Extract shell scripts into a scripts directory

flake-parts/install-anywhere.nix

@@ -1,62 +0,0 @@
-_: {
-  perSystem =
-    { pkgs, ... }:
-    {
-      packages.install-anywhere = pkgs.writeShellApplication {
-        name = "install-anywhere";
-
-        runtimeInputs = [
-          pkgs.sops
-          pkgs.ssh-to-age
-          pkgs.bitwarden-cli
-        ];
-
-        text = ''
-          if [[ $# -ne 2 ]]; then
-            echo "Usage: $0 <host> <destination>"
-            exit 1
-          fi
-
-          host="$1"
-          destination="$2"
-          root="$(mktemp --directory)"
-
-          impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
-          if [ "$impermanence" = true ]; then
-            ssh_dir="$root/persist/etc/ssh"
-          else
-            ssh_dir="$root/etc/ssh"
-          fi
-
-          echo "==> Generating new SSH host keys..."
-          mkdir --parents "$ssh_dir"
-          ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
-
-          echo "==> Replacing old age key with new age key..."
-          new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
-          echo "$new_age_key" > "hosts/$host/keys/age.pub"
-
-          echo "==> Updating SOPS secrets..."
-          if ! declare -px BW_SESSION >/dev/null 2>&1; then
-            BW_SESSION="$(bw unlock --raw || bw login --raw)"
-            export BW_SESSION
-          fi
-          if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
-            SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
-            export SOPS_AGE_KEY
-          fi
-          SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
-          export SOPS_CONFIG
-          sops updatekeys --yes "hosts/$host/secrets.json"
-
-          echo "==> Installing system..."
-          nix run github:nix-community/nixos-anywhere -- \
-            --extra-files "$root" \
-            --flake ".#$host" \
-            --target-host "$destination"
-
-          rm -rf "$root"
-        '';
-      };
-    };
-}

flake-parts/nebula.nix

@@ -16,38 +16,5 @@ _: {
           fi
         '';
       };
-
-      packages.nebula-regen-host-cert = pkgs.writeShellApplication {
-        name = "nebula-regen-host-cert";
-        runtimeInputs = [
-          pkgs.nebula
-          pkgs.bitwarden-cli
-        ];
-        text = ''
-          if [[ $# -ne 1 ]]; then
-            echo "Usage: $0 <host>"
-            exit 1
-          fi
-
-          host="$1"
-          address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
-          ca_cert='modules/system/services/nebula/ca.crt'
-          host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
-          host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
-          host_cert="''${host_cert#*-source/}"
-
-          if ! declare -px BW_SESSION >/dev/null 2>&1; then
-            BW_SESSION="$(bw unlock --raw || bw login --raw)"
-          fi
-
-          ca_key="$(mktemp)"
-          chmod 600 "$ca_key"
-          trap 'rm -f "$ca_key"' EXIT
-          bw get notes 'nebula ca-key' > "$ca_key"
-
-          rm -f "$host_cert"
-          nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
-        '';
-      };
     };
 }

flake-parts/scripts.nix

@@ -0,0 +1,13 @@
+{ self, ... }:
+{
+  perSystem =
+    { pkgs, lib, ... }:
+    {
+      packages =
+        "${self}/scripts"
+        |> builtins.readDir
+        |> lib.attrNames
+        |> lib.map (name: name |> lib.removeSuffix ".nix")
+        |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
+    };
+}