infra: add installer

This commit is contained in:
Guanran Wang 2024-09-22 16:31:40 +08:00
parent d784867779
commit a6ac329a69
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
6 changed files with 55 additions and 7 deletions

View file

@ -126,6 +126,7 @@
] ]
)) ))
colmena colmena
just
sops sops
]; ];
}; };

View file

@ -2,15 +2,11 @@
{ {
nixpkgs.config = { nixpkgs.config = {
allowNonSource = false; allowNonSource = false;
allowNonSourcePredicate = allowNonSourcePredicate = pkg: lib.elem (lib.getName pkg) [ ];
pkg:
lib.elem (lib.getName pkg) [
];
allowUnfree = false; allowUnfree = false;
allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ]; allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
permittedInsecurePackages = [ permittedInsecurePackages = [ ];
];
}; };
} }

1
infra/.gitignore vendored
View file

@ -1,3 +1,4 @@
/.terraform /.terraform
/terraform.tfstate.* /terraform.tfstate.*
/.terraform.lock.hcl /.terraform.lock.hcl
/output

45
infra/justfile Normal file
View file

@ -0,0 +1,45 @@
[private]
@default:
just --list
[private]
nix-build NAME ATTR:
nix build ..#nixosConfigurations.{{ NAME }}.config.system.build.{{ ATTR }} --out-link ./output/{{ ATTR }}
[private]
nix-copy HOST ATTR:
nix copy --substitute-on-destination --no-check-sigs --to 'ssh-ng://{{ HOST }}' ./output/{{ ATTR }}
# partition disk using disko
disko NAME HOST:
@just nix-build {{ NAME }} diskoScript
@just nix-copy {{ HOST }} diskoScript
ssh {{ HOST }} $(realpath ./output/diskoScript)
# generate ssh keys
ssh-keygen _NAME HOST:
ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/etc/ssh
ssh {{ HOST }} ssh-keygen -t "rsa" -b 4096 -f "/mnt/persist/etc/ssh/ssh_host_rsa_key" -N \"\"
ssh {{ HOST }} ssh-keygen -t "ed25519" -f "/mnt/persist/etc/ssh/ssh_host_ed25519_key" -N \"\"
ssh {{ HOST }} cat /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub | nix run nixpkgs#ssh-to-age
# FIXME:
# https://askubuntu.com/questions/1110828/ssh-failed-to-start-missing-privilege-separation-directory-var-run-sshd
ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/var/run/sshd
# build system configuration
build NAME HOST:
@just nix-build {{ NAME }} toplevel
@just nix-copy {{ HOST }}?remote-store=local?root=/mnt toplevel
# run nixos-install
install _NAME HOST:
ssh {{ HOST }} nixos-install --root /mnt --system $(realpath ./output/toplevel) --no-channel-copy --no-root-passwd
# reboot
reboot _NAME HOST:
ssh {{ HOST }} reboot
# cleanup files
cleanup _NAME HOST:
rm -r ./output

View file

@ -8,13 +8,14 @@ locals {
} }
} }
# https://github.com/NickCao/netboot
resource "vultr_startup_script" "script" { resource "vultr_startup_script" "script" {
name = "nixos" name = "nixos"
type = "pxe" type = "pxe"
script = base64encode(<<EOT script = base64encode(<<EOT
#!ipxe #!ipxe
set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/" set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/"
chain https://github.com/NickCao/netboot/releases/download/latest/ipxe chain http://nixos.icu
EOT EOT
) )
} }

View file

@ -3,6 +3,7 @@
programs = { programs = {
deadnix.enable = true; deadnix.enable = true;
just.enable = true;
nixfmt.enable = true; nixfmt.enable = true;
prettier.enable = true; prettier.enable = true;
statix.enable = true; statix.enable = true;
@ -11,8 +12,11 @@
settings.formatter.nixfmt.options = [ "--strict" ]; settings.formatter.nixfmt.options = [ "--strict" ];
settings.formatter.just.includes = [ "infra/justfile" ];
settings.formatter.prettier.excludes = [ settings.formatter.prettier.excludes = [
"**/secrets.yaml" "**/secrets.yaml"
"infra/data.json" "infra/data.json"
"secrets.yaml"
]; ];
} }