SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-22 22:29:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Extract shell scripts into a scripts directory

Browse source
This commit is contained in:
SebastianStork 2026-02-05 20:57:58 +01:00
parent 6e8cea6a1f
commit 2cb6bb6a3c
Signed by: SebastianStork
SSH key fingerprint: SHA256:tRrGdjYOwgHxpSc/wTOZQZEjxcb15P0tyXRsbAfd+2Q
5 changed files with 105 additions and 95 deletions
Download patch file Download diff file Expand all files Collapse all files

62
flake-parts/install-anywhere.nix
View file

@ -1,62 +0,0 @@
_: {
perSystem =
{ pkgs, ... }:
{
packages.install-anywhere = pkgs.writeShellApplication {
name = "install-anywhere";
runtimeInputs = [
pkgs.sops
pkgs.ssh-to-age
pkgs.bitwarden-cli
];
text = ''
if [[ $# -ne 2 ]]; then
echo "Usage: $0 <host> <destination>"
exit 1
fi
host="$1"
destination="$2"
root="$(mktemp --directory)"
impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
if [ "$impermanence" = true ]; then
ssh_dir="$root/persist/etc/ssh"
else
ssh_dir="$root/etc/ssh"
fi
echo "==> Generating new SSH host keys..."
mkdir --parents "$ssh_dir"
ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
echo "==> Replacing old age key with new age key..."
new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
echo "$new_age_key" > "hosts/$host/keys/age.pub"
echo "==> Updating SOPS secrets..."
if ! declare -px BW_SESSION >/dev/null 2>&1; then
BW_SESSION="$(bw unlock --raw || bw login --raw)"
export BW_SESSION
fi
if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
export SOPS_AGE_KEY
fi
SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
export SOPS_CONFIG
sops updatekeys --yes "hosts/$host/secrets.json"
echo "==> Installing system..."
nix run github:nix-community/nixos-anywhere -- \
--extra-files "$root" \
--flake ".#$host" \
--target-host "$destination"
rm -rf "$root"
'';
};
};
}

33
flake-parts/nebula.nix
View file

@ -16,38 +16,5 @@ _: {
fi fi
''; '';
}; };
packages.nebula-regen-host-cert = pkgs.writeShellApplication {
name = "nebula-regen-host-cert";
runtimeInputs = [
pkgs.nebula
pkgs.bitwarden-cli
];
text = ''
if [[ $# -ne 1 ]]; then
echo "Usage: $0 <host>"
exit 1
fi
host="$1"
address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
ca_cert='modules/system/services/nebula/ca.crt'
host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
host_cert="''${host_cert#*-source/}"
if ! declare -px BW_SESSION >/dev/null 2>&1; then
BW_SESSION="$(bw unlock --raw || bw login --raw)"
fi
ca_key="$(mktemp)"
chmod 600 "$ca_key"
trap 'rm -f "$ca_key"' EXIT
bw get notes 'nebula ca-key' > "$ca_key"
rm -f "$host_cert"
nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
'';
};
}; };
} }

13
flake-parts/scripts.nix Normal file
View file

@ -0,0 +1,13 @@
{ self, ... }:
{
perSystem =
{ pkgs, lib, ... }:
{
packages =
"${self}/scripts"
|> builtins.readDir
|> lib.attrNames
|> lib.map (name: name |> lib.removeSuffix ".nix")
|> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
};
}

57
scripts/install-anywhere.nix Normal file
View file

@ -0,0 +1,57 @@
{ pkgs }:
pkgs.writeShellApplication {
name = "install-anywhere";
runtimeInputs = [
pkgs.sops
pkgs.ssh-to-age
pkgs.bitwarden-cli
];
text = ''
if [[ $# -ne 2 ]]; then
echo "Usage: $0 <host> <destination>"
exit 1
fi
host="$1"
destination="$2"
root="$(mktemp --directory)"
impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
if [ "$impermanence" = true ]; then
ssh_dir="$root/persist/etc/ssh"
else
ssh_dir="$root/etc/ssh"
fi
echo "==> Generating new SSH host keys..."
mkdir --parents "$ssh_dir"
ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
echo "==> Replacing old age key with new age key..."
new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
echo "$new_age_key" > "hosts/$host/keys/age.pub"
echo "==> Updating SOPS secrets..."
if ! declare -px BW_SESSION >/dev/null 2>&1; then
BW_SESSION="$(bw unlock --raw || bw login --raw)"
export BW_SESSION
fi
if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
export SOPS_AGE_KEY
fi
SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
export SOPS_CONFIG
sops updatekeys --yes "hosts/$host/secrets.json"
echo "==> Installing system..."
nix run github:nix-community/nixos-anywhere -- \
--extra-files "$root" \
--flake ".#$host" \
--target-host "$destination"
rm -rf "$root"
'';
}

35
scripts/nebula-regen-host-cert.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs }:
pkgs.writeShellApplication {
name = "nebula-regen-host-cert";
runtimeInputs = [
pkgs.nebula
pkgs.bitwarden-cli
];
text = ''
if [[ $# -ne 1 ]]; then
echo "Usage: $0 <host>"
exit 1
fi
host="$1"
address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
ca_cert='modules/system/services/nebula/ca.crt'
host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
host_cert="''${host_cert#*-source/}"
if ! declare -px BW_SESSION >/dev/null 2>&1; then
BW_SESSION="$(bw unlock --raw || bw login --raw)"
fi
ca_key="$(mktemp)"
chmod 600 "$ca_key"
trap 'rm -f "$ca_key"' EXIT
bw get notes 'nebula ca-key' > "$ca_key"
rm -f "$host_cert"
nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
'';
}