# export NIXPKGS_ALLOW_UNFREE := "1"
# Shared nix invocation for every recipe; the flag enables flakes without
# depending on the machine's nix.conf.
nixcmd := "nix --experimental-features 'nix-command flakes'"
# Appended to a nix command line to stream its JSON log into nix-output-monitor.
# `|&` (pipe stdout and stderr) is bash syntax: a plain recipe line that uses
# this runs in just's configured shell — NOTE(review): confirm `set shell` at the
# top of this justfile is bash. In a bash script the pipeline's exit status is
# nom's, not the build's, unless the script sets `pipefail`.
nix_output_monitor := "--log-format internal-json |& nix --experimental-features 'nix-command flakes' run nixpkgs#nix-output-monitor -- --json"
# Hidden default recipe: a bare `just` prints the recipe list instead of
# running anything.
@_default:
    just --list
# Builds `<justfile dir>#<target>` through nix-output-monitor. ARGS are placed
# before the nom flake reference, so they are options to `nix run`, not to the
# inner `nix build` — NOTE(review): confirm that is intended; build-system
# forwards its own ARGS here.
[doc("Build a flake output")]
build target *ARGS="":
    @{{ nixcmd }} run {{ ARGS }} nixpkgs#nix-output-monitor -- build {{ justfile_directory() }}#{{ target }}
# Builds the system toplevel of a nixosConfiguration via `build`. hostname
# defaults to this machine's short hostname; ARGS are passed straight through
# to `build` (see the note there on where they end up).
[doc('Build a nixos configuration')]
[group('deploy')]
build-system hostname=`hostname -s` *ARGS="":
    @just build nixosConfigurations."{{ hostname }}".config.system.build.toplevel {{ ARGS }}
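# Produces hosts/<hostname>/facter.json. With no target, nixos-facter runs on
# this machine under sudo (so the output file ends up root-owned); with a
# target, nixos-anywhere is pointed at that host and asked to generate the
# hardware config there. Interpolated values are quoted, matching
# deploy-remote, so a value with spaces or shell metacharacters stays one
# argument.
[doc('Wrapper for nixos-facter')]
[group('deploy')]
factor hostname=`hostname -s` target='':
    #!/usr/bin/env -S bash -e
    target="{{ target }}"
    if [ -z "$target" ]; then
        sudo {{ nixcmd }} run nixpkgs#nixos-facter -- -o "hosts/{{ hostname }}/facter.json"
    else
        {{ nixcmd }} run github:nix-community/nixos-anywhere -- \
            --flake ".#{{ hostname }}" \
            --target-host "$target" \
            --generate-hardware-config nixos-facter \
            "./hosts/{{ hostname }}/facter.json"
    fi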
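# nixos-rebuild switch for <hostname>. With no target it switches this
# machine under sudo; with a target it runs against that host
# (--target-host / --use-remote-sudo) and streams the build log through
# nix-output-monitor. Interpolated values are quoted, matching deploy-remote.
[doc('Wrapper for nixos-rebuild switch')]
[group("deploy")]
switch hostname=`hostname -s` target='':
    #!/usr/bin/env -S bash -e
    # nix_output_monitor expands to `... |& nix run ... nom`. Without pipefail
    # the script's status would be nom's, so a failed remote switch could
    # still exit 0; with -e a failing nixos-rebuild now aborts the script.
    set -o pipefail
    target="{{ target }}"
    if [ -z "$target" ]; then
        sudo {{ nixcmd }} run nixpkgs#nixos-rebuild -- switch --show-trace --fast --flake ".#{{ hostname }}"
    else
        {{ nixcmd }} run nixpkgs#nixos-rebuild -- switch \
            --flake ".#{{ hostname }}" \
            --target-host "$target" \
            --use-remote-sudo {{ nix_output_monitor }}
    fi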
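# Fresh install of <hostname> onto <target> with nixos-anywhere. Stages the
# working tree, decrypts the host's SSH host key into a private temp tree that
# is shipped with --extra-files (the key agenix secrets are encrypted to), and
# passes the LUKS passphrase through a process substitution so the plaintext
# is read from a pipe rather than written to a file.
[doc('Use nixos-anywhere to deploy to a remote host')]
[group('deploy')]
deploy-remote hostname target:
    #!/usr/bin/env -S bash -e
    # presumably so the flake sees files that are not yet tracked — verify
    git add .

    temp=$(mktemp -d)
    # Single quotes: $temp is expanded when the trap fires and stays quoted.
    trap 'rm -rf "$temp"' EXIT
    install -d -m755 "$temp/etc/ssh"

    # Copy ssh key to decrypt agenix secrets.
    # umask 077 in a subshell so the decrypted private key is created 0600
    # from the start instead of with the default umask and fixed up afterwards;
    # the subshell keeps the umask from changing the mode of the .pub copy.
    (umask 077; just age -d "./secrets/hosts/{{ hostname }}/id_ed25519.age" > "$temp/etc/ssh/ssh_host_ed25519_key")
    chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
    cp "./secrets/hosts/{{ hostname }}/id_ed25519.pub" "$temp/etc/ssh/ssh_host_ed25519_key.pub"

    # Deploy
    {{ nixcmd }} run github:nix-community/nixos-anywhere -- \
        --flake ".#{{ hostname }}" \
        --disk-encryption-keys /luks-password <(just age -d ./secrets/luks-password.age) \
        --extra-files "$temp" \
        --target-host "{{ target }}"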
# Runs disko-install for <hostname> on <disk> under sudo, streaming the log
# through nix-output-monitor. `--disk main <disk>` presumably binds the disko
# device named "main" in the host config to the given block device — verify
# against the host's disko layout. NOTE(review): this is a single-line recipe,
# so the `|&` inside nix_output_monitor runs in just's configured shell; it is
# a bash-ism, confirm `set shell` is bash.
[doc('A wrapper disko-install')]
[group('deploy')]
disko-install hostname disk:
    sudo {{ nixcmd }} run 'github:nix-community/disko/latest#disko-install' -- --flake .#{{ hostname }} --disk main {{ disk }} {{ nix_output_monitor }}
# Builds the install ISO for a host's nixosConfiguration through its
# `config.formats.install-iso` attribute.
[doc('Build an install ISO for a host')]
[group('deploy')]
iso hostname:
    {{ nixcmd }} build .#nixosConfigurations.{{ hostname }}.config.formats.install-iso
# Runs rage with the yubikey plugin available. The identity file is always
# appended, so callers pass only the operation (e.g. `-d file`, `-e file -o out`);
# the --help default makes a bare `just age` print usage.
[doc('Runs (r)age with yubikey identity')]
[group('secret')]
age *ARGS="--help":
    @{{ nixcmd }} shell nixpkgs#rage nixpkgs#age-plugin-yubikey --command rage {{ ARGS }} -i ./secrets/yubikey-identity.pub
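# Decrypts one age file to stdout through the `age` recipe. The path is quoted
# so one containing spaces reaches rage as a single argument.
[doc('Decrypt a file to stdout')]
[group('secret')]
decrypt file:
    just age -d "{{ file }}"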
# Opens an agenix-rekey secret for editing via the flake's edit-view app.
# The attribute path pins x86_64-linux, so this recipe is tied to that system.
[doc('Edit an encrypted file in $EDITOR')]
[group('secret')]
secret-edit name:
    {{ nixcmd }} run .#agenix-rekey.x86_64-linux.edit-view edit {{ name }}
# Re-encrypts every secret via the flake's agenix-rekey app; run after adding
# a secret or a host. Pinned to x86_64-linux like secret-edit.
[doc('Rekey all secrets - needed when adding secrets/hosts')]
[group('secret')]
secret-rekey:
    {{ nixcmd }} run .#agenix-rekey.x86_64-linux.rekey
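# Scaffolds a new host: creates secrets/hosts/<hostname> and hosts/<hostname>,
# generates an ed25519 SSH key, stores the public half in the clear and the
# private half age-encrypted, then prints a mkSystem snippet to paste into
# ./hosts/default.nix.
[doc("Sets up configuration + SSH keys for a new host")]
new-host hostname username:
    #!/usr/bin/env -S bash -e
    temp=$(mktemp -d)
    # Single quotes: $temp is expanded when the trap fires and stays quoted.
    # The unencrypted private key lives only in this private temp dir; rm -rf
    # unlinks it, it does not overwrite the blocks.
    trap 'rm -rf "$temp"' EXIT

    echo "Setting up folders"
    mkdir -p "secrets/hosts/{{ hostname }}"
    mkdir -p "hosts/{{ hostname }}"

    echo "Generating SSH key for {{ username }}@{{ hostname }}"
    # -N "": no passphrase; the private key is protected by age encryption
    # below instead, and only the public half is stored unencrypted.
    ssh-keygen -q -t ed25519 -f "$temp/id_ed25519" -C "{{ username }}@{{ hostname }}" -N ""
    cp "$temp/id_ed25519.pub" "secrets/hosts/{{ hostname }}/id_ed25519.pub"

    echo "Encrypting SSH key"
    just age -e "$temp/id_ed25519" -o "secrets/hosts/{{ hostname }}/id_ed25519.age"

    echo "Remember to update ./hosts/default.nix eg:"
    # Print the snippet in bold and reset afterwards, so the terminal is not
    # left in bold once the recipe finishes.
    cat <<EOF
    {{ BOLD }}{{ hostname }} = mkSystem {
      hostname = "{{ hostname }}";
      username = "{{ username }}";
      modules = [
        ../modules/required.nix
        ../modules/shell.nix
        ../modules/graphical.nix
        ../modules/devenv.nix
      ];
    };{{ NORMAL }}
    EOF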
# Updates flake.lock; pass an input name to update only that input.
[doc("Update flake.lock")]
update input='':
    {{ nixcmd }} flake update {{ input }}
# Runs nix-tree. By default it inspects this machine's system toplevel
# derivation; the default is built by just with shell("hostname -s"), so
# passing any ARGS replaces it entirely.
[doc("Run nix-tree")]
[group("tools")]
tree *ARGS=("--derivation .#nixosConfigurations." + shell("hostname -s") + ".config.system.build.toplevel"):
    {{ nixcmd }} run github:utdemir/nix-tree -- {{ ARGS }}
# Builds the configuration first (dependency on build-system, which is
# expected to leave a ./result link next to the justfile) and then diffs it
# against the running system with nvd.
[doc("Run nix-diff between current system")]
[group("tools")]
diff hostname=`hostname -s`: (build-system hostname)
    {{ nixcmd }} run nixpkgs#nvd -- diff /run/current-system {{ justfile_directory() }}/result
# Runs nurl from nixpkgs with the given arguments; a bare `just nurl` prints
# its usage.
[doc("Run nurl")]
[group("tools")]
nurl *ARGS="--help":
    {{ nixcmd }} run nixpkgs#nurl -- {{ ARGS }}