diff --git a/flake-parts/dev-shells.nix b/flake-parts/dev-shells.nix
deleted file mode 100644
index 6d8ac6a..0000000
--- a/flake-parts/dev-shells.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-_: {
- perSystem =
- { self', pkgs, ... }:
- {
- devShells = {
- sops = pkgs.mkShellNoCC {
- packages = [
- pkgs.sops
- pkgs.age
- pkgs.ssh-to-age
- pkgs.bitwarden-cli
- ];
-
- shellHook = ''
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
- SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
- export SOPS_AGE_KEY
- fi
- SOPS_CONFIG="${self'.packages.sops-config}"
- export SOPS_CONFIG
- '';
- };
-
- nebula = pkgs.mkShellNoCC {
- packages = [
- pkgs.nebula
- pkgs.bitwarden-cli
- self'.packages.nebula-regen-host-cert
- ];
-
- shellHook = ''
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- '';
- };
- };
- };
-}
diff --git a/flake-parts/install-anywhere.nix b/flake-parts/install-anywhere.nix
new file mode 100644
index 0000000..c0f1570
--- /dev/null
+++ b/flake-parts/install-anywhere.nix
@@ -0,0 +1,62 @@
+_: {
+ perSystem =
+ { pkgs, ... }:
+ {
+ packages.install-anywhere = pkgs.writeShellApplication {
+ name = "install-anywhere";
+
+ runtimeInputs = [
+ pkgs.sops
+ pkgs.ssh-to-age
+ pkgs.bitwarden-cli
+ ];
+
+ text = ''
+ if [[ $# -ne 2 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+ destination="$2"
+ root="$(mktemp --directory)"
+
+ impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
+ if [ "$impermanence" = true ]; then
+ ssh_dir="$root/persist/etc/ssh"
+ else
+ ssh_dir="$root/etc/ssh"
+ fi
+
+ echo "==> Generating new SSH host keys..."
+ mkdir --parents "$ssh_dir"
+ ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
+
+ echo "==> Replacing old age key with new age key..."
+ new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
+ echo "$new_age_key" > "hosts/$host/keys/age.pub"
+
+ echo "==> Updating SOPS secrets..."
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+ export SOPS_AGE_KEY
+ fi
+ SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
+ export SOPS_CONFIG
+ sops updatekeys --yes "hosts/$host/secrets.json"
+
+ echo "==> Installing system..."
+ nix run github:nix-community/nixos-anywhere -- \
+ --extra-files "$root" \
+ --flake ".#$host" \
+ --target-host "$destination"
+
+ rm -rf "$root"
+ '';
+ };
+ };
+}
diff --git a/flake-parts/nebula.nix b/flake-parts/nebula.nix
new file mode 100644
index 0000000..813c8cb
--- /dev/null
+++ b/flake-parts/nebula.nix
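Review bot: The temporary tree in `root` holds the freshly generated private host key (`ssh_host_ed25519_key`), yet it is only removed by the final `rm -rf "$root"`; because writeShellApplication runs its text with errexit, any failure in `sops updatekeys` or the `nixos-anywhere` run exits before that line and leaves the private key on disk. Register the cleanup at creation time instead: `root="$(mktemp --directory)"` followed by `trap 'rm -rf "$root"' EXIT`, which also makes the trailing `rm -rf` redundant. The usage line `echo "Usage: $0 "` appears to have lost its argument placeholders (possibly in extraction); if the string really is empty, the two expected arguments should be named there. Note as well that `hosts/$host/keys/age.pub` and `hosts/$host/secrets.json` are rewritten before the install starts, so a failed install leaves the secrets re-encrypted to a key whose private half only ever existed in the temp dir — worth a comment on the `echo "$new_age_key" > ...` line so an operator knows to re-run rather than reuse the old key.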
@@ -0,0 +1,53 @@
+_: {
+ perSystem =
+ { self', pkgs, ... }:
+ {
+ devShells.nebula = pkgs.mkShellNoCC {
+ packages = [
+ pkgs.nebula
+ pkgs.bitwarden-cli
+ self'.packages.nebula-regen-host-cert
+ ];
+
+ shellHook = ''
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ '';
+ };
+
+ packages.nebula-regen-host-cert = pkgs.writeShellApplication {
+ name = "nebula-regen-host-cert";
+ runtimeInputs = [
+ pkgs.nebula
+ pkgs.bitwarden-cli
+ ];
+ text = ''
+ if [[ $# -ne 1 ]]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+
+ host="$1"
+ address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
+ ca_cert='modules/system/services/nebula/ca.crt'
+ host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
+ host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
+ host_cert="''${host_cert#*-source/}"
+
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ fi
+
+ ca_key="$(mktemp)"
+ chmod 600 "$ca_key"
+ trap 'rm -f "$ca_key"' EXIT
+ bw get notes 'nebula ca-key' > "$ca_key"
+
+ rm -f "$host_cert"
+ nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
+ '';
+ };
+ };
+}
diff --git a/flake-parts/scripts.nix b/flake-parts/scripts.nix
deleted file mode 100644
index 62fecf0..0000000
--- a/flake-parts/scripts.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ self, ... }:
-{
- perSystem =
- { pkgs, lib, ... }:
- {
- packages =
- "${self}/scripts"
- |> builtins.readDir
- |> lib.attrNames
- |> lib.map (name: name |> lib.removeSuffix ".nix")
- |> self.lib.genAttrs (name: import "${self}/scripts/${name}.nix" { inherit pkgs; });
- };
-}
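Review bot: In the `nebula-regen-host-cert` text the session guard assigns `BW_SESSION="$(bw unlock --raw || bw login --raw)"` but no longer exports it, unlike the deleted `scripts/nebula-regen-host-cert.nix` and the devShell hook a few lines above in the same file; when the script is started without an exported session, the later `bw get notes 'nebula ca-key'` runs as a child process that cannot see the shell-local variable and fails against a locked vault. Restore `export BW_SESSION` directly after the assignment. The `mktemp`/`chmod 600`/`trap` handling of `ca_key` is right, but a one-line comment saying why the CA private key has to be materialised as a file at all (`nebula-cert sign` takes `-ca-key` as a path) would help the next reader understand that it is unavoidable rather than careless. Finally, `rm -f "$host_cert"` runs before the new certificate exists — presumably because `nebula-cert` refuses to overwrite — so a failed sign leaves the host with no certificate; signing to a temporary path and moving it into place would avoid that window.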
diff --git a/flake-parts/sops-config.nix b/flake-parts/sops.nix
similarity index 64%
rename from flake-parts/sops-config.nix
rename to flake-parts/sops.nix
index 1d9f167..2022158 100644
--- a/flake-parts/sops-config.nix
+++ b/flake-parts/sops.nix
@@ -1,7 +1,12 @@
 { self, ... }:
 {
 perSystem =
- { pkgs, lib, ... }:
+ {
+ self',
+ pkgs,
+ lib,
+ ...
+ }:
 {
 packages.sops-config =
 let
@@ -37,5 +42,27 @@
 pkgs.runCommand "sops.yaml" { buildInputs = [ pkgs.yj ]; } ''
 echo '${jsonConfig}' | yj -jy > $out
 '';
+
+ devShells.sops = pkgs.mkShellNoCC {
+ packages = [
+ pkgs.sops
+ pkgs.age
+ pkgs.ssh-to-age
+ ];
+
+ nativeBuildInputs = [ pkgs.bitwarden-cli ];
+ shellHook = ''
+ if ! declare -px BW_SESSION >/dev/null 2>&1; then
+ BW_SESSION="$(bw unlock --raw || bw login --raw)"
+ export BW_SESSION
+ fi
+ if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
+ SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
+ export SOPS_AGE_KEY
+ fi
+ SOPS_CONFIG="${self'.packages.sops-config}"
+ export SOPS_CONFIG
+ '';
+ };
 };
 }
diff --git a/scripts/install-anywhere.nix b/scripts/install-anywhere.nix
deleted file mode 100644
index 10be289..0000000
--- a/scripts/install-anywhere.nix
+++ /dev/null
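Review bot: In the second hunk of `flake-parts/sops.nix`, `nativeBuildInputs = [ pkgs.bitwarden-cli ];` sits apart from the `packages` list even though every other tool the shell needs is in `packages`, and the nebula devShell in `flake-parts/nebula.nix` keeps `pkgs.bitwarden-cli` in `packages`; moving it there (`pkgs.ssh-to-age` followed by `pkgs.bitwarden-cli` inside the list) keeps the two shells consistent. The `SOPS_AGE_KEY` branch also exports whatever `bw get notes 'admin age-key'` printed, including an empty string when the fetch fails, and since a shellHook is not run under errexit the shell still opens with an empty but exported key that the `declare -px` guard then treats as already set on the next entry. A one-line check after the assignment, `[[ -n "$SOPS_AGE_KEY" ]] || echo "sops devShell: could not fetch admin age key from Bitwarden" >&2`, makes that failure visible. It would also be worth a short comment above the hook noting that the admin age private key is placed in the environment of every process started from this shell, so operators know to use it only for the sops workflow it is meant for.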
@@ -1,57 +0,0 @@
-{ pkgs }:
-pkgs.writeShellApplication {
- name = "install-anywhere";
-
- runtimeInputs = [
- pkgs.sops
- pkgs.ssh-to-age
- pkgs.bitwarden-cli
- ];
-
- text = ''
- if [[ $# -ne 2 ]]; then
- echo "Usage: $0 "
- exit 1
- fi
-
- host="$1"
- destination="$2"
- root="$(mktemp --directory)"
-
- impermanence="$(nix eval ".#nixosConfigurations.$host.config.custom.persistence.enable")"
- if [ "$impermanence" = true ]; then
- ssh_dir="$root/persist/etc/ssh"
- else
- ssh_dir="$root/etc/ssh"
- fi
-
- echo "==> Generating new SSH host keys..."
- mkdir --parents "$ssh_dir"
- ssh-keygen -C "root@$host" -f "$ssh_dir/ssh_host_ed25519_key" -N "" -q
-
- echo "==> Replacing old age key with new age key..."
- new_age_key="$(ssh-to-age -i "$ssh_dir/ssh_host_ed25519_key.pub")"
- echo "$new_age_key" > "hosts/$host/keys/age.pub"
-
- echo "==> Updating SOPS secrets..."
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
- if ! declare -px SOPS_AGE_KEY >/dev/null 2>&1; then
- SOPS_AGE_KEY="$(bw get notes 'admin age-key')"
- export SOPS_AGE_KEY
- fi
- SOPS_CONFIG="$(nix build .#sops-config --print-out-paths)"
- export SOPS_CONFIG
- sops updatekeys --yes "hosts/$host/secrets.json"
-
- echo "==> Installing system..."
- nix run github:nix-community/nixos-anywhere -- \
- --extra-files "$root" \
- --flake ".#$host" \
- --target-host "$destination"
-
- rm -rf "$root"
- '';
-}
diff --git a/scripts/nebula-regen-host-cert.nix b/scripts/nebula-regen-host-cert.nix
deleted file mode 100644
index 1d6e75d..0000000
--- a/scripts/nebula-regen-host-cert.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ pkgs }:
-pkgs.writeShellApplication {
- name = "nebula-regen-host-cert";
-
- runtimeInputs = [
- pkgs.nebula
- pkgs.bitwarden-cli
- ];
-
- text = ''
- if [[ $# -ne 1 ]]; then
- echo "Usage: $0 "
- exit 1
- fi
-
- host="$1"
- address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
- ca_cert='modules/system/services/nebula/ca.crt'
- host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
- host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
- host_cert="''${host_cert#*-source/}"
-
- if ! declare -px BW_SESSION >/dev/null 2>&1; then
- BW_SESSION="$(bw unlock --raw || bw login --raw)"
- export BW_SESSION
- fi
-
- ca_key="$(mktemp)"
- chmod 600 "$ca_key"
- trap 'rm -f "$ca_key"' EXIT
- bw get notes 'nebula ca-key' > "$ca_key"
-
- rm -f "$host_cert"
- nebula-cert sign -name "$host" -networks "$address" -ca-crt "$ca_cert" -ca-key "$ca_key" -in-pub "$host_pub" -out-crt "$host_cert"
- '';
-}