pkgs/nixfiles: Package nixfiles utility scripts

2023-09-01 17:23:53 +02:00
parent cf63ea90ac
commit 6322949026
9 changed files with 82 additions and 34 deletions
--- a/pkgs/nixfiles/nixfiles-add-secret.nix
+++ b/pkgs/nixfiles/nixfiles-add-secret.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "nixfiles-add-secret";
+  text = builtins.readFile ./nixfiles-add-secret.sh;
+  runtimeInputs = with pkgs; [
+    agenix
+    git
+  ];
+}
+
--- a/pkgs/nixfiles/nixfiles-add-secret.sh
+++ b/pkgs/nixfiles/nixfiles-add-secret.sh
@@ -1,15 +1,15 @@
-#!/bin/bash
+#!/usr/bin/env bash

 set -euo pipefail

-cd $(git rev-parse --show-toplevel)
+cd "$(git rev-parse --show-toplevel)"

-host=$1
-secret=$2
+host="$1"
+secret="$2"

-mkdir -p hosts/${host}/secrets
+mkdir -p "hosts/${host}/secrets"

-nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
+agenix -e "hosts/${host}/secrets/new"

-mv hosts/${host}/secrets/new hosts/${host}/secrets/${secret}.age
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age"

--- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "nixfiles-generate-backup-secrets";
+  text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
+  runtimeInputs = with pkgs; [
+    agenix
+    apacheHttpd
+    git
+    pwgen
+  ];
+}
+
--- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
@@ -1,32 +1,32 @@
-#!/bin/bash
+#!/usr/bin/env bash

 set -euo pipefail

-cd $(git rev-parse --show-toplevel)
+cd "$(git rev-parse --show-toplevel)"

-host=$1
+host="$1"

-job_main=$(nix run nixpkgs#pwgen -- -1 64 1)
-target_cyan=$(nix run nixpkgs#pwgen -- -1 64 1)
-target_cyan_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_cyan})
-target_magenta=$(nix run nixpkgs#pwgen -- -1 64 1)
-target_magenta_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_magenta})
+job_main="$(pwgen -1 64 1)"
+target_cyan="$(pwgen -1 64 1)"
+target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
+target_magenta="$(pwgen -1 64 1)"
+target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"

-mkdir -p hosts/${host}/secrets
+mkdir -p "hosts/${host}/secrets"

-echo "$job_main" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-job-main.age
+echo "$job_main" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age"

-echo "$target_cyan" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-cyan.age
+echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"

-echo "$target_magenta" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
-mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-magenta.age
+echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"

-prev_htpasswd_cyan=$(nix run github:ryantm/agenix -- -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)
-cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | nix run github:ryantm/agenix -- -e hosts/clerie-backup/secrets/new
-mv hosts/clerie-backup/secrets/new hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
+prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
+cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
+mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"

-prev_htpasswd_magenta=$(nix run github:ryantm/agenix -- -d hosts/backup-4/secrets/restic-server-magenta-htpasswd.age)
-cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | nix run github:ryantm/agenix -- -e hosts/backup-4/secrets/new
-mv hosts/backup-4/secrets/new hosts/backup-4/secrets/restic-server-magenta-htpasswd.age
+prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
+cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
+mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"
--- a/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+  name = "nixfiles-update-ssh-host-keys";
+  text = builtins.readFile ./nixfiles-update-ssh-host-keys.sh;
+  runtimeInputs = with pkgs; [
+    git
+    nix
+    openssh
+  ];
+}
+
--- a/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.sh
@@ -1,8 +1,8 @@
-#!/bin/bash
+#!/usr/bin/env bash

-cd $(git rev-parse --show-toplevel)
+cd "$(git rev-parse --show-toplevel)"

 for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do
-	echo $host
-	ssh-keyscan -t ed25519 ${host}.net.clerie.de 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > hosts/${host}/ssh.pub
+	echo "$host"
+	ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > "hosts/${host}/ssh.pub"
 done
--- a/pkgs/nixfiles/nixfiles-updated-inputs.nix
+++ b/pkgs/nixfiles/nixfiles-updated-inputs.nix