From bff6acc5b58eec5265182dce7b905d5a5b98976a Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sun, 6 Jun 2021 21:25:39 +0200
Subject: rebuild-machines: major cleanup

---
 system-profiles/rebuild-machines/default.nix       | 119 ++++++++++++++-------
 .../rebuild-machines/rebuild-machine.zsh           |   7 +-
 .../ssh-pub/git.yggdrasil.li-ed25519.pub           |   1 +
 .../ssh-pub/git.yggdrasil.li-rsa.pub               |   1 +
 4 files changed, 88 insertions(+), 40 deletions(-)
 create mode 100644 system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub
 create mode 100644 system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub

(limited to 'system-profiles/rebuild-machines')

diff --git a/system-profiles/rebuild-machines/default.nix b/system-profiles/rebuild-machines/default.nix
index 53bba06b..e2a15aae 100644
--- a/system-profiles/rebuild-machines/default.nix
+++ b/system-profiles/rebuild-machines/default.nix
@@ -1,5 +1,21 @@
-{ pkgs, hostName, ... }:
+{ config, pkgs, hostName, lib, ... }:
+
+with lib;
+
 let
+  cfg = config.system.rebuild-machine;
+
+  sshConfig = pkgs.writeText "config" ''
+    UserKnownHostsFile ${knownHostsFile}
+
+    Host ${cfg.repoHost}
+      User ${cfg.repoUser}
+      IdentityFile ${if isNull cfg.sopsConfig then cfg.repoPrivkey else config.sops.secrets."${cfg.sopsName}".path}
+      IdentitiesOnly yes
+  '';
+
+  knownHostsFile = pkgs.writeText "known_hosts" (concatMapStringsSep "\n" (kPath: cfg.repoHost + " " + readFile kPath) (attrValues cfg.repoPubkeys));
+  
   rebuildScript = pkgs.stdenv.mkDerivation {
     name = "rebuild-${hostName}";
 
@@ -9,8 +25,11 @@ let
 
     phases = [ "buildPhase" "installPhase" ];
 
-    inherit (pkgs) zsh;
-    inherit hostName;
+    inherit (pkgs) zsh coreutils openssh;
+    inherit (cfg) flake scriptName;
+    nixosRebuild = config.system.build.nixos-rebuild;
+    inherit (config.security) wrapperDir;
+    inherit sshConfig;
 
     buildPhase = ''
       substituteAll $src rebuild-machine.zsh
@@ -18,49 +37,75 @@ let
 
     installPhase = ''
       mkdir -p $out/bin
-      install -m 0755 rebuild-machine.zsh $out/bin/rebuild-${hostName}
+      install -m 0755 rebuild-machine.zsh $out/bin/${cfg.scriptName}
     '';
   };
 in {
-  home-manager.users."root" = {
-    programs.ssh = {
-      enable = true;
-      matchBlocks = {
-        "machines" = {
-          hostname = "git.yggdrasil.li";
-          user = "gitolite";
-          identityFile = "/root/.ssh/machines";
-        };
+  options = {
+    system.rebuild-machine = {
+      scriptName = mkOption {
+        type = types.str;
+        default = "rebuild-${hostName}";
+        description = ''
+          Name of the script wrapping <literal>nixos-rebuild</literal>
+        '';
+      };
+      
+      flake = mkOption {
+        type = types.nullOr types.str;
+        default = "git+ssh://${cfg.repoHost}/nixos?ref=flakes#${hostName}";
+        description = ''
+          The Flake URI of the NixOS configuration to build.
+        '';
       };
-    };
-  };
 
-  sops.secrets = {
-    rebuild-machines = {
-      path = "/root/.ssh/machines";
-      sopsFile = ./ssh + "/${hostName}/private";
-      format = "binary";
-    };
-  };
+      repoHost = mkOption {
+        type = types.str;
+        default = "git.yggdrasil.li";
+      };
+      
+      repoUser = mkOption {
+        type = types.str;
+        default = "gitolite";
+      };
 
-  system.activationScripts.rebuild-machines-publickey = ''
-    install -m 0644 ${./ssh + "/${hostName}/public"} /root/.ssh/machines.pub
-  '';
+      repoPubkeys = mkOption {
+        type = types.attrsOf types.path;
+        default = genAttrs ["rsa" "ed25519"] (kType: ./ssh-pub + "/${cfg.repoHost}-${kType}.pub");
+      };
 
-  environment.systemPackages = [ rebuildScript ];
+      repoPrivkey = mkOption {
+        type = types.path;
+        default = ./ssh + "/${hostName}/private";
+      };
 
-  services.openssh.knownHosts = {
-    rsa = {
-      hostNames = [ "git.yggdrasil.li" ];
-      publicKey = ''
-        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
-      '';
+      sopsName = mkOption {
+        type = types.nullOr types.str;
+        default = "rebuild-machines";
+      };
+
+      sopsConfig = mkOption {
+        type = types.nullOr types.attrs;
+        default = {
+          format = "binary";
+        };
+      };
     };
-    ed25519 = {
-      hostNames = [ "git.yggdrasil.li" ];
-      publicKey = ''
-        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
-      '';
+  };
+  
+  config = {
+    assertions = [
+      { assertion = isNull cfg.sopsConfig || (!(isNull cfg.sopsName));
+        message = "If option sopsConfig is not null option sopsName may not be null";
+      }
+    ];
+    
+    sops.secrets = lib.mkIf (!(isNull cfg.sopsConfig)) {
+      "${cfg.sopsName}" = {
+        sopsFile = cfg.repoPrivkey;
+      } // cfg.sopsConfig;
     };
+
+    environment.systemPackages = [ rebuildScript ];
   };
 }
diff --git a/system-profiles/rebuild-machines/rebuild-machine.zsh b/system-profiles/rebuild-machines/rebuild-machine.zsh
index 59df8999..e9e1655f 100644
--- a/system-profiles/rebuild-machines/rebuild-machine.zsh
+++ b/system-profiles/rebuild-machines/rebuild-machine.zsh
@@ -1,7 +1,8 @@
 #!@zsh@/bin/zsh -e
 
-if [[ $(whoami) != "root" ]]; then
-    exec sudo -H -- $0 $@
+if [[ $(@coreutils@/bin/whoami) != "root" ]]; then
+    exec @wrapperDir@/sudo -H -- @out@/bin/@scriptName@ $@
 fi
 
-exec -- nixos-rebuild --refresh --flake 'git+ssh://machines/nixos?ref=flakes#@hostName@' ${@:-switch}
+export NIX_SSHOPTS="-F @sshConfig@" GIT_SSH_COMMAND="@openssh@/bin/ssh -F @sshConfig@"
+exec -- @nixosRebuild@/bin/nixos-rebuild --refresh --flake '@flake@' ${@:-switch}
diff --git a/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub
new file mode 100644
index 00000000..aaf4b012
--- /dev/null
+++ b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
diff --git a/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub
new file mode 100644
index 00000000..7748d3a1
--- /dev/null
+++ b/system-profiles/rebuild-machines/ssh-pub/git.yggdrasil.li-rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
-- 
cgit v1.2.3