Compare commits
5 Commits
f99589aa85
...
d937ce3c5c
Author | SHA1 | Date | |
---|---|---|---|
|
d937ce3c5c | ||
|
3256b0efc7 | ||
6322949026 | |||
cf63ea90ac | |||
553542071d |
@ -1,15 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
cd $(git rev-parse --show-toplevel)
|
|
||||||
|
|
||||||
host=$1
|
|
||||||
secret=$2
|
|
||||||
|
|
||||||
mkdir -p hosts/${host}/secrets
|
|
||||||
|
|
||||||
nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
|
|
||||||
|
|
||||||
mv hosts/${host}/secrets/new hosts/${host}/secrets/${secret}.age
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
cd $(git rev-parse --show-toplevel)
|
|
||||||
|
|
||||||
host=$1
|
|
||||||
|
|
||||||
job_main=$(nix run nixpkgs#pwgen -- -1 64 1)
|
|
||||||
target_cyan=$(nix run nixpkgs#pwgen -- -1 64 1)
|
|
||||||
target_cyan_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_cyan})
|
|
||||||
target_magenta=$(nix run nixpkgs#pwgen -- -1 64 1)
|
|
||||||
target_magenta_htpasswd=$(nix shell nixpkgs#apacheHttpd -c htpasswd -nbB ${host} ${target_magenta})
|
|
||||||
|
|
||||||
mkdir -p hosts/${host}/secrets
|
|
||||||
|
|
||||||
echo "$job_main" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
|
|
||||||
mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-job-main.age
|
|
||||||
|
|
||||||
echo "$target_cyan" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
|
|
||||||
mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-cyan.age
|
|
||||||
|
|
||||||
echo "$target_magenta" | nix run github:ryantm/agenix -- -e hosts/${host}/secrets/new
|
|
||||||
mv hosts/${host}/secrets/new hosts/${host}/secrets/clerie-backup-target-magenta.age
|
|
||||||
|
|
||||||
prev_htpasswd_cyan=$(nix run github:ryantm/agenix -- -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)
|
|
||||||
cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | nix run github:ryantm/agenix -- -e hosts/clerie-backup/secrets/new
|
|
||||||
mv hosts/clerie-backup/secrets/new hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
|
|
||||||
|
|
||||||
prev_htpasswd_magenta=$(nix run github:ryantm/agenix -- -d hosts/backup-4/secrets/restic-server-magenta-htpasswd.age)
|
|
||||||
cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | nix run github:ryantm/agenix -- -e hosts/backup-4/secrets/new
|
|
||||||
mv hosts/backup-4/secrets/new hosts/backup-4/secrets/restic-server-magenta-htpasswd.age
|
|
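--- a/flake.lock
+++ b/flake.lock
@@ -183,11 +183,11 @@
 },
 "nixos-hardware": {
 "locked": {
-"lastModified": 1692952286,
-"narHash": "sha256-TsrtPv3+Q1KR0avZxpiJH+b6fX/R/hEQVHbjl1ebotY=",
+"lastModified": 1693588489,
+"narHash": "sha256-hUGiONyurfBxmTtRUttdlkdq+ml16L1MiKKAS1047OE=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
-"rev": "817e297fc3352fadc15f2c5306909aa9192d7d97",
+"rev": "fe0ea731b84b10143fc68cd557368ac70f0fb65c",
 "type": "github"
 },
 "original": {
@@ -215,11 +215,11 @@
 },
 "nixpkgs-krypton": {
 "locked": {
-"lastModified": 1693377291,
-"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
+"lastModified": 1693471703,
+"narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "e7f38be3775bab9659575f192ece011c033655f0",
+"rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
 "type": "github"
 },
 "original": {
@@ -231,11 +231,11 @@
 },
 "nixpkgs-schule": {
 "locked": {
-"lastModified": 1693377291,
-"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
+"lastModified": 1693471703,
+"narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "e7f38be3775bab9659575f192ece011c033655f0",
+"rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
 "type": "github"
 },
 "original": {
@@ -247,11 +247,11 @@
 },
 "nixpkgs_2": {
 "locked": {
-"lastModified": 1693377291,
-"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
+"lastModified": 1693471703,
+"narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "e7f38be3775bab9659575f192ece011c033655f0",
+"rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
 "type": "github"
 },
 "original": {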
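--- a/flake.nix
+++ b/flake.nix
@@ -26,7 +26,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
-outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
+outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ... }@inputs: let
 helper = (import ./lib/flake-helper.nix) inputs;
 in {
 clerie.hosts = {
@@ -86,6 +86,12 @@
 pkgs = import nixpkgs {
 overlays = [
 (import ./pkgs/overlay.nix)
+(_: _: {
+inherit (agenix.packages."x86_64-linux")
+agenix;
+inherit (chaosevents.packages."x86_64-linux")
+chaosevents;
+})
 ];
 system = "x86_64-linux";
 };
@@ -94,7 +100,10 @@
 anycast_healthchecker
 flask-excel
 iot-data
+nixfiles-add-secret
+nixfiles-generate-backup-secrets
 nixfiles-updated-inputs
+nixfiles-update-ssh-host-keys
 pyexcel-xlsx
 pyexcel-webio
 uptimestatus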
@ -5,6 +5,8 @@
|
|||||||
[
|
[
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../configuration/proxmox-vm
|
../../configuration/proxmox-vm
|
||||||
|
|
||||||
|
./nixfiles-updated-inputs.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.grub.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
|
21
hosts/osmium/nixfiles-updated-inputs.nix
Normal file
21
hosts/osmium/nixfiles-updated-inputs.nix
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
systemd.services.nixfiles-updated-inputs = {
|
||||||
|
environment = {
|
||||||
|
GIT_SSH_COMMAND = "ssh -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";
|
||||||
|
# nix likes a home directory to place the cache there
|
||||||
|
HOME = "/var/lib/nixfiles-updated-inputs";
|
||||||
|
};
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = pkgs.nixfiles-updated-inputs + "/bin/nixfiles-updated-inputs";
|
||||||
|
StateDirectory = "nixfiles-updated-inputs";
|
||||||
|
WorkingDirectory = "/var/lib/nixfiles-updated-inputs";
|
||||||
|
DynamicUser = true;
|
||||||
|
# this sets the correct file permissions for the ssh key because we use DynamicUser
|
||||||
|
LoadCredential = "nixfiles-updated-inputs-ssh:${config.age.secrets."nixfiles-updated-inputs-ssh".path}";
|
||||||
|
};
|
||||||
|
startAt = "*-*-* 03:03:00";
|
||||||
|
};
|
||||||
|
}
|
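Review bot: The `GIT_SSH_COMMAND` in `environment` pins a `UserKnownHostsFile` for git.clerie.de but leaves `StrictHostKeyChecking` at ssh's default and does not restrict which identity is offered, so what happens on a key mismatch depends on ssh's defaults and on `/etc/ssh/ssh_known_hosts`, and any key reachable through `$HOME/.ssh` or an agent would be tried next to the loaded credential. For a non-interactive unit make both explicit: `GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes -o UserKnownHostsFile=${pkgs.writeText "known_hosts" "git.clerie.de ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHQDwfRlw6L+pkLjXDgW2BUWlY1zNEDtVhNEsClgqaL"} -i %d/nixfiles-updated-inputs-ssh";`. The comment above `LoadCredential` explains the permission handling but not what the key is allowed to do; since the job presumably pushes with it, a line such as `# deploy key for the nixfiles repo; keep it limited to the updated-inputs branch` would let the next reader judge the blast radius of this unit — confirm the key is actually scoped that way on the Gitea side.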
BIN
hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
Normal file
BIN
hosts/osmium/secrets/nixfiles-updated-inputs-ssh.age
Normal file
Binary file not shown.
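--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-add-secret.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+name = "nixfiles-add-secret";
+text = builtins.readFile ./nixfiles-add-secret.sh;
+runtimeInputs = with pkgs; [
+agenix
+git
+];
+}
+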
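--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-add-secret.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+host="$1"
+secret="$2"
+
+mkdir -p "hosts/${host}/secrets"
+
+agenix -e "hosts/${host}/secrets/new"
+
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age"
+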
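Review bot: The final `mv` silently replaces an existing `hosts/${host}/secrets/${secret}.age`, so a typo in the second argument clobbers an unrelated secret with no prompt and only git history to recover from; a guard before the edit, `[ -e "hosts/${host}/secrets/${secret}.age" ] && { echo "refusing to overwrite hosts/${host}/secrets/${secret}.age" >&2; exit 1; }`, or simply `mv -i`, is cheap insurance (drop it if overwriting is the intended rotation path, but then say so in a comment). The detour through the temporary name `new` also deserves a comment: as far as I know agenix selects the recipient keys by matching the path it is given against `secrets.nix`, so the rule that matches `hosts/<host>/secrets/new` must grant exactly the keys the final filename would — confirm that, or edit the final path directly.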
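--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+name = "nixfiles-generate-backup-secrets";
+text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
+runtimeInputs = with pkgs; [
+agenix
+apacheHttpd
+git
+pwgen
+];
+}
+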
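--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+host="$1"
+
+job_main="$(pwgen -1 64 1)"
+target_cyan="$(pwgen -1 64 1)"
+target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
+target_magenta="$(pwgen -1 64 1)"
+target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
+
+mkdir -p "hosts/${host}/secrets"
+
+echo "$job_main" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age"
+
+echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"
+
+echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
+mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"
+
+prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
+cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
+mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"
+
+prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
+cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
+mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"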
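Review bot: The two `htpasswd -nbB "${host}" "${target_…}"` lines hand the freshly generated plaintext password to htpasswd as a command-line argument, where every local user can read it through `ps` or `/proc/<pid>/cmdline` while the command runs; the htpasswd manual itself warns against `-b` for exactly this reason. Reading it from stdin avoids the exposure: `target_cyan_htpasswd="$(htpasswd -niB "${host}" <<<"${target_cyan}")"` (and the same for magenta). Two smaller points: `pwgen -1 64 1` without `-s` yields pwgen's "pronounceable" passwords, which carry less entropy per character than its fully random mode, and `-s` costs nothing for a machine credential; and the `cat <(echo "$prev_htpasswd_…") <(echo "$target_…_htpasswd")` lines append a second `host:` entry when one already exists, so re-running for a host leaves two lines for the same user — `<(grep -v "^${host}:" <<<"$prev_htpasswd_cyan" || true)` in place of the plain echo makes the script safely re-runnable (assuming the server's file-based auth stops at the first match, which is worth confirming).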
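--- /dev/null
+++ b/pkgs/nixfiles/nixfiles-update-ssh-host-keys.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+pkgs.writeShellApplication {
+name = "nixfiles-update-ssh-host-keys";
+text = builtins.readFile ./nixfiles-update-ssh-host-keys.sh;
+runtimeInputs = with pkgs; [
+git
+nix
+openssh
+];
+}
+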
@ -1,8 +1,8 @@
|
|||||||
#!/bin/bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
cd $(git rev-parse --show-toplevel)
|
cd "$(git rev-parse --show-toplevel)"
|
||||||
|
|
||||||
for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do
|
for host in $(nix eval --apply 'attrs: builtins.concatStringsSep "\n" (builtins.filter (name: (builtins.substring 0 1 name) != "_") (builtins.attrNames attrs))' --raw .#clerie.hosts); do
|
||||||
echo $host
|
echo "$host"
|
||||||
ssh-keyscan -t ed25519 ${host}.net.clerie.de 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > hosts/${host}/ssh.pub
|
ssh-keyscan -t ed25519 "${host}.net.clerie.de" 2>/dev/null | sed -E 's/(\S+) (.+)/\2/g' > "hosts/${host}/ssh.pub"
|
||||||
done
|
done
|
@ -1,10 +1,12 @@
|
|||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
|
|
||||||
pkgs.writeShellApplication {
|
pkgs.writeShellApplication {
|
||||||
name = "nixfiles-updated-inputs.sh";
|
name = "nixfiles-updated-inputs";
|
||||||
text = builtins.readFile ./nixfiles-updated-inputs.sh;
|
text = builtins.readFile ./nixfiles-updated-inputs.sh;
|
||||||
runtimeInputs = [
|
runtimeInputs = with pkgs; [
|
||||||
pkgs.git
|
git
|
||||||
|
nix
|
||||||
|
openssh
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
@ -4,10 +4,15 @@ set -euo pipefail
|
|||||||
|
|
||||||
NOW="$(date --utc --iso-8601=minutes)"
|
NOW="$(date --utc --iso-8601=minutes)"
|
||||||
|
|
||||||
git fetch origin master
|
git status || git clone gitea@git.clerie.de:clerie/nixfiles.git .
|
||||||
|
echo "[!] Download changes"
|
||||||
|
git fetch --all
|
||||||
git checkout updated-inputs
|
git checkout updated-inputs
|
||||||
git merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
|
git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" merge -s ort -X theirs origin/master -m "Update from master ${NOW}"
|
||||||
|
echo "[!] Update inputs"
|
||||||
nix flake update
|
nix flake update
|
||||||
|
echo "[!] Commit changes"
|
||||||
git add flake.lock
|
git add flake.lock
|
||||||
git commit -m "Flake update ${NOW}" || true
|
git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}" || true
|
||||||
|
echo "[!] Publish"
|
||||||
git push origin updated-inputs
|
git push origin updated-inputs
|
||||||
|
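Review bot: `git commit ... || true` on the commit line discards every failure, not only the "nothing to commit" case it is meant for, so a rejected hook or a broken index still falls through to `git push`; testing the index instead keeps `set -e` meaningful: `git diff --cached --quiet || git -c "user.name=Flake Update Bot" -c "user.email=flake-update-bot@clerie.de" commit -m "Flake update ${NOW}"`. The `git status || git clone ... .` guard is looser than it looks, since `git status` succeeds in any directory that lies inside some work tree; `[ -d .git ] || git clone gitea@git.clerie.de:clerie/nixfiles.git .` checks what is actually meant. Be aware that `nix flake update` records whatever the inputs' upstreams serve at 03:03 and the result is pushed without review; that is only acceptable if nothing deploys `updated-inputs` before a human merges it, which this hunk cannot show. The script's preamble (`set -euo pipefail`) lies before this hunk.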
@ -2,7 +2,10 @@ self: super: {
|
|||||||
anycast_healthchecker = self.python3.pkgs.callPackage ./anycast_healthchecker {};
|
anycast_healthchecker = self.python3.pkgs.callPackage ./anycast_healthchecker {};
|
||||||
flask-excel = self.python3.pkgs.callPackage ./flask-excel {};
|
flask-excel = self.python3.pkgs.callPackage ./flask-excel {};
|
||||||
iot-data = self.python3.pkgs.callPackage ./iot-data {};
|
iot-data = self.python3.pkgs.callPackage ./iot-data {};
|
||||||
nixfiles-updated-inputs = self.callPackage ./nixfiles {};
|
nixfiles-add-secret = self.callPackage ./nixfiles/nixfiles-add-secret.nix {};
|
||||||
|
nixfiles-generate-backup-secrets = self.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
|
||||||
|
nixfiles-updated-inputs = self.callPackage ./nixfiles/nixfiles-updated-inputs.nix {};
|
||||||
|
nixfiles-update-ssh-host-keys = self.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
|
||||||
pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
|
pyexcel-xlsx = self.python3.pkgs.callPackage ./pyexcel-xlsx {};
|
||||||
pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
|
pyexcel-webio = self.python3.pkgs.callPackage ./pyexcel-webio {};
|
||||||
uptimestatus = self.python3.pkgs.callPackage ./uptimestatus {};
|
uptimestatus = self.python3.pkgs.callPackage ./uptimestatus {};
|
||||||
|