infra: add installer

2024-09-22 16:31:40 +08:00 · 2024-09-22 16:31:40 +08:00 · a6ac329a69
commit a6ac329a69
parent d784867779
6 changed files with 55 additions and 7 deletions
--- a/flake.nix
+++ b/flake.nix
@ -126,6 +126,7 @@
              ]
            ))
            colmena
+            just
            sops
          ];
        };
--- a/hosts/vultr/sin0/anti-feature.nix
+++ b/hosts/vultr/sin0/anti-feature.nix
@ -2,15 +2,11 @@
 {
  nixpkgs.config = {
    allowNonSource = false;
-    allowNonSourcePredicate =
-      pkg:
-      lib.elem (lib.getName pkg) [
-      ];
+    allowNonSourcePredicate = pkg: lib.elem (lib.getName pkg) [ ];

    allowUnfree = false;
    allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];

-    permittedInsecurePackages = [
-    ];
+    permittedInsecurePackages = [ ];
  };
 }
--- a/infra/.gitignore
+++ b/infra/.gitignore
@ -1,3 +1,4 @@
 /.terraform
 /terraform.tfstate.*
 /.terraform.lock.hcl
+/output
--- a/infra/justfile
+++ b/infra/justfile
@ -0,0 +1,45 @@
+[private]
+@default:
+    just --list
+
+[private]
+nix-build NAME ATTR:
+    nix build ..#nixosConfigurations.{{ NAME }}.config.system.build.{{ ATTR }} --out-link ./output/{{ ATTR }}
+
+[private]
+nix-copy HOST ATTR:
+    nix copy --substitute-on-destination --no-check-sigs --to 'ssh-ng://{{ HOST }}' ./output/{{ ATTR }}
+
+# partition disk using disko
+disko NAME HOST:
+    @just nix-build {{ NAME }} diskoScript
+    @just nix-copy {{ HOST }} diskoScript
+    ssh {{ HOST }} $(realpath ./output/diskoScript)
+
+# generate ssh keys
+ssh-keygen _NAME HOST:
+    ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/etc/ssh
+    ssh {{ HOST }} ssh-keygen -t "rsa" -b 4096 -f "/mnt/persist/etc/ssh/ssh_host_rsa_key" -N \"\"
+    ssh {{ HOST }} ssh-keygen -t "ed25519" -f "/mnt/persist/etc/ssh/ssh_host_ed25519_key" -N \"\"
+    ssh {{ HOST }} cat /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub | nix run nixpkgs#ssh-to-age
+
+    # FIXME:
+    # https://askubuntu.com/questions/1110828/ssh-failed-to-start-missing-privilege-separation-directory-var-run-sshd
+    ssh {{ HOST }} mkdir -m 0755 -p /mnt/persist/var/run/sshd
+
+# build system configuration
+build NAME HOST:
+    @just nix-build {{ NAME }} toplevel
+    @just nix-copy {{ HOST }}?remote-store=local?root=/mnt toplevel
+
+# run nixos-install
+install _NAME HOST:
+    ssh {{ HOST }} nixos-install --root /mnt --system $(realpath ./output/toplevel) --no-channel-copy --no-root-passwd
+
+# reboot
+reboot _NAME HOST:
+    ssh {{ HOST }} reboot
+
+# cleanup files
+cleanup _NAME HOST:
+    rm -r ./output
--- a/infra/vultr.tf
+++ b/infra/vultr.tf
@ -8,13 +8,14 @@ locals {
  }
 }

+# https://github.com/NickCao/netboot
 resource "vultr_startup_script" "script" {
  name = "nixos"
  type = "pxe"
  script = base64encode(<<EOT
 #!ipxe
 set cmdline sshkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/"
-chain https://github.com/NickCao/netboot/releases/download/latest/ipxe
+chain http://nixos.icu
 EOT
  )
 }
--- a/treefmt.nix
+++ b/treefmt.nix
@ -3,6 +3,7 @@

  programs = {
    deadnix.enable = true;
+    just.enable = true;
    nixfmt.enable = true;
    prettier.enable = true;
    statix.enable = true;
@ -11,8 +12,11 @@

  settings.formatter.nixfmt.options = [ "--strict" ];

+  settings.formatter.just.includes = [ "infra/justfile" ];
+
  settings.formatter.prettier.excludes = [
    "**/secrets.yaml"
    "infra/data.json"
+    "secrets.yaml"
  ];
 }