From a6ac329a69667abb530d75a1e8ed05a02e727814 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Sun, 22 Sep 2024 16:31:40 +0800
Subject: [PATCH] infra: add installer
---
 flake.nix | 1 +
 hosts/vultr/sin0/anti-feature.nix | 8 ++----
 infra/.gitignore | 1 +
 infra/justfile | 45 +++++++++++++++++++++++++++++++
 infra/vultr.tf | 3 ++-
 treefmt.nix | 4 +++
 6 files changed, 55 insertions(+), 7 deletions(-)
 create mode 100644 infra/justfile
diff --git a/flake.nix b/flake.nix
index 234c903..5219d60 100644
--- a/flake.nix
+++ b/flake.nix
@@ -126,6 +126,7 @@
 ]
 ))
 colmena
+ just
 sops
 ];
 };
diff --git a/hosts/vultr/sin0/anti-feature.nix b/hosts/vultr/sin0/anti-feature.nix
index 390a2d7..7d0b179 100644
--- a/hosts/vultr/sin0/anti-feature.nix
+++ b/hosts/vultr/sin0/anti-feature.nix
@@ -2,15 +2,11 @@
 {
 nixpkgs.config = {
 allowNonSource = false;
- allowNonSourcePredicate =
- pkg:
- lib.elem (lib.getName pkg) [
- ];
+ allowNonSourcePredicate = pkg: lib.elem (lib.getName pkg) [ ];
 allowUnfree = false;
 allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
- permittedInsecurePackages = [
- ];
+ permittedInsecurePackages = [ ];
 };
 }
diff --git a/infra/.gitignore b/infra/.gitignore
index 30700b4..255b673 100644
--- a/infra/.gitignore
+++ b/infra/.gitignore
@@ -1,3 +1,4 @@
 /.terraform
 /terraform.tfstate.*
 /.terraform.lock.hcl
+/output
diff --git a/infra/justfile b/infra/justfile
new file mode 100644
index 0000000..46f7a9b
--- /dev/null
+++ b/infra/justfile
@@ -0,0 +1,45 @@
+[private]
+@default:
+ just --list
+
+[private]
+nix-build NAME ATTR:
+ nix build ..#nixosConfigurations.{{ NAME }}.config.system.build.{{ ATTR }} --out-link ./output/{{ ATTR }}
+
+[private]
+nix-copy HOST ATTR:
+ nix copy --substitute-on-destination --no-check-sigs --to 'ssh-ng://{{ HOST }}' ./output/{{ ATTR }}
+
+# partition disk using disko
+disko NAME HOST:
+ @just nix-build {{ NAME }} diskoScript
+ @just nix-copy {{ HOST }} diskoScript
+ ssh {{ HOST }} $(realpath ./output/diskoScript)
+
+# generate ssh keys
+ssh-keygen _NAME HOST:
+ ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/etc/ssh
+ ssh {{ HOST }} ssh-keygen -t "rsa" -b 4096 -f "/mnt/persist/etc/ssh/ssh_host_rsa_key" -N \"\"
+ ssh {{ HOST }} ssh-keygen -t "ed25519" -f "/mnt/persist/etc/ssh/ssh_host_ed25519_key" -N \"\"
+ ssh {{ HOST }} cat /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub | nix run nixpkgs#ssh-to-age
+
+ # FIXME:
+ # https://askubuntu.com/questions/1110828/ssh-failed-to-start-missing-privilege-separation-directory-var-run-sshd
+ ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/var/run/sshd
+
+# build system configuration
+build NAME HOST:
+ @just nix-build {{ NAME }} toplevel
+ @just nix-copy {{ HOST }}?remote-store=local?root=/mnt toplevel
+
+# run nixos-install
+install _NAME HOST:
+ ssh {{ HOST }} nixos-install --root /mnt --system $(realpath ./output/toplevel) --no-channel-copy --no-root-passwd
+
+# reboot
+reboot _NAME HOST:
+ ssh {{ HOST }} reboot
+
+# cleanup files
+cleanup _NAME HOST:
+ rm -r ./output
diff --git a/infra/vultr.tf b/infra/vultr.tf
index 1900787..b3560f6 100644
--- a/infra/vultr.tf
+++ b/infra/vultr.tf
@@ -8,13 +8,14 @@ locals { } } +# https://github.com/NickCao/netboot resource "vultr_startup_script" "script" { name = "nixos" type = "pxe" script = base64encode(<
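Review bot: The `ssh-keygen` recipe is not idempotent: run a second time against a host that already has keys under /mnt/persist/etc/ssh, `ssh-keygen -f` will prompt to overwrite, and since `ssh {{ HOST }}` allocates no tty that prompt presumably blocks on the caller's stdin, while answering it silently rotates the host identity and invalidates every known_hosts entry plus the age recipient that `ssh-to-age` derived for sops. Guarding each generation line keeps existing keys intact: `ssh {{ HOST }} '[ -e /mnt/persist/etc/ssh/ssh_host_ed25519_key ] || ssh-keygen -t ed25519 -f /mnt/persist/etc/ssh/ssh_host_ed25519_key -N ""'`, and the same shape for the rsa key. The `nix-copy` recipe would also benefit from a comment explaining the `--no-check-sigs` choice, e.g. `# paths come straight from the local store we just built, so the remote skips signature checks; the ssh user must be a trusted user on HOST`. Likewise the `disko` recipe repartitions the target without any confirmation, so a `# DESTRUCTIVE: wipes and repartitions the disks of HOST` line above it seems warranted.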