diff --git a/bin/add-secret.sh b/bin/add-secret.sh
deleted file mode 100755
index 31d2991..0000000
--- a/bin/add-secret.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-cd $(git rev-parse --show-toplevel)
-
-host=$1
-secret=$2
-
-mkdir -p hosts/${host}/secrets
-
-nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-
-mv hosts/${host}/secrets/new hosts/${host}/secrets/${secret}.age
-
diff --git a/bin/generate-backup-secrets.sh b/bin/generate-backup-secrets.sh
deleted file mode 100755
index f09af98..0000000
--- a/bin/generate-backup-secrets.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-cd $(git rev-parse --show-toplevel)
-
-host=$1
-
-job_main=$(nix run nixpkgs#pwgen -- -1 64 1)
-target_cyan=$(nix run nixpkgs#pwgen -- -1 64 1)
-target_cyan_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_cyan})
-target_magenta=$(nix run nixpkgs#pwgen -- -1 64 1)
-target_magenta_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_magenta})
-
-mkdir -p hosts/${host}/secrets
-
-echo "$job_main" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-job-main.age
-
-echo "$target_cyan" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-cyan.age
-
-echo "$target_magenta" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-magenta.age
-
-prev_htpasswd_cyan=$(nix run github:ryantm/agenix -- -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)
-cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | nix run github:ryantm/agenix -- -e hosts/clerie-backup/secrets/new
-mv hosts/clerie-backup/secrets/new hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
-
-prev_htpasswd_magenta=$(nix run github:ryantm/agenix -- -d hosts/backup-4/secrets/restic-server-magenta-htpasswd.age)
-cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | nix run github:ryantm/agenix -- -e hosts/backup-4/secrets/new
-mv hosts/backup-4/secrets/new hosts/backup-4/secrets/restic-server-magenta-htpasswd.age
diff --git a/flake.nix b/flake.nix
index 81ec93b..aa15219 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,7 +26,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
- outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
+ outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
 helper = (import ./lib/flake-helper.nix) inputs;
 in {
 clerie.hosts = {
@@ -86,6 +86,12 @@
 pkgs = import nixpkgs {
 overlays = [
 (import ./pkgs/overlay.nix)
+ (_: _: {
+ inherit (agenix.packages."x86_64-linux")
+ agenix;
+ inherit (chaosevents.packages."x86_64-linux")
+ chaosevents;
+ })
 ];
 system = "x86_64-linux";
 };
@@ -94,7 +100,10 @@
 anycast_healthchecker
 flask-excel
 iot-data
+ nixfiles-add-secret
+ nixfiles-generate-backup-secrets
 nixfiles-updated-inputs
+ nixfiles-update-ssh-host-keys
 pyexcel-xlsx
 pyexcel-webio
 uptimestatus
diff --git a/hosts/osmium/configuration.nix b/hosts/osmium/configuration.nix
index dc437dc..592b3e2 100644
--- a/hosts/osmium/configuration.nix
+++ b/hosts/osmium/configuration.nix
@@ -5,6 +5,8 @@ [ ./hardware-configuration.nix ../../configuration/proxmox-vm + + ./nixfiles-updated-inputs.nix ]; boot.loader.grub.enable = true;
diff --git a/hosts/osmium/nixfiles-updated-inputs.nix b/hosts/osmium/nixfiles-updated-inputs.nix
new file mode 100644
index 0000000..cff6766
--- /dev/null
+++ b/hosts/osmium/nixfiles-updated-inputs.nix
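Review bot: The inner overlay added to the `overlays` list hard-codes `"x86_64-linux"` twice even though the same `import nixpkgs` call sets `system = "x86_64-linux"` two lines below, so the two can drift apart silently if the system is ever changed. Taking the system from the package set keeps them in step: `(final: _: { inherit (agenix.packages.${final.system}) agenix; inherit (chaosevents.packages.${final.system}) chaosevents; })`. The `agenix` binding added to the `outputs` arguments in the first hunk presumes a matching `inputs.agenix` entry, which is outside this diff.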
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.nixfiles-updated-inputs = {
+ environment = {
+ GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";
+ # nix likes a home directory to place the cache there
+ HOME = "/var/lib/nixfiles-updated-inputs";
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
+ StateDirectory = "nixfiles-updated-inputs";
+ WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
+ DynamicUser = true;
+ # this sets the correct file permissions for the ssh key because we use DynamicUser
+ LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
+ };
+ startAt = "*-*-* 03:03:00";
+ };
+}
diff --git a/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age b/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
new file mode 100644
index 0000000..497a234
Binary files /dev/null and b/hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age differ
diff --git a/pkgs/nixfiles/nixfiles-add-secret.nix b/pkgs/nixfiles/nixfiles-add-secret.nix
new file mode 100644
index 0000000..05cc0e5
--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-add-secret.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+ name = "nixfiles-add-secret";
+ text = builtins.readFile ./nixfiles-add-secret.sh;
+ runtimeInputs = with pkgs; [
+ agenix
+ git
+ ];
+}
+
diff --git a/pkgs/nixfiles/nixfiles-add-secret.sh b/pkgs/nixfiles/nixfiles-add-secret.sh
new file mode 100755
index 0000000..e6345e0
--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-add-secret.sh
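Review bot: `GIT_SSH_COMMAND` pins a known_hosts file but does not set `StrictHostKeyChecking`, so the pin only holds because ssh's default `ask` mode fails without a terminal rather than because of an explicit policy, and without `IdentitiesOnly` ssh may still offer default identities besides the loaded credential. I would state the intent on the line itself: `GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "<pinned key as on the page>"} -i %d/nixfiles-updated-inputs-ssh";`. `LoadCredential` reads `config.age.secrets."nixfiles-updated-inputs-ssh".path`, yet no `age.secrets` declaration for that name appears in this diff — presumably it lives elsewhere, otherwise evaluation fails. A comment above the known_hosts entry recording where the pinned key came from and that it must be re-pinned when the server key rotates, e.g. `# pinned host key of git.clerie.de; update together with the server`, would help the next maintainer.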
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+host="$1"
+secret="$2"
+
+mkdir -p "hosts/${host}/secrets"
+
+agenix -e "hosts/${host}/secrets/new"
+
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age"
+
diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
new file mode 100644
index 0000000..9c2885e
--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+ name = "nixfiles-generate-backup-secrets";
+ text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
+ runtimeInputs = with pkgs; [
+ agenix
+ apacheHttpd
+ git
+ pwgen
+ ];
+}
+
diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
new file mode 100755
index 0000000..28dcb42
--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
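Review bot: The final `mv` silently replaces an existing `hosts/${host}/secrets/${secret}.age`, so a typo in the second argument overwrites an unrelated secret after the editor session; unless overwriting is meant for rotation, refuse up front with `if [ -e "hosts/${host}/secrets/${secret}.age" ]; then echo "refusing to overwrite ${secret}.age" >&2; exit 1; fi` placed before `agenix -e`, and reject a missing argument with `[ $# -eq 2 ] || { echo "usage: nixfiles-add-secret <host> <secret-name>" >&2; exit 1; }`. `writeShellApplication` already enables errexit/nounset/pipefail around the text as far as I recall, so the shebang and `set -euo pipefail` here are redundant though harmless. A one-line header comment naming the calling convention, `# usage: nixfiles-add-secret <host> <secret-name>`, would document what the two positional arguments mean.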
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+host="$1"
+
+job_main="$(pwgen -1 64 1)"
+target_cyan="$(pwgen -1 64 1)"
+target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
+target_magenta="$(pwgen -1 64 1)"
+target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
+
+mkdir -p "hosts/${host}/secrets"
+
+echo "$job_main" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age"
+
+echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"
+
+echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"
+
+prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
+cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
+mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"
+
+prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
+cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
+mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"
diff --git a/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix
new file mode 100644
index 0000000..960763b
--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+ name = "nixfiles-update-ssh-host-keys";
+ text = builtins.readFile ./nixfiles-update-ssh-host-keys.sh;
+ runtimeInputs = with pkgs; [
+ git
+ nix
+ openssh
+ ];
+}
+
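Review bot: `htpasswd -nbB "${host}" "${target_cyan}"` (and the magenta line below it) passes the freshly generated password as a command-line argument, where it is visible to every local user in the process list for the lifetime of the htpasswd process; feeding it on stdin avoids that: `target_cyan_htpasswd="$(printf '%s' "${target_cyan}" | htpasswd -niB "${host}")"`. `pwgen -1 64 1` without `-s` produces "pronounceable" passwords with noticeably less entropy than 64 random characters; `pwgen -s1 64 1` gives fully random ones. The script is also not idempotent: each run appends another `${host}:…` line to the two restic htpasswd files without removing the previous one, so re-running for a host leaves a stale duplicate entry — filter the old line out of `prev_htpasswd_*` first, e.g. `grep -v "^${host}:" || true` (the `|| true` keeps pipefail from aborting when there was no previous entry). A header comment listing the five secrets produced and noting that `hosts/clerie-backup` and `hosts/backup-4` are rewritten in addition to `hosts/${host}` would help, since that side effect is not obvious from the name.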
diff --git a/bin/update-ssh-host-keys.sh b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh
similarity index 50%
rename from bin/update-ssh-host-keys.sh
rename to pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh
index 33ab4a3..e1298f4 100755
--- a/bin/update-ssh-host-keys.sh
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh
@@ -1,8 +1,8 @@ -#!/bin/bash +#!/usr/bin/env bash -cd $(git rev-parse --show-toplevel) +cd "$(git rev-parse --show-toplevel)" for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do - echo $host - ssh-keyscan -t ed25519 ${host}.net.clerie.de 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > hosts/${host}/ssh.pub + echo "$host" + ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > "hosts/${host}/ssh.pub" done
diff --git a/pkgs/nixfiles/default.nix b/pkgs/nixfiles/nixfiles-updated-inputs.nix
similarity index 53%
rename from pkgs/nixfiles/default.nix
rename to pkgs/nixfiles/nixfiles-updated-inputs.nix
index 20353ce..bab538a 100644
--- a/pkgs/nixfiles/default.nix
+++ b/pkgs/nixfiles/nixfiles-updated-inputs.nix
@@ -1,10 +1,12 @@ { pkgs, ... }: pkgs.writeShellApplication { - name = "nixfiles-updated-inputs.sh"; + name = "nixfiles-updated-inputs"; text = builtins.readFile ./nixfiles-updated-inputs.sh; - runtimeInputs = [ - pkgs.git + runtimeInputs = with pkgs; [ + git + nix + openssh ]; }
diff --git a/pkgs/nixfiles/nixfiles-updated-inputs.sh b/pkgs/nixfiles/nixfiles-updated-inputs.sh
index b8a2806..282cef4 100755
--- a/pkgs/nixfiles/nixfiles-updated-inputs.sh
+++ b/pkgs/nixfiles/nixfiles-updated-inputs.sh
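Review bot: The new `ssh-keyscan … > "hosts/${host}/ssh.pub"` line truncates the file before the pipeline produces any output, so a host that is down, unresolvable or briefly unreachable at scan time ends up with an empty `ssh.pub` — and since stderr is discarded and the hunk shows no `set -euo pipefail`, nothing reports it. Scanning keys over the network and writing them straight into the repository also accepts a changed key without comment; capturing the output first, refusing to write when it is empty, and printing a notice when it differs from the committed key keeps the pinned keys reviewable. The for-loop header and `done` are the whole visible body; anything else in the script lies outside the hunk.
```bash
# … unchanged: for-loop header over .#clerie.hosts …
  echo "$host"
  key="$(ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g')"
  if [ -z "$key" ]; then
    echo "[!] no ed25519 host key received for ${host}, keeping hosts/${host}/ssh.pub" >&2
    continue
  fi
  if [ -f "hosts/${host}/ssh.pub" ] && [ "$key" != "$(cat "hosts/${host}/ssh.pub")" ]; then
    echo "[!] host key for ${host} changed, review before committing" >&2
  fi
  printf '%s\n' "$key" > "hosts/${host}/ssh.pub"
done
```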
@@ -4,10 +4,15 @@ set -euo pipefail NOW="$(date --utc --iso-8601=minutes)" -git fetch origin master +git status || git clone gitea@git.clerie.de:clerie/nixfiles.git . +echo "[!] Download changes" +git fetch --all git checkout updated-inputs -git merge -s ort -X theirs origin/master -m "Update from master ${NOW}" +git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" merge -s ort -X theirs origin/master -m "Update from master ${NOW}" +echo "[!] Update inputs" nix flake update +echo "[!] Commit changes" git add flake.lock -git commit -m "Flake update ${NOW}" || true +git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}" || true +echo "[!] Publish" git push origin updated-inputs
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index b4514a6..6bcabf7 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -2,7 +2,10 @@ self: super: {
 anycast_healthchecker = self.python3.pkgs.callPackage ./anycast_healthchecker {};
 flask-excel = self.python3.pkgs.callPackage ./flask-excel {};
 iot-data = self.python3.pkgs.callPackage ./iot-data {};
- nixfiles-updated-inputs = self.callPackage ./nixfiles {};
+ nixfiles-add-secret = self.callPackage ./nixfiles/nixfiles-add-secret.nix {};
+ nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
+ nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
+ nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
 pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
 pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
 uptimestatus = self.python3.pkgs.callPackage ./uptimestatus {};
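Review bot: `git status || git clone gitea@git.clerie.de:clerie/nixfiles.git .` uses a porcelain command as the repository probe, which prints a full status on every run and succeeds whenever the working directory is inside any git repository; `git rev-parse --git-dir >/dev/null 2>&1 || git clone gitea@git.clerie.de:clerie/nixfiles.git .` is the precise check. The bot identity is now repeated verbatim in two `-c` pairs on the `merge` and `commit` lines; exporting it once near the top of the script (`GIT_AUTHOR_NAME`/`GIT_COMMITTER_NAME` and the matching `*_EMAIL` variables) keeps the two from drifting apart. The rewritten `… commit … || true` still hides every commit failure, not only "nothing to commit", before `git push` runs; `git diff --cached --quiet || git -c … commit -m "Flake update ${NOW}"` keeps the intended skip while letting real failures stop the script under `set -e`. The script's opening lines, including the `set -euo pipefail` shown beside the hunk header, are outside the hunk.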