authorGregor Kleen <gkleen@yggdrasil.li>2021-05-15 20:00:21 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2021-05-15 20:00:21 +0200
commit76daf3ac0aa3399d7fcfbadc35c14ed2d0bbe952 (patch)
tree2ebed0a431186d2bdad9fd79c6b9b6410de405b2 /system-profiles/rebuild-machines
parent4ab2a5cb512cfdda47e67ed54a8f1f283c32999b (diff)
rebuild-machines
Diffstat (limited to 'system-profiles/rebuild-machines')
-rw-r--r--system-profiles/rebuild-machines/default.nix66
-rw-r--r--system-profiles/rebuild-machines/rebuild-machine.zsh9
-rw-r--r--system-profiles/rebuild-machines/ssh/surtr/private26
-rw-r--r--system-profiles/rebuild-machines/ssh/surtr/public1
4 files changed, 102 insertions, 0 deletions
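--- /dev/null
+++ b/system-profiles/rebuild-machines/default.nix
@@ -0,0 +1,66 @@
+{ pkgs, hostName, ... }:
+let
+ rebuildScript = pkgs.stdenv.mkDerivation {
+ name = "rebuild-${hostName}";
+
+ src = ./rebuild-machine.zsh;
+
+ buildInputs = with pkgs; [ makeWrapper ];
+
+ phases = [ "buildPhase" "installPhase" ];
+
+ inherit (pkgs) zsh;
+ inherit hostName;
+
+ buildPhase = ''
+ substituteAll $src rebuild-machine.zsh
+ '';
+
+ installPhase = ''
+ mkdir -p $out/bin
+ install -m 0755 rebuild-machine.zsh $out/bin/rebuild-${hostName}
+ '';
+ };
+in {
+ home-manager.users."root" = {
+ programs.ssh = {
+ enable = true;
+ matchBlocks = {
+ "machines" = {
+ hostname = "git.yggdrasil.li";
+ user = "gitolite";
+ identityFile = "/root/.ssh/machines";
+ };
+ };
+ };
+ };
+
+ sops.secrets = {
+ rebuild-machines = {
+ path = "/root/.ssh/machines";
+ sopsFile = ./ssh + "/${hostName}/private";
+ format = "binary";
+ };
+ };
+
+ system.activationScripts.rebuild-machines-publickey = ''
+ install -m 0644 ${./ssh + "/${hostName}/public"} /root/.ssh/machines.pub
+ '';
+
+ environment.systemPackages = [ rebuildScript ];
+
+ services.openssh.knownHosts = {
+ rsa = {
+ hostNames = [ "git.yggdrasil.li" ];
+ publicKey = ''
+ ssh-rsa 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
+ '';
+ };
+ ed25519 = {
+ hostNames = [ "git.yggdrasil.li" ];
+ publicKey = ''
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
+ '';
+ };
+ };
+}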
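Review bot: The activation script line `install -m 0644 ${./ssh + "/${hostName}/public"} /root/.ssh/machines.pub` assumes /root/.ssh already exists; `install` without `-D` does not create parent directories, so on a fresh host this fails unless some other activation step (presumably sops-nix placing /root/.ssh/machines, whose ordering relative to this script is not fixed here) has created it first. Use `install -D -m 0644 ${./ssh + "/${hostName}/public"} /root/.ssh/machines.pub`, or order this script after the secret installation through its `deps` attribute. Separately, `buildInputs = with pkgs; [ makeWrapper ];` appears unused — the build phase only calls `substituteAll`, which stdenv already provides — and can be dropped. Pinning both the RSA and ed25519 host keys of git.yggdrasil.li under `services.openssh.knownHosts` is the right call for an identity root uses non-interactively; a one-line comment naming where those keys were obtained would let a later rotation be verified against something.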
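--- /dev/null
+++ b/system-profiles/rebuild-machines/rebuild-machine.zsh
@@ -0,0 +1,9 @@
+#!@zsh@/bin/zsh
+
+set -o errexit
+
+if [[ $(whoami) != "root" ]]; then
+ exec sudo -H -- $0 $@
+fi
+
+exec nixos-rebuild --refresh --flake 'git+ssh://machines/nixos?ref=flakes#@hostName@' ${@:-switch}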
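Review bot: The re-exec line `exec sudo -H -- $0 $@` should quote both expansions, `exec sudo -H -- "$0" "$@"`; in zsh an unquoted `$@` silently drops empty arguments, and quoting `$0` keeps the invocation intact if `SH_WORD_SPLIT` is ever enabled or the path contains unusual characters. The default on the last line, `${@:-switch}`, only applies when no arguments at all are given, so a call that passes only flags (for example `--show-trace`) hands nixos-rebuild no action; if that usage is expected, the action and the extra flags need to be handled separately. A short header comment stating that the script escalates to root via sudo and then rebuilds this host from the `machines` SSH alias, with `@hostName@` substituted at build time, would help the next reader.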
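--- /dev/null
+++ b/system-profiles/rebuild-machines/ssh/surtr/private
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:IwcMztAFDpOE23dYEzjJiv6qhk9E0/Qb/xgwbtt9xt0=,tag:qYMBaoUtkUDR1taehr7Y/g==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2021-05-15T17:58:53Z",
+ "mac": "ENC[AES256_GCM,data:N/CM/+4b02tRBFqFioX/FRPPj4bG3QGltIg7KZk7BYrl+5rJ/6QKL1g+CqsLTteRAbHiluBNFMT/dUBSmiQ+So95sUTc+rICRNKmxCX5GFxw3Kr5/y4r9W/sw/NOSXQD4+dctkhKmzg9NFR+T4pLM8W4KErtV384Wy3ccAW/g8g=,iv:Rr4rDloQRRsLTErUNbB1OIKbi5qyh2gU1y55sU7ecTY=,tag:sYHPOKcAWNfjz26X+w4r3g==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2021-05-15T17:58:52Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAJOYE8FC5GREn7xoQfuSMvow0GwajGfi4bw+FEydrDhAw\n+F8ryseAyQPgVouzlO2aItBy20dYYNs6zkcfnuZemDdBSpQQmahtXBs5Dt3wGhvg\n0l4BPJeJ3cpuLDQMFnNfTOLJRdoR0kvxVHJBBYJ+Jn4ArPrpiMReJvyLl7i83wDb\nsb+WCcu83IFLM/oInb22cto3shATTLgr30hq65+RwAXlGBNmoAT0HH9MDsgq+VQw\n=nsV9\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ },
+ {
+ "created_at": "2021-05-15T17:58:52Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA12ftTan1dZSX50t5H1/LdTse+nhePZS6RxqV7WcRi04w\nyiqJt+C6AFBZl4esCqHQjpPnmkb5pvI2/P9e8bvK8uszIF35KC+r55LAaB2RXkr2\n0l4BX0fPwE6XNtiBn2hQo7KYnci6s25itij+uppRyu6Cnc3Hi4Emro4MFBBJlot8\no773ulk8jmOeR2k9fLDSMQ0EO+3zZbm7zz/fK46SyFzBIAPvCx0fEpXi0ZdLES2k\n=rULf\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file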
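--- /dev/null
+++ b/system-profiles/rebuild-machines/ssh/surtr/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HJRwdwtmIqx8HRK0AKIq+vSCHvGv98rOmraSGwnTL rebuild-machines@surtr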