Flakify lib, sas

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

scripts/add-host.sh

@@ -0,0 +1,209 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "$#" -ne 1 ]]; then
+  echo "Usage: $0 <host>"
+  exit 1
+fi
+
+host="$1"
+
+mkdir -p "./secrets/hosts/$host"
+ssh-keygen -t ed25519 -f "./secrets/hosts/$host/ssh_host_ed25519_key" -C "root@$host" -N ""
+age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
+
+cat <<EOF > "./secrets/hosts/$host/sops.yaml"
+keys:
+  - hosts:
+      - &$host $age_key
+  - namespaces:
+      - &personal $(age-keygen -y ./secrets/domains/personal/key.txt | tr -d '\n')
+
+creation_rules:
+  - path_regex: .+\.(yaml|yml|json|env|ini|bin)
+    key_groups:
+      - age:
+          - *$host
+          - *personal
+EOF
+
+luks=""
+luks_confirm=""
+
+until [[ "$luks" == "$luks_confirm" && -n "$luks" ]]; do
+  read -r -s -p "Enter LUKS passphrase for $host: " luks
+  echo
+  read -r -s -p "Confirm LUKS passphrase for $host: " luks_confirm
+  echo
+
+  if [[ "$luks" != "$luks_confirm" ]]; then
+    echo "They didn't match. Let's try again."
+  fi
+done
+
+machine_id=$(uuidgen -r | tr -d -)
+
+cat <<EOF > "./secrets/hosts/$host/.decrypted~secrets.yaml"
+luks: '$luks'
+machineId: $machine_id
+EOF
+
+tmp_age_key="$(mktemp)"
+echo "$age_key" > "$tmp_age_key"
+export SOPS_AGE_KEY_FILE="$tmp_age_key"
+
+sops --config "./secrets/hosts/$host/sops.yaml" --encrypt "./secrets/hosts/$host/.decrypted~secrets.yaml" > "./secrets/hosts/$host/secrets.yaml"
+
+unset SOPS_AGE_KEY_FILE
+rm -f "$tmp_age_key"
+rm -f "./secrets/hosts/$host/.decrypted~secrets.yaml"
+
+mkdir -p "./hosts/$host/hardware"
+
+cat <<'EOF' > "./hosts/$host/hardware/default.nix"
+{ ... }:
+{
+
+}
+EOF
+
+cat <<'EOF' > "./hosts/$host/format.nix"
+{
+  disko.devices = {
+    disk.main = {
+      device = ""; # TODO: Set this to the device you want to install to
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "esp";
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
+            };
+          };
+          swap = {
+            name = "swap";
+            size = ""; # TODO: Set this to the swap size you want
+            content = {
+              type = "swap";
+              resumeDevice = true;
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              name = "main";
+              type = "luks";
+              passwordFile = "/tmp/keyfile";
+              settings = {
+                allowDiscards = true;
+              };
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes =
+                  let
+                    mountOptions = [
+                      "compress=zstd:1"
+                      "noatime"
+                    ];
+                  in
+                  {
+                    "@" = {
+                      mountpoint = "/";
+                      inherit mountOptions;
+                    };
+                    "@persist" = {
+                      mountpoint = "/persist";
+                      inherit mountOptions;
+                    };
+                    "@persist/user" = {
+                      mountpoint = "/persist/user";
+                      inherit mountOptions;
+                    };
+                    "@persist/state" = {
+                      mountpoint = "/persist/state";
+                      inherit mountOptions;
+                    };
+                    "@persist/cache" = {
+                      mountpoint = "/persist/cache";
+                      inherit mountOptions;
+                    };
+                    "@nix" = {
+                      mountpoint = "/nix";
+                      inherit mountOptions;
+                    };
+                  };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
+EOF
+
+cat <<EOF > "./hosts/$host/default.nix"
+{ inputs, ... }:
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    ./format.nix
+    ./hardware
+
+    ../common/configs/system
+
+    ../common/configs/system/boot
+    ../common/configs/system/btrfs
+    ../common/configs/system/documentation
+    ../common/configs/system/impermanence
+    ../common/configs/system/nix
+    ../common/configs/system/nix-cleanup
+    ../common/configs/system/nixpkgs
+    ../common/configs/system/ntp
+    ../common/configs/system/sops
+    ../common/configs/system/system
+    ../common/configs/system/users
+    ../common/configs/system/zsh
+  ];
+
+  networking.hostName = "$host";
+}
+EOF
+
+cat <<EOF > "./hosts/$host/README.md"
+# $host
+EOF
+
+sed -i "/nixosConfigurations = {/a\\
+          $host = mkNixosConfiguration inputs system [ ./hosts/$host ];\n" flake.nix
+
+sed -i "/knownHosts = {/a\\    $host.publicKeyFile = \"\${inputs.secrets}/$host/ssh_host_ed25519_key.pub\";" ./hosts/common/configs/system/ssh/default.nix
+
+new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
+last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1)
+sed -i "${last_table_line}a$new_entry" README.md
+
+nix fmt
+
+echo "Host $host has been successfully added."
+echo "Age Public Key: $age_key"
+echo
+echo "If you need user-level SSH keys, generate them like this:"
+echo "  ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_${host}_<user>"

scripts/remove-host.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "$#" -ne 1 ]]; then
+  echo "Usage: $0 <host>"
+  exit 1
+fi
+
+host="$1"
+
+age_key=$(ssh-to-age < "./secrets/hosts/$host/ssh_host_ed25519_key.pub")
+
+find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
+  sed -i "/      - &$host $age_key/d" "$sops_file"
+  sed -i "/          - \*$host/d" "$sops_file"
+done
+
+sed -i "/$host = mkNixosConfiguration/d" flake.nix
+sed -i "/\`$host\`/d" ./README.md
+
+rm -rf "./hosts/$host"
+
+"$(dirname "$0")/update-keys.sh"
+
+echo "Please remove SSH key pairs for any users that used to connect to $host."
+echo "Host $host has been successfully removed."

scripts/update-keys.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+find . -type f -name 'sops.yaml' | while IFS= read -r sops_file; do
+  dir=$(dirname "$sops_file")
+
+  namespace=$(grep -A1 "namespaces:" "$sops_file" | tail -n1 | awk '{print $2}' | tr -d '&')
+  SOPS_AGE_KEY_FILE="./secrets/$namespace/key.txt"
+  export SOPS_AGE_KEY_FILE
+
+  find "$dir" -maxdepth 1 -type f -regextype posix-extended \
+    -regex '.+\.(yaml|yml|json|env|ini|bin)' \
+    ! -name 'sops.yaml' | while IFS= read -r file; do
+      sops --config "$sops_file" updatekeys "$file" -y
+    done
+
+  unset SOPS_AGE_KEY_FILE
+done

scripts/update.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+find . -type f -name "*.nix" | while read -r file; do
+  update_command=$(grep -oP '^#\s*AUTO-UPDATE:\s*\K.+' "$file" || true)
+  if [[ -n "$update_command" ]]; then
+    echo "Running update command in: $file"
+    eval "$update_command"
+  fi
+done
+
+nix flake update