
Compare commits


5 Commits

Author SHA1 Message Date
Flake Update Bot
d937ce3c5c Flake update 2023-09-02T01:03+00:00 2023-09-02 03:04:05 +02:00
Flake Update Bot
3256b0efc7 Update from master 2023-09-02T01:03+00:00 2023-09-02 03:03:02 +02:00
6322949026 pkgs/nixfiles: Package nixfiles utility scripts 2023-09-01 17:23:53 +02:00
cf63ea90ac pkgs/nixfiles: Move utility scripts to pkgs 2023-09-01 16:44:25 +02:00
553542071d hosts/osmium: deploy nixfiles inputs update script 2023-09-01 16:38:34 +02:00
16 changed files with 149 additions and 71 deletions


@ -1,15 +0,0 @@
#!/bin/bash
set -euo pipefail
cd $(git rev-parse --show-toplevel)
host=$1
secret=$2
mkdir -p hosts/${host}/secrets
nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
mv hosts/${host}/secrets/new hosts/${host}/secrets/${secret}.age


@ -1,32 +0,0 @@
#!/bin/bash
set -euo pipefail
cd $(git rev-parse --show-toplevel)
host=$1
job_main=$(nix run nixpkgs#pwgen -- -1 64 1)
target_cyan=$(nix run nixpkgs#pwgen -- -1 64 1)
target_cyan_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_cyan})
target_magenta=$(nix run nixpkgs#pwgen -- -1 64 1)
target_magenta_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_magenta})
mkdir -p hosts/${host}/secrets
echo "$job_main" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-job-main.age
echo "$target_cyan" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-cyan.age
echo "$target_magenta" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-magenta.age
prev_htpasswd_cyan=$(nix run github:ryantm/agenix -- -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)
cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | nix run github:ryantm/agenix -- -e hosts/clerie-backup/secrets/new
mv hosts/clerie-backup/secrets/new hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
prev_htpasswd_magenta=$(nix run github:ryantm/agenix -- -d hosts/backup-4/secrets/restic-server-magenta-htpasswd.age)
cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | nix run github:ryantm/agenix -- -e hosts/backup-4/secrets/new
mv hosts/backup-4/secrets/new hosts/backup-4/secrets/restic-server-magenta-htpasswd.age


@ -183,11 +183,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1692952286, "lastModified": 1693588489,
"narHash": "sha256-TsrtPv3+Q1KR0avZxpiJH+b6fX/R/hEQVHbjl1ebotY=", "narHash": "sha256-hUGiONyurfBxmTtRUttdlkdq+ml16L1MiKKAS1047OE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "817e297fc3352fadc15f2c5306909aa9192d7d97", "rev": "fe0ea731b84b10143fc68cd557368ac70f0fb65c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -215,11 +215,11 @@
}, },
"nixpkgs-krypton": { "nixpkgs-krypton": {
"locked": { "locked": {
"lastModified": 1693377291, "lastModified": 1693471703,
"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=", "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e7f38be3775bab9659575f192ece011c033655f0", "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -231,11 +231,11 @@
}, },
"nixpkgs-schule": { "nixpkgs-schule": {
"locked": { "locked": {
"lastModified": 1693377291, "lastModified": 1693471703,
"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=", "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e7f38be3775bab9659575f192ece011c033655f0", "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -247,11 +247,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1693377291, "lastModified": 1693471703,
"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=", "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e7f38be3775bab9659575f192ece011c033655f0", "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -26,7 +26,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
helper = (import ./lib/flake-helper.nix) inputs; helper = (import ./lib/flake-helper.nix) inputs;
in { in {
clerie.hosts = { clerie.hosts = {
@ -86,6 +86,12 @@
pkgs = import nixpkgs { pkgs = import nixpkgs {
overlays = [ overlays = [
(import ./pkgs/overlay.nix) (import ./pkgs/overlay.nix)
(_: _: {
inherit (agenix.packages."x86_64-linux")
agenix;
inherit (chaosevents.packages."x86_64-linux")
chaosevents;
})
]; ];
system = "x86_64-linux"; system = "x86_64-linux";
}; };
@ -94,7 +100,10 @@
anycast_healthchecker anycast_healthchecker
flask-excel flask-excel
iot-data iot-data
nixfiles-add-secret
nixfiles-generate-backup-secrets
nixfiles-updated-inputs nixfiles-updated-inputs
nixfiles-update-ssh-host-keys
pyexcel-xlsx pyexcel-xlsx
pyexcel-webio pyexcel-webio
uptimestatus uptimestatus
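Review bot: The new overlay starting at `(_: _: {` hard-codes `"x86_64-linux"` in both `inherit` lines even though the same `pkgs = import nixpkgs { ... }` set declares `system = "x86_64-linux";` a few lines below, so the two places can drift if the system is ever changed in only one of them. Taking the system from the package set itself keeps them tied together: `(final: _: { inherit (agenix.packages.${final.stdenv.hostPlatform.system}) agenix; inherit (chaosevents.packages.${final.stdenv.hostPlatform.system}) chaosevents; })`. This also presumes an `agenix` flake input is declared above the first hunk, since `agenix` is newly destructured in the `outputs` arguments and that declaration is not visible here. The enclosing `let` binding continues past the hunk.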


@ -5,6 +5,8 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm ../../configuration/proxmox-vm
./nixfiles-updated-inputs.nix
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;


@ -0,0 +1,21 @@
{ config, pkgs, ... }:
{
systemd.services.nixfiles-updated-inputs = {
environment = {
GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";
# nix likes a home directory to place the cache there
HOME = "/var/lib/nixfiles-updated-inputs";
};
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
StateDirectory = "nixfiles-updated-inputs";
WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
DynamicUser = true;
# this sets the correct file permissions for the ssh key because we use DynamicUser
LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
};
startAt = "*-*-* 03:03:00";
};
}
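Review bot: The `GIT_SSH_COMMAND` value in `environment` pins `git.clerie.de` through a generated `known_hosts`, but it does not set `StrictHostKeyChecking`, so if that file ever fails to match (key rotation, a stale entry) the outcome rests on ssh's default `ask` behaviour inside a non-interactive service rather than an explicit refusal, and ssh is still free to try identities other than the loaded credential. Making the pin explicit is a one-line change: `GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "..."} -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -i %d/nixfiles-updated-inputs-ssh";` with the known_hosts content unchanged. Because the script this unit runs ends with `git push origin updated-inputs`, the credential handed over via `LoadCredential` must carry write access to the repository; whether it is a repository-scoped deploy key or a user key is not visible on the page, and a comment next to `LoadCredential` stating which one is expected (and that `%d` resolves to the credentials directory) would help the next reader. `DynamicUser = true` plus `LoadCredential` is the right way to keep the key out of the world-readable state directory, so that part reads well.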

Binary file not shown.


@ -0,0 +1,11 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nixfiles-add-secret";
text = builtins.readFile ./nixfiles-add-secret.sh;
runtimeInputs = with pkgs; [
agenix
git
];
}


@ -0,0 +1,15 @@
#!/usr/bin/env bash
set -euo pipefail
cd "$(git rev-parse --show-toplevel)"
host="$1"
secret="$2"
mkdir -p "hosts/${host}/secrets"
agenix -e "hosts/${host}/secrets/new"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age"
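Review bot: The script dereferences `$1` and `$2` on the `host=`/`secret=` lines without an argument check, so a missing argument surfaces as an `unbound variable` error from `set -u` rather than a usage message. A guard before the `cd`, such as `[ "$#" -eq 2 ] || { echo "usage: nixfiles-add-secret <host> <secret>" >&2; exit 2; }`, covers that case. Separately, the final `mv` silently overwrites an existing `${secret}.age`; if replacing an existing secret is not the intended use, `mv -n` or an explicit existence check would make that visible — I cannot tell from the page which behaviour is wanted, so a one-line comment stating it would be enough either way.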


@ -0,0 +1,13 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nixfiles-generate-backup-secrets";
text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
runtimeInputs = with pkgs; [
agenix
apacheHttpd
git
pwgen
];
}


@ -0,0 +1,32 @@
#!/usr/bin/env bash
set -euo pipefail
cd "$(git rev-parse --show-toplevel)"
host="$1"
job_main="$(pwgen -1 64 1)"
target_cyan="$(pwgen -1 64 1)"
target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
target_magenta="$(pwgen -1 64 1)"
target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
mkdir -p "hosts/${host}/secrets"
echo "$job_main" | agenix -e "hosts/${host}/secrets/new"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age"
echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"
echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"
prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"
prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"
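Review bot: The two `htpasswd -nbB` lines pass the freshly generated password as a command-line argument, which the htpasswd manual itself warns is visible to other users on the machine through the process list for as long as htpasswd runs; `htpasswd -niB` reads it from stdin instead, e.g. `target_cyan_htpasswd="$(echo "${target_cyan}" | htpasswd -niB "${host}")"` and the same for magenta. A second thing to check: the `cat <(echo "$prev_htpasswd_cyan") ...` lines append a new entry for `${host}` to the decrypted server htpasswd without removing an existing one, so re-running the script for the same host leaves two lines for that user; which line the server honours is not visible here, so filtering the previous content with `grep -v "^${host}:"` (minding `pipefail` when nothing remains) seems worth considering. The quoting is also inconsistent between `agenix -d hosts/clerie-backup/...` and the quoted magenta path two lines below; harmless, but worth aligning.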


@ -0,0 +1,12 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "nixfiles-update-ssh-host-keys";
text = builtins.readFile ./nixfiles-update-ssh-host-keys.sh;
runtimeInputs = with pkgs; [
git
nix
openssh
];
}


@ -1,8 +1,8 @@
#!/bin/bash #!/usr/bin/env bash
cd $(git rev-parse --show-toplevel) cd "$(git rev-parse --show-toplevel)"
for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do
echo $host echo "$host"
ssh-keyscan -t ed25519 ${host}.net.clerie.de 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > hosts/${host}/ssh.pub ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > "hosts/${host}/ssh.pub"
done done
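Review bot: On the `ssh-keyscan ... > "hosts/${host}/ssh.pub"` line the redirect truncates the existing key file before anything is read, so a host that is unreachable or returns nothing has its committed key replaced by an empty file, and with stderr sent to `/dev/null` nothing tells the operator which hosts failed. Collecting the output first and writing only when it is non-empty keeps a previously recorded key; since this script now presumably runs under `writeShellApplication` (errexit/pipefail on), a non-zero `ssh-keyscan` may also abort the whole loop, which the `|| true` below guards against. Beyond that, the script refreshes every host's key from whatever the network presents at that moment, so the resulting `git diff hosts/*/ssh.pub` should be looked at for unexpected key changes before committing; a comment at the top saying so would help.

```shell
  echo "$host"
  key="$(ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' || true)"
  if [ -n "$key" ]; then
    printf '%s\n' "$key" > "hosts/${host}/ssh.pub"
  else
    echo "[!] no ed25519 key received for ${host}, keeping existing file" >&2
  fi
done
```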


@ -1,10 +1,12 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.writeShellApplication { pkgs.writeShellApplication {
name = "nixfiles-updated-inputs.sh"; name = "nixfiles-updated-inputs";
text = builtins.readFile ./nixfiles-updated-inputs.sh; text = builtins.readFile ./nixfiles-updated-inputs.sh;
runtimeInputs = [ runtimeInputs = with pkgs; [
pkgs.git git
nix
openssh
]; ];
} }


@ -4,10 +4,15 @@ set -euo pipefail
NOW="$(date --utc --iso-8601=minutes)" NOW="$(date --utc --iso-8601=minutes)"
git fetch origin master git status || git clone gitea@git.clerie.de:clerie/nixfiles.git .
echo "[!] Download changes"
git fetch --all
git checkout updated-inputs git checkout updated-inputs
git merge -s ort -X theirs origin/master -m "Update from master ${NOW}" git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
echo "[!] Update inputs"
nix flake update nix flake update
echo "[!] Commit changes"
git add flake.lock git add flake.lock
git commit -m "Flake update ${NOW}" || true git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}" || true
echo "[!] Publish"
git push origin updated-inputs git push origin updated-inputs
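Review bot: The `git ... commit -m "Flake update ${NOW}" || true` line swallows every commit failure, not only the "nothing to commit" case it is there for, so a failed commit (hook, identity, index problem) is followed by `git push` as if it had succeeded. Checking the index instead keeps the error visible: `git diff --cached --quiet || git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}"`. The `git status || git clone ... .` bootstrap on the first changed line likewise treats any `git status` failure as "not cloned yet" and then clones into a directory that may not be empty; `[ -e .git ] || git clone gitea@git.clerie.de:clerie/nixfiles.git .` expresses the intent more directly. The repeated `-c user.name`/`-c user.email` pairs could be hoisted into `GIT_AUTHOR_NAME`, `GIT_COMMITTER_NAME`, `GIT_AUTHOR_EMAIL` and `GIT_COMMITTER_EMAIL` in the service environment, which is a style preference. The script's first three lines, including its `set -euo pipefail`, lie outside the hunk.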


@ -2,7 +2,10 @@ self: super: {
anycast_healthchecker = self.python3.pkgs.callPackage ./anycast_healthchecker {}; anycast_healthchecker = self.python3.pkgs.callPackage ./anycast_healthchecker {};
flask-excel = self.python3.pkgs.callPackage ./flask-excel {}; flask-excel = self.python3.pkgs.callPackage ./flask-excel {};
iot-data = self.python3.pkgs.callPackage ./iot-data {}; iot-data = self.python3.pkgs.callPackage ./iot-data {};
nixfiles-updated-inputs = self.callPackage ./nixfiles {}; nixfiles-add-secret = self.callPackage ./nixfiles/nixfiles-add-secret.nix {};
nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {}; pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {}; pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
uptimestatus = self.python3.pkgs.callPackage ./uptimestatus {}; uptimestatus = self.python3.pkgs.callPackage ./uptimestatus {};