diff --git a/flake.nix b/flake.nix 
index 81ec93b..aa15219 100644 
--- a/flake.nix 
+++ b/flake.nix 
@@ -26,7 +26,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 }; 
- outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let 
+ outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
 helper = (import ./lib/flake-helper.nix) inputs;
 in {
 clerie.hosts = { 
@@ -86,6 +86,12 @@
 pkgs = import nixpkgs {
 overlays = [
 (import ./pkgs/overlay.nix) 
+ (_: _: { 
+ inherit (agenix.packages."x86_64-linux") 
+ agenix; 
+ inherit (chaosevents.packages."x86_64-linux") 
+ chaosevents; 
+ })
 ];
 system = "x86_64-linux";
 }; 
@@ -94,7 +100,10 @@
 anycast_healthchecker
 flask-excel
 iot-data 
+ nixfiles-add-secret 
+ nixfiles-generate-backup-secrets
 nixfiles-updated-inputs 
+ nixfiles-update-ssh-host-keys
 pyexcel-xlsx
 pyexcel-webio
 uptimestatus 
diff --git a/pkgs/nixfiles/nixfiles-add-secret.nix b/pkgs/nixfiles/nixfiles-add-secret.nix 
new file mode 100644 
index 0000000..05cc0e5 
--- /dev/null 
+++ b/pkgs/nixfiles/nixfiles-add-secret.nix 
@@ -0,0 +1,11 @@ 
+{ pkgs, ... }: 
+ 
+pkgs.writeShellApplication { 
+ name = "nixfiles-add-secret"; 
+ text = builtins.readFile ./nixfiles-add-secret.sh; 
+ runtimeInputs = with pkgs; [ 
+ agenix 
+ git 
+ ]; 
+} 
+ 
diff --git a/pkgs/nixfiles/nixfiles-add-secret.sh b/pkgs/nixfiles/nixfiles-add-secret.sh 
index 31d2991..e6345e0 100755 
--- a/pkgs/nixfiles/nixfiles-add-secret.sh 
+++ b/pkgs/nixfiles/nixfiles-add-secret.sh 
@@ -1,15 +1,15 @@ 
-#!/bin/bash 
+#!/usr/bin/env bash
 set -euo pipefail 
-cd $(git rev-parse --show-toplevel) 
+cd "$(git rev-parse --show-toplevel)" 
-host=$1 
-secret=$2 
+host="$1" 
+secret="$2" 
-mkdir -p hosts/${host}/secrets 
+mkdir -p "hosts/${host}/secrets" 
-nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new 
+agenix -e "hosts/${host}/secrets/new" 
-mv hosts/${host}/secrets/new hosts/${host}/secrets/${secret}.age 
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age" 
diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix 
new file mode 100644 
index 0000000..9c2885e 
--- /dev/null 
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix 
@@ -0,0 +1,13 @@ 
+{ pkgs, ... }: 
+ 
+pkgs.writeShellApplication { 
+ name = "nixfiles-generate-backup-secrets"; 
+ text = builtins.readFile ./nixfiles-generate-backup-secrets.sh; 
+ runtimeInputs = with pkgs; [ 
+ agenix 
+ apacheHttpd 
+ git 
+ pwgen 
+ ]; 
+} 
+ 
diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh 
index f09af98..28dcb42 100755 
--- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh 
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh 
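Review bot: `mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age"` on the last added line silently replaces an existing secret of the same name, and nothing checks that `hosts/${host}` exists before `mkdir -p` creates a fresh tree for a mistyped host. Guarding both before agenix opens the editor avoids the clobber and the stray directory: `[ -d "hosts/${host}" ] || { echo "unknown host: ${host}" >&2; exit 1; }` and `[ ! -e "hosts/${host}/secrets/${secret}.age" ] || { echo "secret already exists: ${secret}" >&2; exit 1; }`. With `set -u` a missing argument only yields an "unbound variable" message, so a usage line such as `[ $# -eq 2 ] || { echo "usage: nixfiles-add-secret <host> <secret>" >&2; exit 1; }` would also help. The hunk covers the whole script.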
@@ -1,32 +1,32 @@ 
-#!/bin/bash 
+#!/usr/bin/env bash
 set -euo pipefail 
-cd $(git rev-parse --show-toplevel) 
+cd "$(git rev-parse --show-toplevel)" 
-host=$1 
+host="$1" 
-job_main=$(nix run nixpkgs#pwgen -- -1 64 1) 
-target_cyan=$(nix run nixpkgs#pwgen -- -1 64 1) 
-target_cyan_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_cyan}) 
-target_magenta=$(nix run nixpkgs#pwgen -- -1 64 1) 
-target_magenta_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_magenta}) 
+job_main="$(pwgen -1 64 1)" 
+target_cyan="$(pwgen -1 64 1)" 
+target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")" 
+target_magenta="$(pwgen -1 64 1)" 
+target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")" 
-mkdir -p hosts/${host}/secrets 
+mkdir -p "hosts/${host}/secrets" 
-echo "$job_main" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new 
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-job-main.age 
+echo "$job_main" | agenix -e "hosts/${host}/secrets/new" 
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age" 
-echo "$target_cyan" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new 
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-cyan.age 
+echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new" 
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age" 
-echo "$target_magenta" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new 
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-magenta.age 
+echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new" 
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age" 
-prev_htpasswd_cyan=$(nix run github:ryantm/agenix -- -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age) 
-cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | nix run github:ryantm/agenix -- -e 
hosts/clerie-backup/secrets/new 
-mv hosts/clerie-backup/secrets/new hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age 
+prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)" 
+cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new" 
+mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age" 
-prev_htpasswd_magenta=$(nix run github:ryantm/agenix -- -d hosts/backup-4/secrets/restic-server-magenta-htpasswd.age) 
-cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | nix run github:ryantm/agenix -- -e hosts/backup-4/secrets/new 
-mv hosts/backup-4/secrets/new hosts/backup-4/secrets/restic-server-magenta-htpasswd.age 
+prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")" 
+cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new" 
+mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age" 
diff --git a/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix 
new file mode 100644 
index 0000000..960763b 
--- /dev/null 
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix 
@@ -0,0 +1,12 @@ 
+{ pkgs, ... }: 
+ 
+pkgs.writeShellApplication { 
+ name = "nixfiles-update-ssh-host-keys"; 
+ text = builtins.readFile ./nixfiles-update-ssh-host-keys.sh; 
+ runtimeInputs = with pkgs; [ 
+ git 
+ nix 
+ openssh 
+ ]; 
+} 
+ 
diff --git a/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh 
index 33ab4a3..e1298f4 100755 
--- a/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh 
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh 
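Review bot: `htpasswd -nbB "${host}" "${target_cyan}"` (and its magenta twin) still hands the freshly generated password to htpasswd on the command line via `-b`, where it is readable by every other user on the machine through the process list for the duration of the bcrypt computation; the commit only quotes it. htpasswd can take the password from stdin instead, so `target_cyan_htpasswd="$(printf '%s' "${target_cyan}" | htpasswd -niB "${host}")"` keeps it out of argv, matching how the script already pipes the secrets into agenix. Separately, `cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e …` appends the new entry without removing an earlier line for the same `${host}`, so a re-run leaves two entries for that user; which one the server honours is not visible here, but the old password may remain valid, so filtering the previous contents with `grep -v "^${host}:"` inside the first process substitution would make the rotation actually retire the old credential. The hunk covers the whole script.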
@@ -1,8 +1,8 @@ 
-#!/bin/bash 
+#!/usr/bin/env bash 
-cd $(git rev-parse --show-toplevel) 
+cd "$(git rev-parse --show-toplevel)"
 for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do 
- echo $host 
- ssh-keyscan -t ed25519 ${host}.net.clerie.de 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > hosts/${host}/ssh.pub 
+ echo "$host" 
+ ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > "hosts/${host}/ssh.pub"
 done 
diff --git a/pkgs/nixfiles/default.nix b/pkgs/nixfiles/nixfiles-updated-inputs.nix 
similarity index 100% 
rename from pkgs/nixfiles/default.nix 
rename to pkgs/nixfiles/nixfiles-updated-inputs.nix 
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix 
index b4514a6..6bcabf7 100644 
--- a/pkgs/overlay.nix 
+++ b/pkgs/overlay.nix 
@@ -2,7 +2,10 @@ self: super: {
 anycast_healthchecker = self.python3.pkgs.callPackage ./anycast_healthchecker {};
 flask-excel = self.python3.pkgs.callPackage ./flask-excel {};
 iot-data = self.python3.pkgs.callPackage ./iot-data {}; 
- nixfiles-updated-inputs = self.callPackage ./nixfiles {}; 
+ nixfiles-add-secret = self.callPackage ./nixfiles/nixfiles-add-secret.nix {}; 
+ nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {}; 
+ nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {}; 
+ nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
 pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
 pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
 uptimestatus = self.python3.pkgs.callPackage ./uptimestatus {};
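Review bot: The redirect `> "hosts/${host}/ssh.pub"` on the ssh-keyscan line truncates the stored host key before ssh-keyscan has produced anything, so a host that is unreachable while the loop runs ends up with an empty `ssh.pub` committed in its place, and with stderr sent to /dev/null nothing says why. Capturing the output first and writing only a non-empty result keeps the previously pinned key in that case: `key="$(ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' || true)"`, then `[ -n "$key" ] || { echo "no key for ${host}" >&2; continue; }`, then `printf '%s\n' "$key" > "hosts/${host}/ssh.pub"`. The `|| true` matters because, as far as I recall, writeShellApplication (which the new .nix wrapper uses) enables errexit and pipefail by default, so one failed scan would otherwise abort the rest of the loop; since this script, unlike the other two, carries no `set -euo pipefail` of its own, a one-line comment stating that the wrapper supplies it would spare readers the guess. The for loop lies entirely within the hunk.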