sam
/
nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sam:e6f0770f97817d58e5dd3c9a04a4187654a0fdcf
Branches Tags
sam:master
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:development
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules
..
compare: sam:ecdf80143d211af689aef890067cd7ec26ad59a6
Branches Tags
sam:master
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:development
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules

No commits in common. "e6f0770f97817d58e5dd3c9a04a4187654a0fdcf" and "ecdf80143d211af689aef890067cd7ec26ad59a6" have entirely different histories.
e6f0770f97 ... ecdf80143d

23 changed files with 89 additions and 206 deletions
Show Stats Expand all files Collapse all files

75
flake.lock
View File

@ -45,16 +45,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715070411, "lastModified": 1718846788,
"narHash": "sha256-5CNvkH0Nf7yMwgKhjUNg/lUK40C7DXB4zKOuA2jVO90=", "narHash": "sha256-9dtXYtEkmXoUJV+PGLqscqF7qTn4AIhAKpFWRFU2NYs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "4677f6c53482a8b01ee93957e3bdd569d51261d6", "rev": "e1174d991944a01eaaa04bc59c6281edca4c0e6e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "v1.6.1",
"repo": "disko", "repo": "disko",
"type": "github" "type": "github"
} }
@ -142,11 +141,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719259945, "lastModified": 1718879355,
"narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=", "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07", "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -222,11 +221,11 @@
}, },
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1719091691, "lastModified": 1717932370,
"narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=", "narHash": "sha256-7C5lCpiWiyPoIACOcu2mukn/1JRtz6HC/1aEMhUdcw0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a", "rev": "27979f1c3a0d3b9617a3563e2839114ba7d48d3f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -262,11 +261,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719128254, "lastModified": 1718662658,
"narHash": "sha256-I7jMpq0CAOZA/i70+HDQO/ulLttyQu/K70cSESiMX7A=", "narHash": "sha256-AKG7BsqtVWDlefgzyKz7vjaKTLi4+bmTSBhowbQoZtM=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "50581970f37f06a4719001735828519925ef8310", "rev": "29b3096a6e283d7e6779187244cb2a3942239fdf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -278,11 +277,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1719601133, "lastModified": 1718651801,
"narHash": "sha256-2+e92LyX1fFj3mIZft+K8OzR9NT/1xtheO8hO/3DyRc=", "narHash": "sha256-YoYeg48dhvHzwcwb+TJMv4vlB4tcics9u6N/kXxfUYA=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "278ccbbd646e86cab5fd38d43d9134270d8123d0", "rev": "e02bf3cecdb9a49e9cc9e777b8406f5ab28a2566",
"revCount": 141, "revCount": 94,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -293,11 +292,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719426051, "lastModified": 1718835956,
"narHash": "sha256-yJL9VYQhaRM7xs0M867ZFxwaONB9T2Q4LnGo1WovuR4=", "narHash": "sha256-wM9v2yIxClRYsGHut5vHICZTK7xdrUGfrLkXvSuv6s4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "89c49874fb15f4124bf71ca5f42a04f2ee5825fd", "rev": "dd457de7e08c6d06789b1f5b88fc9327f4d96309",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -324,11 +323,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1719099622, "lastModified": 1718478900,
"narHash": "sha256-YzJECAxFt+U5LPYf/pCwW/e1iUd2PF21WITHY9B/BAs=", "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5e8e3b89adbd0be63192f6e645e0a54080004924", "rev": "c884223af91820615a6146af1ae1fea25c107005",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -340,11 +339,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1719254875, "lastModified": 1718895438,
"narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", "narHash": "sha256-k3JqJrkdoYwE3fHE6xGDY676AYmyh4U2Zw+0Bwe5DLU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", "rev": "d603719ec6e294f034936c0d0dc06f689d91b6c3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -368,11 +367,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1719469291, "lastModified": 1718966331,
"narHash": "sha256-Efir01r7ThPabDBFOygX1UDyerJFHelbRGdMo/VNw14=", "narHash": "sha256-JKc3awrDQhdYT9LUAVgt74rFVcSrZ+VgNTsWLo2Kp24=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "8f52e4d1e34039937efb0ee05825b9963ef29739", "rev": "1cd17226d5c75d20df2ebb754c3fc60ccc735a25",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -384,11 +383,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1719596768, "lastModified": 1719053107,
"narHash": "sha256-quSWztqqMxvSJIKddYp1D0GdR7Kg8JjEVCIzMbtBTQ4=", "narHash": "sha256-gUnarEm0XN7xVK2s9t7eEEixctynaERMruLdzkDloV8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "35e48702118124ec52a071e300f55c78a4b7b338", "rev": "f1b52ba4df9226117b0f33b5226ccea7aad08068",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -419,11 +418,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1719268571, "lastModified": 1718506969,
"narHash": "sha256-pcUk2Fg5vPXLUEnFI97qaB8hto/IToRfqskFqsjvjb8=", "narHash": "sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg=",
"owner": "mic92", "owner": "mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c2ea1186c0cbfa4d06d406ae50f3e4b085ddc9b3", "rev": "797ce4c1f45a85df6dd3d9abdc53f2691bea9251",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -455,11 +454,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719243788, "lastModified": 1718522839,
"narHash": "sha256-9T9mSY35EZSM1KAwb7K9zwQ78qTlLjosZgtUGnw4rn4=", "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "065a23edceff48f948816b795ea8cc6c0dee7cdf", "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
"type": "github" "type": "github"
}, },
"original": { "original": {

12
flake.nix
View File

@ -26,7 +26,7 @@
# Declarative partitioning and formatting # Declarative partitioning and formatting
disko = { disko = {
url = "github:nix-community/disko/v1.6.1"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@ -115,16 +115,6 @@
} }
]; ];
}; };
nebula = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/nebula
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
}; };
}; };
} }

3
home/common/core/default.nix
View File

@ -4,6 +4,7 @@
inputs.nix-colors.homeManagerModules.default inputs.nix-colors.homeManagerModules.default
./zsh.nix ./zsh.nix
./nixvim ./nixvim
./fonts.nix
]; ];
nixpkgs.overlays = [ nixpkgs.overlays = [
@ -28,5 +29,5 @@
libqalculate libqalculate
; ;
}; };
home.stateVersion = "24.05"; home.stateVersion = "23.11";
} }

15
home/common/core/fonts.nix Normal file
View File

@ -0,0 +1,15 @@
{ pkgs, ... }:
{
fonts.fontconfig.enable = true;
home.packages = with pkgs; [
nerdfonts
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
hack-font
liberation_ttf
libertine
font-awesome
];
}

14
home/common/optional/desktop/common/fontconfig.nix
View File

@ -1,16 +1,4 @@
{ ... }: { ... }: {
{
fonts.fontconfig.enable = true;
home.packages = with pkgs; [
nerdfonts
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
hack-font
liberation_ttf
libertine
font-awesome
];
fonts = { fonts = {
fontconfig = { fontconfig = {
defaultFonts = { defaultFonts = {

13
home/nebula.nix
View File

@ -1,13 +0,0 @@
{ ...
}: {
imports = [
# Import users
./users/admin
./common/core
# Import optional
./common/optional/git.nix
];
}

1
home/users/admin/default.nix
View File

@ -3,6 +3,7 @@
{ {
home.username = "admin"; home.username = "admin";
home.homeDirectory = "/home/admin"; home.homeDirectory = "/home/admin";
home.stateVersion = "23.11";
imports = [ imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules? ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?

1
home/users/media/default.nix
View File

@ -3,6 +3,7 @@
{ {
home.username = "media"; home.username = "media";
home.homeDirectory = "/home/media"; home.homeDirectory = "/home/media";
home.stateVersion = "23.11";
imports = [ imports = [
inputs.impermanence.nixosModules.home-manager.impermanence inputs.impermanence.nixosModules.home-manager.impermanence

1
home/users/sam/default.nix
View File

@ -3,6 +3,7 @@
{ {
home.username = "sam"; home.username = "sam";
home.homeDirectory = "/home/sam"; home.homeDirectory = "/home/sam";
home.stateVersion = "23.11";
imports = [ imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules? ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?

3
hosts/common/core/default.nix
View File

@ -4,7 +4,6 @@ let
in in
{ {
imports = [ imports = [
inputs.impermanence.nixosModules.impermanence
./sops.nix ./sops.nix
./locale.nix ./locale.nix
]; ];
@ -45,5 +44,5 @@ in
pkgs.vim pkgs.vim
]; ];
system.stateVersion = "24.05"; system.stateVersion = "23.11";
} }

0
hosts/common/disks/btrfs/impermanence.nix → hosts/common/disks/btrfs-impermanence.nix
View File

7
hosts/common/disks/luks.nix → hosts/common/disks/btrfs-luks.nix
View File

@ -1,7 +1,4 @@
{ {device ? throw "Must define a device, e.g. /dev/sda"}:
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{ {
disko.devices = { disko.devices = {
disk = { disk = {
@ -29,7 +26,7 @@ fsModule ? "Must specify submodule"
type = "luks"; type = "luks";
name = "crypted"; name = "crypted";
passwordFile = "/tmp/luks_secret.key"; # Interactive passwordFile = "/tmp/luks_secret.key"; # Interactive
content = (import "${fsModule}"); content = (import ./btrfs-persist.nix);
}; };
}; };
}; };

7
hosts/common/disks/lvm.nix → hosts/common/disks/btrfs-lvm.nix
View File

@ -1,7 +1,4 @@
{ {device ? throw "Must define a device, e.g. /dev/sda"}:
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{ {
disko.devices = { disko.devices = {
disk.main = { disk.main = {
@ -39,7 +36,7 @@ fsModule ? "Must specify submodule"
lvs = { lvs = {
root = { root = {
size = "100%FREE"; size = "100%FREE";
content = (import "${fsModule}"); content = (import ./btrfs-persist.nix);
}; };
}; };
}; };

0
hosts/common/disks/btrfs/persist.nix → hosts/common/disks/btrfs-persist.nix
View File

21
hosts/common/disks/btrfs/standard.nix
View File

@ -1,21 +0,0 @@
{
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
}

16
hosts/common/disks/default.nix
View File

@ -1,11 +1,11 @@
{ device, fsType, encrypted, impermanence, ... }: { device, fsType, encrypted, ... }:
let let
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix; # basic and perists configs. basic fs = ext4, persist fs = btrfs either encrypted or under lvm
basic = import ./${fsType}/basic.nix { inherit device; }; basic = import ./gpt-bios-compact.nix { inherit device; };
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; }; btrfs-persist-lvm = import ./btrfs-lvm.nix { inherit device; };
luks = import ./luks.nix { inherit device; fsModule = fsModule; }; btrfs-persist-luks = import ./btrfs-luks.nix { inherit device; };
in in
if fsType == "ext4" then basic if fsType == "ext4" then basic
else if fsType == "btrfs" && encrypted then luks else if fsType == "btrfs" && encrypted then btrfs-persist-luks
else if fsType == "btrfs" then lvm else if fsType == "btrfs" then btrfs-persist-lvm
else null else null # or some default value

0
hosts/common/disks/ext4/basic.nix → hosts/common/disks/gpt-bios-compact.nix
View File

7
hosts/common/users/admin/default.nix
View File

@ -15,9 +15,14 @@ in
hashedPasswordFile = sopsHashedPasswordFile; hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = ["wheel"]; extraGroups =
[
"wheel"
];
packages = with pkgs; [ packages = with pkgs; [
flatpak
gnome.gnome-software
]; ];
}; };

51
hosts/nebula/default.nix
View File

@ -1,51 +0,0 @@
{ inputs, config, lib, pkgs, outputs, ... }:
let
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
impermanence = false; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
user = "admin";
in
{
imports =
[
# Create users for this host
../common/users/${user}
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
../common/optional/openssh.nix
];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
networking = {
hostName = "nebula";
networkmanager.enable = true;
enableIPv6 = false;
};
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
networking.hostId = "18aec5d7";
services.libinput.enable = true;
}

24
hosts/nebula/hardware-configuration.nix
View File

@ -1,24 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

6
hosts/semita/default.nix
View File

@ -6,7 +6,6 @@ let
encrypted = true; # currrently only applies to btrfs encrypted = true; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root"; btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
user = "sam"; user = "sam";
impermanence = true;
in in
{ {
imports = imports =
@ -16,10 +15,11 @@ in
# Disk configuration # Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; }) (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
# Impermanence # Impermanence
(import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; }) inputs.impermanence.nixosModules.impermanence
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix

6
hosts/sparky/default.nix
View File

@ -5,7 +5,6 @@ let
dev = "/dev/sda"; # depends on target hardware dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root"; btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
impermanence = true;
in in
{ {
imports = imports =
@ -15,10 +14,11 @@ in
# Disk configuration # Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; }) (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
# Impermanence # Impermanence
(import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; }) inputs.impermanence.nixosModules.impermanence
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix

12
scripts/bootstrap.sh
View File

@ -17,8 +17,6 @@ read -p "Enter hostname of target: " hostname
read -p "Enter IP of target: " ip read -p "Enter IP of target: " ip
read -p "Enter config to install on target: " config read -p "Enter config to install on target: " config
read -p "Enter username (if none, use 'root'): " username read -p "Enter username (if none, use 'root'): " username
read -p "Using impermanence? (yes|no): " impermanence
[ "$impermanence" = "yes" ] && persist="/persist"
# Delete key in known hosts if exists # Delete key in known hosts if exists
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
@ -38,11 +36,11 @@ cleanup() {
trap cleanup EXIT trap cleanup EXIT
# Create the directory for target host keys # Create the directory for target host keys
install -d -m755 "$temp$persist/etc/ssh" install -d -m755 "$temp/persist/etc/ssh"
# Create ssh keys # Create ssh keys
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
# Extract luks key from secrets # Extract luks key from secrets
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml") luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml")
@ -50,7 +48,7 @@ echo "$luks_secret" > /tmp/luks_secret.key
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -69,10 +67,10 @@ sed -i "{
just update-sops-secrets && just update-flake-secrets && just update-flake just update-sops-secrets && just update-flake-secrets && just update-flake
# Copy current nix config over to target # Copy current nix config over to target
cp -prv . "$temp$persist/etc/nixos" cp -prv . "$temp/persist/etc/nixos"
# Install Nixos to target # Install Nixos to target
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts