nix/scripts/add-host.sh
Nikolaos Karaolidis 0029917dfa Let's hope WSL is not against company policy
If you are looking at this, you know who you are

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-08-19 11:55:35 +03:00


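#!/usr/bin/env bash
#
# add-host.sh — scaffold a new NixOS host in this repository.
#
# Usage: nix/scripts/add-host.sh <host>
#
# Run from the repository root. Creates the host's SSH host key, its sops
# configuration and encrypted secrets (LUKS passphrase + machine-id) under
# ./submodules/secrets/hosts/<host>, a skeleton configuration under
# ./hosts/<host>, and registers the host in flake.nix, the SSH knownHosts
# module and the top-level README.md host table.
#
# Required tools: ssh-keygen, ssh-to-age, age-keygen, uuidgen, sops, sed, nix.
set -o errexit
set -o nounset
set -o pipefail

readonly SECRETS_ROOT="./submodules/secrets/hosts"
readonly PERSONAL_KEY_FILE="./submodules/secrets/domains/personal/key.txt"

# Files holding plaintext material; removed by cleanup() on every exit path so
# an aborted run never leaves the LUKS passphrase on disk.
tmp_age_key=""
plain_secrets=""

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message parts, joined by spaces
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove plaintext artefacts (decrypted secrets file, temporary age key file).
# Registered as the EXIT trap; safe to run when nothing was created yet.
# Globals: tmp_age_key, plain_secrets (read)
#######################################
cleanup() {
  if [[ -n "$tmp_age_key" ]]; then
    rm -f -- "$tmp_age_key"
  fi
  if [[ -n "$plain_secrets" ]]; then
    rm -f -- "$plain_secrets"
  fi
  return 0
}

#######################################
# Abort before creating any file if a required external tool is missing.
#######################################
require_tools() {
  local tool
  for tool in ssh-keygen ssh-to-age age-keygen uuidgen sops sed nix; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
}

#######################################
# Validate the host name. It is interpolated into file paths, a YAML anchor,
# a Nix attribute name and sed replacement text, so only letters, digits, '-'
# and '_' (not starting with a digit) are accepted; anything else would break
# the generated files or escape the intended directories.
# Arguments: $1 - host name
#######################################
validate_host() {
  local host=$1
  [[ "$host" =~ ^[A-Za-z][A-Za-z0-9_-]*$ ]] \
    || die "invalid host name '$host': use letters, digits, '-' or '_', starting with a letter"
  # A re-run would make ssh-keygen prompt to overwrite the key and would append
  # duplicate entries to flake.nix, the knownHosts module and README.md.
  if [[ -e "./hosts/$host" || -e "$SECRETS_ROOT/$host" ]]; then
    die "host '$host' already exists"
  fi
}

#######################################
# Generate the host's ed25519 SSH host key pair under the secrets submodule.
# Arguments: $1 - host name
#######################################
create_host_key() {
  local host=$1
  local secrets_dir="$SECRETS_ROOT/$host"
  mkdir -p -- "$secrets_dir"
  ssh-keygen -t ed25519 -f "$secrets_dir/ssh_host_ed25519_key" -C "root@$host" -N ""
}

#######################################
# Write the host's sops.yaml: the host's own age key and the shared "personal"
# namespace key are recipients for every secret file under the host directory.
# Arguments: $1 - host name, $2 - host age public key (recipient)
#######################################
write_sops_config() {
  local host=$1 age_key=$2
  local secrets_dir="$SECRETS_ROOT/$host"
  local personal_key
  # Hoisted out of the heredoc so a failing age-keygen aborts under errexit
  # instead of silently producing an empty anchor in the config.
  personal_key=$(age-keygen -y "$PERSONAL_KEY_FILE" | tr -d '\n')
  cat <<EOF > "$secrets_dir/sops.yaml"
keys:
  - hosts:
      - &$host $age_key
  - namespaces:
      - &personal $personal_key
creation_rules:
  - path_regex: .+\.(yaml|yml|json|env|ini|bin)
    key_groups:
      - age:
          - *$host
          - *personal
EOF
}

#######################################
# Prompt (without echo) for the LUKS passphrase until two entries match and
# the value is non-empty. Prompts and messages go to stderr.
# Arguments: $1 - host name (for the prompt text)
# Outputs:   the passphrase on stdout, without a trailing newline
#######################################
read_luks_passphrase() {
  local host=$1
  local luks="" luks_confirm=""
  until [[ "$luks" == "$luks_confirm" && -n "$luks" ]]; do
    read -r -s -p "Enter LUKS passphrase for $host: " luks
    printf '\n' >&2
    read -r -s -p "Confirm LUKS passphrase for $host: " luks_confirm
    printf '\n' >&2
    if [[ "$luks" != "$luks_confirm" ]]; then
      printf '%s\n' "They didn't match. Let's try again." >&2
    fi
  done
  printf '%s' "$luks"
}

#######################################
# Write the plaintext host secrets (0600), encrypt them with sops into
# secrets.yaml, then remove the plaintext again.
# Arguments: $1 - host name, $2 - host age public key, $3 - LUKS passphrase
# Globals:   tmp_age_key, plain_secrets (written, so cleanup() can remove them)
#######################################
write_host_secrets() {
  local host=$1 age_key=$2 luks=$3
  local secrets_dir="$SECRETS_ROOT/$host"
  local machine_id
  machine_id=$(uuidgen -r | tr -d -)

  # YAML single-quoted scalar: the only escape is doubling the quote.
  local quote="'"
  local luks_yaml=${luks//"$quote"/$quote$quote}

  plain_secrets="$secrets_dir/.decrypted~secrets.yaml"
  # printf instead of an unquoted heredoc so a passphrase containing '$', '`'
  # or '\' is written literally rather than expanded by the shell. The umask
  # is set in a subshell so the plaintext file is created 0600 without
  # changing the umask for the rest of the script.
  (
    umask 077
    printf "luks: '%s'\nmachineId: %s\n" "$luks_yaml" "$machine_id" > "$plain_secrets"
  )

  tmp_age_key=$(mktemp)
  printf '%s\n' "$age_key" > "$tmp_age_key"
  # NOTE(review): SOPS_AGE_KEY_FILE names an age *identity* file, but age_key
  # is the host's public recipient. Kept from the original; encryption should
  # only need the recipients listed in sops.yaml — confirm whether this is
  # needed at all.
  SOPS_AGE_KEY_FILE="$tmp_age_key" sops --config "$secrets_dir/sops.yaml" \
    --encrypt "$plain_secrets" > "$secrets_dir/secrets.yaml"

  rm -f -- "$tmp_age_key" "$plain_secrets"
  tmp_age_key=""
  plain_secrets=""
}

#######################################
# Create the skeleton ./hosts/<host> configuration: empty hardware module,
# disko layout template, host default.nix and README.
# Arguments: $1 - host name
#######################################
scaffold_host_config() {
  local host=$1
  local host_dir="./hosts/$host"
  mkdir -p -- "$host_dir/hardware"

  cat <<'EOF' > "$host_dir/hardware/default.nix"
{ ... }:
{
}
EOF

  # Template only: the device and swap size must be filled in by hand (TODOs).
  cat <<'EOF' > "$host_dir/format.nix"
{
  disko.devices = {
    disk.main = {
      device = ""; # TODO: Set this to the device you want to install to
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "esp";
            size = "512M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [ "umask=0077" ];
            };
          };
          swap = {
            name = "swap";
            size = ""; # TODO: Set this to the swap size you want
            content = {
              type = "swap";
              resumeDevice = true;
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              name = "main";
              type = "luks";
              passwordFile = "/tmp/keyfile";
              settings = {
                allowDiscards = true;
              };
              content = {
                type = "btrfs";
                extraArgs = [ "-f" ];
                subvolumes =
                  let
                    mountOptions = [
                      "compress=zstd:1"
                      "noatime"
                    ];
                  in
                  {
                    "@" = {
                      mountpoint = "/";
                      inherit mountOptions;
                    };
                    "@persist" = {
                      mountpoint = "/persist";
                      inherit mountOptions;
                    };
                    "@persist/user" = {
                      mountpoint = "/persist/user";
                      inherit mountOptions;
                    };
                    "@persist/state" = {
                      mountpoint = "/persist/state";
                      inherit mountOptions;
                    };
                    "@persist/cache" = {
                      mountpoint = "/persist/cache";
                      inherit mountOptions;
                    };
                    "@nix" = {
                      mountpoint = "/nix";
                      inherit mountOptions;
                    };
                  };
              };
            };
          };
        };
      };
    };
  };
}
EOF

  cat <<EOF > "$host_dir/default.nix"
{ inputs, ... }:
{
  nixpkgs.overlays = [
    inputs.lib.overlays.default
    inputs.self.overlays.default
    inputs.nur.overlays.default
  ];

  imports = [
    inputs.disko.nixosModules.disko
    ./format.nix
    ./hardware
    ../common/configs/system
    ../common/configs/system/boot
    ../common/configs/system/btrfs
    ../common/configs/system/documentation
    ../common/configs/system/impermanence
    ../common/configs/system/nix
    ../common/configs/system/nix-cleanup
    ../common/configs/system/nixpkgs
    ../common/configs/system/ntp
    ../common/configs/system/sops
    ../common/configs/system/system
    ../common/configs/system/users
    ../common/configs/system/zsh
  ];

  networking.hostName = "$host";
}
EOF

  cat <<EOF > "$host_dir/README.md"
# $host
EOF
}

#######################################
# Register the host in flake.nix, the SSH knownHosts module and the README
# host table, then run the repository formatter (which also fixes up the
# indentation of the inserted lines).
# Arguments: $1 - host name
#######################################
register_host() {
  local host=$1
  sed -i "/nixosConfigurations = {/a\\
$host = mkNixosConfiguration inputs system [ ./hosts/$host ];\n" flake.nix
  sed -i "/knownHosts = {/a\\ $host.publicKeyFile = \"\${inputs.secrets}/$host/ssh_host_ed25519_key.pub\";" \
    ./hosts/common/configs/system/ssh/default.nix

  local new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
  local last_table_line
  # Append after the last existing table row; fail clearly if there is none.
  last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1) \
    || die "README.md has no host table to extend"
  sed -i "${last_table_line}a$new_entry" README.md

  nix fmt
}

main() {
  if [[ "$#" -ne 1 ]]; then
    printf 'Usage: %s <host>\n' "$0" >&2
    exit 1
  fi
  local host=$1

  require_tools
  validate_host "$host"
  trap cleanup EXIT

  create_host_key "$host"
  local age_key
  age_key=$(ssh-to-age < "$SECRETS_ROOT/$host/ssh_host_ed25519_key.pub")
  write_sops_config "$host" "$age_key"

  local luks
  luks=$(read_luks_passphrase "$host")
  write_host_secrets "$host" "$age_key" "$luks"

  scaffold_host_config "$host"
  register_host "$host"

  printf 'Host %s has been successfully added.\n' "$host"
  printf 'Age Public Key: %s\n' "$age_key"
  printf '\n'
  printf '%s\n' "If you need user-level SSH keys, generate them like this:"
  printf '%s\n' " ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_${host}_<user>"
}

main "$@"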