, + "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "731cc710aeebecbf45a258e977e8b68350549522", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-anywhere", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687940979, + "narHash": "sha256-D4ZFkgIG2s9Fyi78T3fVG9mqMD+/UnFDB62jS4gjZKY=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "0a4f06c27610a99080b69433873885df82003aae", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" } } }, diff --git a/flakes/lib/flake.nix b/flakes/lib/flake.nix index 8faa136..5b78fb6 100644 --- a/flakes/lib/flake.nix +++ b/flakes/lib/flake.nix 
@@ -1,28 +1,68 @@ { inputs.nixpkgs.url = "github:NixOS/nixpkgs"; + inputs.flake-parts.url = "github:hercules-ci/flake-parts"; + inputs.disko.url = "github:nix-community/disko"; + # replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged + inputs.colmena.url = "github:immae/colmena/add-lib-get-flake"; + inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere"; + inputs.nixos-anywhere.inputs.disko.follows = "disko"; + inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts"; description = "Useful libs"; - outputs = { self, nixpkgs }: { + outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: { lib = rec { - computeNarHash = path: - let pkgs = import nixpkgs {}; - in - builtins.readFile (pkgs.runCommand "narHash" { - buildInputs = [ pkgs.nix ]; - } "echo -n $(nix hash-path ${path}) > $out"); + mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }: + flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } { + systems = [ system ]; + perSystem = { pkgs, ... }: { + apps."${name}-install" = { + type = "app"; + program = pkgs.writeScriptBin "${name}-install" '' + #!${pkgs.stdenv.shell} + set -euo pipefail + : $SOPS_VARS_FILE + TEMPDIR=$(mktemp -d) + trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT - withNarKeyCompat = flakeCompat: path: moduleAttrs: - let module = (flakeCompat path).${moduleAttrs}; - narHash = computeNarHash path; - in if builtins.isFunction module - then args@{ config, lib, pkgs, ... 
}: (module args // { key = narHash; }) - else module // { key = narHash; }; + password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name}) + mkdir -p $TEMPDIR/boot/initrdSecrets + chmod -R go-rwx $TEMPDIR/boot/initrdSecrets + sops -d $SOPS_VARS_FILE | yq -c '.ssh_host_keys.${name}[]' | while read -r key; do + keytype=$(echo "$key" | yq -r .type) + keyprivate=$(echo "$key" | yq -r .private) + keypublic=$(echo "$key" | yq -r .public) + echo "$keyprivate" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key + echo "$keypublic" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub + done + chmod -R go-rwx $TEMPDIR/boot/initrdSecrets - withNarKey = dep: moduleAttrs: - let module = dep.${moduleAttrs}; - in if builtins.isFunction module - then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; }) - else module // { key = dep.narHash; }; + ${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \ + -f .#${name}WithEncryption ${targetUser}@${targetHost} \ + --disk-encryption-keys /run/decrypt-key <(echo -n "$password") \ + --extra-files "$TEMPDIR" + ''; + }; + + }; + flake = { + nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name}; + nixosConfigurations."${name}WithEncryption" = let + selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; }; + in + (colmena.lib.fromRawFlake selfWithEncryption).nodes.${name}; + colmena = { + meta.nixpkgs = nixpkgs.legacyPackages.${system}; + meta.specialArgs = moduleArgs; + "${name}" = { + deployment = { inherit targetHost targetUser; }; + imports = builtins.attrValues self.nixosModules; + }; + }; + nixosModules = { + _diskoModules = disko.nixosModules.disko; + } // nixosModules; + }; + }; }; }; } -- cgit v1.2.3
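Review bot: In the `${name}-install` script, `password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})` does not fail when the key is absent from the sops file: `yq -r` prints the literal word `null` and exits 0, so `set -euo pipefail` never trips and nixos-anywhere would go on to encrypt the disk with the passphrase "null". Add a guard directly after the assignment, `[ -n "$password" ] && [ "$password" != null ] || { echo "no cryptsetup key for ${name} in $SOPS_VARS_FILE" >&2; exit 1; }` (`${name}` being Nix interpolation, as elsewhere in the string). Since the private host keys and the passphrase are written as plain files under `$TEMPDIR`, consider adding `umask 077` next to `set -euo pipefail` so they are never created with the default mode even briefly; `mktemp -d` presumably gives the parent directory mode 0700, so the exposure is small, but the umask is the simpler invariant than the two `chmod -R go-rwx` calls. `mkColmenaFlake` also carries no comment; a short one naming its parameters, the `SOPS_VARS_FILE` environment variable the installer reads, and the two sops paths it expects (`cryptsetup_encryption_keys.<name>` and `ssh_host_keys.<name>[]` entries with `type`, `private` and `public`) would spare the next reader from reconstructing that contract from the shell script.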