nixos/justfile

# export NIXPKGS_ALLOW_UNFREE := "1"

nixcmd := "nix --experimental-features 'nix-command flakes'"

@_default:
    just --list

[group('vm')]
vm-build:
    git add .
    echo "Building VM..."
    {{ nixcmd }} build .#vm
    echo "VM built."
    sudo chmod 777 result/nixos.qcow2
    echo "VM permissions set."

[group('vm')]
vm-reload:
    echo "Reloading VM..."
    virsh destroy nixos
    virsh start nixos
    echo "VM reloaded."

[group('vm')]
vm-switch: vm-build vm-reload

[group('vm')]
vm-init:
    virsh pool-define-as nixos dir - - - - $HOME/.local/libvirt/images/nixos
    virsh pool-build nixos
    virsh pool-start nixos
    virt-install  \
        --name nixos \
        --os-variant=nixos-24.05 \
        --memory 8192 \
        --vcpus=4,maxvcpus=8 \
        --cpu host \
        --disk result/nixos.qcow2 \
        --network user \
        --virt-type kvm \
        --import \
        --graphics spice

[group('vm')]
vm-destroy:
    virsh destroy nixos
    virsh pool-destroy nixos
    virsh pool-undefine nixos

[doc('Wrapper for nixos-facter')]
[group('deploy')]
factor hostname target='':
    #!/usr/bin/env -S bash -e
    target="{{ target }}"
    if [ -z "$target" ]; then
        {{ nixcmd }} run nixpkgs#nixos-facter -- -o hosts/{{ hostname }}/facter.json
    else
        {{ nixcmd }} run github:nix-community/nixos-anywhere -- \
            --flake .#{{ hostname }} \
            --target-host {{ target }} \
            --generate-hardware-config nixos-facter \
            ./hosts/{{ hostname }}/facter.json
    fi

[doc('Wrapper for nixos-rebuild switch')]
[group("deploy")]
switch hostname target='':
    #!/usr/bin/env -S bash -e
    target="{{ target }}"
    if [ -z "$target" ]; then
        {{ nixcmd }} run nixpkgs#nixos-rebuild -- switch --flake .#{{ hostname }} 
    else
        {{ nixcmd }} run nixpkgs#nixos-rebuild -- switch \
            --flake .#{{ hostname }} \
            --target-host {{ target }} \
            --use-remote-sudo
    fi

[doc('Use nixos-anywhere to deploy to a remote host')]
[group('deploy')]
deploy-remote hostname target:
    #!/usr/bin/env -S bash -e
    git add .

    temp=$(mktemp -d)
    trap "rm -rf $temp" EXIT


    install -d -m755 "$temp/etc/ssh"

    # Copy ssh key to decrypt agenix secrets    
    just age -d "./secrets/hosts/{{ hostname }}/id_ed25519.age" > "$temp/etc/ssh/ssh_host_ed25519_key"
    chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"

    cp "./secrets/hosts/{{ hostname }}/id_ed25519.pub" "$temp/etc/ssh/ssh_host_ed25519_key.pub"

    # Deploy
    {{ nixcmd }} run github:nix-community/nixos-anywhere -- \
        --flake .#{{ hostname }} \
        --disk-encryption-keys /luks-password <(just age -d ./secrets/luks-password.age) \
        --extra-files "$temp" \
        --target-host "{{ target }}"

[doc('A wrapper disko-install')]
[group('deploy')]
disko-install hostname disk="/dev/sda":
    sudo {{ nixcmd }} run 'github:nix-community/disko/latest#disko-install' -- --flake .#{{ hostname }} --disk main {{ disk }}

[doc('Build an install ISO for a host')]
[group('deploy')]
iso hostname:
    {{ nixcmd }} build .#nixosConfigurations.{{ hostname }}.config.formats.install-iso

[doc('Runs (r)age with yubikey identity')]
[group('secret')]
age *ARGS="--help":
    @{{ nixcmd }} shell nixpkgs#rage nixpkgs#age-plugin-yubikey --command rage {{ ARGS }} -i ./secrets/yubikey-identity.pub

[doc('Decrypt a file to stdout')]
[group('secret')]
decrypt file:
    just age -d {{ file }}

[doc('Edit an encrypted file in $EDITOR')]
[group('secret')]
secret-edit name:
    {{ nixcmd }} run .#agenix-rekey.x86_64-linux.edit {{ name }}

[doc('Rekey all secrets - needed when adding secrets/hosts')]
[group('secret')]
secret-rekey:
    {{ nixcmd }} run .#agenix-rekey.x86_64-linux.rekey

[doc("Sets up configuration + SSH keys for a new host")]
new-host hostname username:
    #!/usr/bin/env -S bash -e
    temp=$(mktemp -d)
    trap "rm -rf $temp" EXIT

    echo "Setting up folders"
    mkdir -p "secrets/hosts/{{ hostname }}"
    mkdir -p "hosts/{{ hostname }}"

    echo "Generating SSH key for {{ username }}@{{ hostname }}"
    ssh-keygen -q -t ed25519 -f "$temp/id_ed25519" -C "{{ username }}@{{ hostname }}" -N ""
    cp "$temp/id_ed25519.pub" "secrets/hosts/{{ hostname }}/id_ed25519.pub"

    echo "Encrypting SSH key"
    just age -e "$temp/id_ed25519" -o "secrets/hosts/{{ hostname }}/id_ed25519.age"

    echo "Remember to update ./hosts/default.nix eg:"

    # Bold with no newline
    cat <<EOF
    {{ BOLD }}{{ hostname }} = mkSystem {
      hostname = "{{ hostname }}";
      username = "{{ username }}";
      modules = [
        ../modules/required.nix
        ../modules/shell.nix
        ../modules/graphical.nix
        ../modules/devenv.nix
      ];
    };
    EOF
complete rework v3 2025-02-18 20:17:57 +01:00			`# export NIXPKGS_ALLOW_UNFREE := "1"`

update 2025-02-20 22:50:06 +01:00			`nixcmd := "nix --experimental-features 'nix-command flakes'"`

			`@_default:`
			`just --list`

complete rework v2 2025-02-03 07:55:17 +01:00			`[group('vm')]`
			`vm-build:`
			`git add .`
complete rework 2025-01-31 15:13:22 +01:00			`echo "Building VM..."`
update 2025-02-20 22:50:06 +01:00			`{{ nixcmd }} build .#vm`
complete rework 2025-01-31 15:13:22 +01:00			`echo "VM built."`
complete rework v2 2025-02-03 07:55:17 +01:00			`sudo chmod 777 result/nixos.qcow2`
complete rework 2025-01-31 15:13:22 +01:00			`echo "VM permissions set."`

complete rework v2 2025-02-03 07:55:17 +01:00			`[group('vm')]`
			`vm-reload:`
complete rework 2025-01-31 15:13:22 +01:00			`echo "Reloading VM..."`
complete rework v2 2025-02-03 07:55:17 +01:00			`virsh destroy nixos`
complete rework 2025-01-31 15:13:22 +01:00			`virsh start nixos`
			`echo "VM reloaded."`

complete rework v2 2025-02-03 07:55:17 +01:00			`[group('vm')]`
			`vm-switch: vm-build vm-reload`

			`[group('vm')]`
			`vm-init:`
complete rework 2025-01-31 15:13:22 +01:00			`virsh pool-define-as nixos dir - - - - $HOME/.local/libvirt/images/nixos`
			`virsh pool-build nixos`
			`virsh pool-start nixos`
			`virt-install \`
			`--name nixos \`
			`--os-variant=nixos-24.05 \`
			`--memory 8192 \`
			`--vcpus=4,maxvcpus=8 \`
			`--cpu host \`
			`--disk result/nixos.qcow2 \`
			`--network user \`
			`--virt-type kvm \`
			`--import \`
			`--graphics spice`
complete rework v2 2025-02-03 07:55:17 +01:00
			`[group('vm')]`
			`vm-destroy:`
			`virsh destroy nixos`
			`virsh pool-destroy nixos`
			`virsh pool-undefine nixos`

update 2025-02-20 22:50:06 +01:00			`[doc('Wrapper for nixos-facter')]`
complete rework v2 2025-02-03 07:55:17 +01:00			`[group('deploy')]`
update 2025-02-20 22:50:06 +01:00			`factor hostname target='':`
complete rework v3 2025-02-18 20:17:57 +01:00			`#!/usr/bin/env -S bash -e`
			`target="{{ target }}"`
			`if [ -z "$target" ]; then`
update 2025-02-20 22:50:06 +01:00			`{{ nixcmd }} run nixpkgs#nixos-facter -- -o hosts/{{ hostname }}/facter.json`
complete rework v3 2025-02-18 20:17:57 +01:00			`else`
update 2025-02-20 22:50:06 +01:00			`{{ nixcmd }} run github:nix-community/nixos-anywhere -- \`
complete rework v3 2025-02-18 20:17:57 +01:00			`--flake .#{{ hostname }} \`
			`--target-host {{ target }} \`
			`--generate-hardware-config nixos-facter \`
update 2025-02-20 22:50:06 +01:00			`./hosts/{{ hostname }}/facter.json`
complete rework v3 2025-02-18 20:17:57 +01:00			`fi`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('Wrapper for nixos-rebuild switch')]`
desktop deploy 2025-02-19 20:08:25 +00:00			`[group("deploy")]`
update 2025-02-20 22:50:06 +01:00			`switch hostname target='':`
			`#!/usr/bin/env -S bash -e`
			`target="{{ target }}"`
			`if [ -z "$target" ]; then`
			`{{ nixcmd }} run nixpkgs#nixos-rebuild -- switch --flake .#{{ hostname }}`
			`else`
			`{{ nixcmd }} run nixpkgs#nixos-rebuild -- switch \`
			`--flake .#{{ hostname }} \`
			`--target-host {{ target }} \`
			`--use-remote-sudo`
			`fi`
desktop deploy 2025-02-19 20:08:25 +00:00
update 2025-02-20 22:50:06 +01:00			`[doc('Use nixos-anywhere to deploy to a remote host')]`
complete rework v2 2025-02-03 07:55:17 +01:00			`[group('deploy')]`
desktop deploy 2025-02-19 20:08:25 +00:00			`deploy-remote hostname target:`
complete rework v2 2025-02-03 07:55:17 +01:00			`#!/usr/bin/env -S bash -e`
			`git add .`

update 2025-02-20 22:50:06 +01:00			`temp=$(mktemp -d)`
			`trap "rm -rf $temp" EXIT`


			`install -d -m755 "$temp/etc/ssh"`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`# Copy ssh key to decrypt agenix secrets`
			`just age -d "./secrets/hosts/{{ hostname }}/id_ed25519.age" > "$temp/etc/ssh/ssh_host_ed25519_key"`
			`chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"`

			`cp "./secrets/hosts/{{ hostname }}/id_ed25519.pub" "$temp/etc/ssh/ssh_host_ed25519_key.pub"`
complete rework v2 2025-02-03 07:55:17 +01:00
			`# Deploy`
update 2025-02-20 22:50:06 +01:00			`{{ nixcmd }} run github:nix-community/nixos-anywhere -- \`
complete rework v2 2025-02-03 07:55:17 +01:00			`--flake .#{{ hostname }} \`
update 2025-02-20 22:50:06 +01:00			`--disk-encryption-keys /luks-password <(just age -d ./secrets/luks-password.age) \`
			`--extra-files "$temp" \`
			`--target-host "{{ target }}"`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('A wrapper disko-install')]`
complete rework v2 2025-02-03 07:55:17 +01:00			`[group('deploy')]`
update 2025-02-20 22:50:06 +01:00			`disko-install hostname disk="/dev/sda":`
			`sudo {{ nixcmd }} run 'github:nix-community/disko/latest#disko-install' -- --flake .#{{ hostname }} --disk main {{ disk }}`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('Build an install ISO for a host')]`
complete rework v3 2025-02-18 20:17:57 +01:00			`[group('deploy')]`
update 2025-02-20 22:50:06 +01:00			`iso hostname:`
			`{{ nixcmd }} build .#nixosConfigurations.{{ hostname }}.config.formats.install-iso`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('Runs (r)age with yubikey identity')]`
complete rework v2 2025-02-03 07:55:17 +01:00			`[group('secret')]`
update 2025-02-20 22:50:06 +01:00			`age *ARGS="--help":`
			`@{{ nixcmd }} shell nixpkgs#rage nixpkgs#age-plugin-yubikey --command rage {{ ARGS }} -i ./secrets/yubikey-identity.pub`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('Decrypt a file to stdout')]`
			`[group('secret')]`
			`decrypt file:`
			`just age -d {{ file }}`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('Edit an encrypted file in $EDITOR')]`
complete rework v2 2025-02-03 07:55:17 +01:00			`[group('secret')]`
update 2025-02-20 22:50:06 +01:00			`secret-edit name:`
			`{{ nixcmd }} run .#agenix-rekey.x86_64-linux.edit {{ name }}`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc('Rekey all secrets - needed when adding secrets/hosts')]`
complete rework v2 2025-02-03 07:55:17 +01:00			`[group('secret')]`
			`secret-rekey:`
update 2025-02-20 22:50:06 +01:00			`{{ nixcmd }} run .#agenix-rekey.x86_64-linux.rekey`
complete rework v2 2025-02-03 07:55:17 +01:00
update 2025-02-20 22:50:06 +01:00			`[doc("Sets up configuration + SSH keys for a new host")]`
			`new-host hostname username:`
			`#!/usr/bin/env -S bash -e`
			`temp=$(mktemp -d)`
			`trap "rm -rf $temp" EXIT`

			`echo "Setting up folders"`
			`mkdir -p "secrets/hosts/{{ hostname }}"`
			`mkdir -p "hosts/{{ hostname }}"`

			`echo "Generating SSH key for {{ username }}@{{ hostname }}"`
			`ssh-keygen -q -t ed25519 -f "$temp/id_ed25519" -C "{{ username }}@{{ hostname }}" -N ""`
			`cp "$temp/id_ed25519.pub" "secrets/hosts/{{ hostname }}/id_ed25519.pub"`

			`echo "Encrypting SSH key"`
			`just age -e "$temp/id_ed25519" -o "secrets/hosts/{{ hostname }}/id_ed25519.age"`

			`echo "Remember to update ./hosts/default.nix eg:"`

			`# Bold with no newline`
			`cat <<EOF`
			`{{ BOLD }}{{ hostname }} = mkSystem {`
			`hostname = "{{ hostname }}";`
			`username = "{{ username }}";`
			`modules = [`
			`../modules/required.nix`
			`../modules/shell.nix`
			`../modules/graphical.nix`
			`../modules/devenv.nix`
			`];`
			`};`
			`EOF`