infra: add installer
This commit is contained in:
parent
d784867779
commit
a6ac329a69
6 changed files with 55 additions and 7 deletions
|
@ -126,6 +126,7 @@
|
||||||
]
|
]
|
||||||
))
|
))
|
||||||
colmena
|
colmena
|
||||||
|
just
|
||||||
sops
|
sops
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -2,15 +2,11 @@
|
||||||
{
|
{
|
||||||
nixpkgs.config = {
|
nixpkgs.config = {
|
||||||
allowNonSource = false;
|
allowNonSource = false;
|
||||||
allowNonSourcePredicate =
|
allowNonSourcePredicate = pkg: lib.elem (lib.getName pkg) [ ];
|
||||||
pkg:
|
|
||||||
lib.elem (lib.getName pkg) [
|
|
||||||
];
|
|
||||||
|
|
||||||
allowUnfree = false;
|
allowUnfree = false;
|
||||||
allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
|
allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
|
||||||
|
|
||||||
permittedInsecurePackages = [
|
permittedInsecurePackages = [ ];
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
1
infra/.gitignore
vendored
1
infra/.gitignore
vendored
|
@ -1,3 +1,4 @@
|
||||||
/.terraform
|
/.terraform
|
||||||
/terraform.tfstate.*
|
/terraform.tfstate.*
|
||||||
/.terraform.lock.hcl
|
/.terraform.lock.hcl
|
||||||
|
/output
|
||||||
|
|
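--- /dev/null
+++ b/infra/justfile
@@ -0,0 +1,45 @@
+[private]
+@default:
+just --list
+
+[private]
+nix-build NAME ATTR:
+nix build ..#nixosConfigurations.{{ NAME }}.config.system.build.{{ ATTR }} --out-link ./output/{{ ATTR }}
+
+[private]
+nix-copy HOST ATTR:
+nix copy --substitute-on-destination --no-check-sigs --to 'ssh-ng://{{ HOST }}' ./output/{{ ATTR }}
+
+# partition disk using disko
+disko NAME HOST:
+@just nix-build {{ NAME }} diskoScript
+@just nix-copy {{ HOST }} diskoScript
+ssh {{ HOST }} $(realpath ./output/diskoScript)
+
+# generate ssh keys
+ssh-keygen _NAME HOST:
+ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/etc/ssh
+ssh {{ HOST }} ssh-keygen -t "rsa" -b 4096 -f "/mnt/persist/etc/ssh/ssh_host_rsa_key" -N \"\"
+ssh {{ HOST }} ssh-keygen -t "ed25519" -f "/mnt/persist/etc/ssh/ssh_host_ed25519_key" -N \"\"
+ssh {{ HOST }} cat /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub | nix run nixpkgs#ssh-to-age
+
+# FIXME:
+# https://askubuntu.com/questions/1110828/ssh-failed-to-start-missing-privilege-separation-directory-var-run-sshd
+ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/var/run/sshd
+
+# build system configuration
+build NAME HOST:
+@just nix-build {{ NAME }} toplevel
+@just nix-copy {{ HOST }}?remote-store=local?root=/mnt toplevel
+
+# run nixos-install
+install _NAME HOST:
+ssh {{ HOST }} nixos-install --root /mnt --system $(realpath ./output/toplevel) --no-channel-copy --no-root-passwd
+
+# reboot
+reboot _NAME HOST:
+ssh {{ HOST }} reboot
+
+# cleanup files
+cleanup _NAME HOST:
+rm -r ./output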
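Review bot: `nix copy --no-check-sigs` in the private `nix-copy` recipe (used by both `disko` and `build`) makes the destination accept unsigned store paths, so the only integrity check on the disko script and the whole system closure is the ssh session itself, yet every `ssh {{ HOST }}` here runs with no known_hosts file or fingerprint against what is presumably a freshly netbooted installer with newly generated host keys, i.e. trust-on-first-use. Consider threading a pinned known_hosts through the recipes (e.g. an `SSH_OPTS` variable with `-o UserKnownHostsFile=./output/known_hosts -o StrictHostKeyChecking=yes`, populated from a fingerprint read off the provider console, and exported as `NIX_SSHOPTS` for `nix copy`), and annotate the copy line with `# closure is built locally and unsigned; integrity relies entirely on the verified ssh channel`. Separately, `nix run nixpkgs#ssh-to-age` resolves `nixpkgs` through the user's flake registry rather than this repository's lock, so the tool that derives the sops recipient from the new host key is unpinned; `nix run --inputs-from .. nixpkgs#ssh-to-age` ties it to the locked input.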
@ -8,13 +8,14 @@ locals {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# https://github.com/NickCao/netboot
|
||||||
resource "vultr_startup_script" "script" {
|
resource "vultr_startup_script" "script" {
|
||||||
name = "nixos"
|
name = "nixos"
|
||||||
type = "pxe"
|
type = "pxe"
|
||||||
script = base64encode(<<EOT
|
script = base64encode(<<EOT
|
||||||
#!ipxe
|
#!ipxe
|
||||||
set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/"
|
set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/"
|
||||||
chain https://github.com/NickCao/netboot/releases/download/latest/ipxe
|
chain http://nixos.icu
|
||||||
EOT
|
EOT
|
||||||
)
|
)
|
||||||
}
|
}
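Review bot: The new `chain http://nixos.icu` line fetches the installer's next-stage boot image over plain HTTP, replacing the previous HTTPS GitHub URL; anything on the path between the Vultr instance and that host can substitute its own kernel and initrd, which then boots with the `sshkey=` from the cmdline and receives the host keys and system closure that the justfile later pushes over ssh. If nixos.icu serves TLS and this iPXE build supports it (the old `https://` line suggests it does), `chain https://nixos.icu` restores transport integrity; otherwise pin the fetched image with iPXE's `imgverify` against a detached signature, or at least document the downgrade next to the line, e.g. `# NOTE: fetched over http; verify the installer's ssh host key fingerprint out of band before trusting it`. The `sshkey=` value itself is a public key, so its exposure is not the concern — the unauthenticated boot image is.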
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
deadnix.enable = true;
|
deadnix.enable = true;
|
||||||
|
just.enable = true;
|
||||||
nixfmt.enable = true;
|
nixfmt.enable = true;
|
||||||
prettier.enable = true;
|
prettier.enable = true;
|
||||||
statix.enable = true;
|
statix.enable = true;
|
||||||
|
@ -11,8 +12,11 @@
|
||||||
|
|
||||||
settings.formatter.nixfmt.options = [ "--strict" ];
|
settings.formatter.nixfmt.options = [ "--strict" ];
|
||||||
|
|
||||||
|
settings.formatter.just.includes = [ "infra/justfile" ];
|
||||||
|
|
||||||
settings.formatter.prettier.excludes = [
|
settings.formatter.prettier.excludes = [
|
||||||
"**/secrets.yaml"
|
"**/secrets.yaml"
|
||||||
"infra/data.json"
|
"infra/data.json"
|
||||||
|
"secrets.yaml"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|