Compare commits
6 Commits
reproducib
...
reproducib
| Author | SHA1 | Date | |
|---|---|---|---|
| 7bfffb32f4 | |||
| b792b738a9 | |||
| 8a2b948d11 | |||
| afd6444635 | |||
| b423efeaef | |||
|
3bc74a3e80 |
@@ -12,7 +12,7 @@ keys:
|
||||
- &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
|
||||
- &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
|
||||
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
|
||||
- &machine_fanny age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll
|
||||
- &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
|
||||
- &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
|
||||
#this dummy key is used for testing.
|
||||
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:7JromtbrVy9ecNzz+uprYJk43wgWypEeMRpN/Pk4BGxxyUATyQwDRC+EyEwFju44vDLBzzpjZ8/gJJl4CeHJJahc50/n44IR8TmCC1DoKCbZ0KnUkHWijDAnW2hIvabonWoGGBusPJOC99VJ4OFNHJkneg0lPmDU812LGw6tQU34LOLd5CowPdD82yNWfmHCDTAwJU26pmmCntfecBQilLyYEXq0UncqkUuIlKLOLdRXwbFGxqu/POZyKEo5Er3dycnT69yanHRcKAEFlmfJ1lxXvbBG4s2bGOzaEXxkI2GjkHuCx7lPfvWAgbX6pS6UQvn7b7JuAojOjNqsnpaO0DBDeD8IfPimHa16TKubO1wcXaJLFRmw196oPnoVZBkd/aZU4XifSPFWAlS47/nIpeP5MRxmvp1WzHoWWtNinmGxxjGnzOVkn4FdbGeB0Af8OtI2PUFY4ghH92ugOWxgFZucLeJ3AjPkzodr4W38ej1F2rE5QVJdKZltQHm7V64KLh0L9OQ3WjWNa1Bf06uhYtIGLCJj/p9M6C2M,iv:Qlpz/Req6OBwjy7WiPyvdARFydZhiUIbwphpRlxuUdk=,tag:ARhK3X2TvdlStlVeUwgsYQ==,type:str]",
|
||||
"data": "ENC[AES256_GCM,data:dsb1hdpeoH1Rc4Cz10cZMlAKL//GRUKQbTXvGuRcVqMtRVkmiVZonogj1FdpIFOY8m3zIuJKLpQp9i/RuWanRaThyOA4Mqo82N0MTkco0mwLfRhxqA2EbRv1dPgytVQvdNgSrnZI1FXtsQumPgO4KvifwaCG+Wu050NhPDC2Xt8i1U1TyMTkTigk2CKYaYgo+D9xSsA9ymjFUQgvnTn10t3di7cUJi3rBoEiZeOK/EAg1Y3h53AZ4p9SyG1kBflTvtE1NbIZNBYAiFkJNbIhT+Dw67Qv2Uso6oxL/I64IDOljMQz2874wZqpAL1w7W671KdlGtq0murjQ5Sg+g8RYseA1NVmTY7BCaGagNQuU6Ab0BSSdzIuDkH14BL1zGgprCqP0CE8WeWdUzCx5qud9emF24d+VvRKIiawTArSBe34VMnRq05OTKdmtwGZom7kbhD20c1/pwhytiJpzSE08iKy9cYGPGfirNJaxhT7z9XqSoECUg2XPI7Deh75PqoxM8pATLtOtOLp2cYSr2vSrqADMXzmR2M9ixEj,iv:RQH+e6ZADH2XMPqBeuHhMhHiksQg2iR4NUnYhD3pj7w=,tag:wJByTCrYf4cKxJaD2eTCMQ==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
@@ -11,8 +11,8 @@
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOS9jMmZoNWxrRTl6aVFu\nSW9oTTVkV3NiSGpDTDJNT3dmUWNmSURCYkZ3CnZJNFNEVTNWNEpvcS9NRjFTdExy\na0NNeTByblA3T0JFRXJacHlFTmRPcEEKLS0tIDJCa05LZHo2Rk9xek5Ec1hDODNQ\nOEs1Sk5YbTNHZGFtcmpqaDFKdzRpUVEKiUhTrGp4rXW3hHd8HueZ5v31CXpMACFT\nTq2OaVXUW7yTLFO2E405hQH2ZLS7KzkXeHmA4MZfbsq0ZkriXp956A==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-02-22T18:08:12Z",
|
||||
"mac": "ENC[AES256_GCM,data:cieSOz+0E1tFuRTgiIP9M84eV4bH5lgF4x2bwCGUTi3vG8FSlkk0+EVYjqDokLH7LnRysPO75YlZcuntvnUZYFVWPid/yjgCVR0qlfVbLx6ZUCW6GCNq5993Sa97mI6XjbiIO/yZE1lFqPhd+hev9koDqAGm/SbD9unqPzntBvM=,iv:+4xlcKGalNnR9PujjL54h2E3EnONXi+83g5bNAjFUSo=,tag:1O7lWZUPjPc6NtBqJ+nTxg==,type:str]",
|
||||
"lastmodified": "2025-02-25T16:42:28Z",
|
||||
"mac": "ENC[AES256_GCM,data:iJS4wLJwJZRUozNBUBxL8wYOneGI1Et3r9+DtIs3JrQLEKV16n2SeRP0jRFyCO7VNkxyjnjXJwe0/GVbxtQbVCuDFaCWVpj4xNiEH3wMeuydU96E2QgHaWJGvhyj5e/5o3GO85DeF2ueFCa9DQKtTIWH1xPfqJwtZC2PGH5Uqyo=,iv:/TpULYHxSgFfMQyv715jLVY37AhSY/qh1Zn00UN8oOw=,tag:XrOn8ZpgWFYtSjatXn8sxA==,type:str]",
|
||||
"pgp": [
|
||||
{
|
||||
"created_at": "2025-02-22T18:08:12Z",
|
||||
|
||||
@@ -1 +1 @@
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOywBnc5vmhjQbkFZhiL0BAigcMWVSusrwazxgGwXl6C kalipso@celine
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFRuQZweX3r9QQmAFo6oYY9zvrf9V3EIJOl6kFMgyLm kalipso@fanny-initrd
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{
|
||||
"data": "ENC[AES256_GCM,data:hbYmYjGE+qWLnxB5H2K0MMuvhfmNGawcQm4z42YDHIcO24ZW+PlsEDaTQOxS1gGHvz7AKyL8swVRuf1IQhv0dQLp9nh1+idl0aFgOiky7MS7plchcyu41iZZOq6ScYO8nlTtDyjIMsi5WCflJbF7K+GDAPS6V2jn04760EuXg8wz//+WVKBDNBb9JRbW7nZIUeoLYY8bPhz0/754KBUoxscmthTUrt2C9VQAUCP3D6m7ug828d2XOX/oqbgwfvNu2rEWAlsTZ6DX+wuQGKZFLzwSMvE7YaE/fjxIjaYAXrwciGrDYI9WZn/oEdTAodUAeY9fMWHTogH7mwYHKtSg6pAqEL5kM+5Ssr8wzuit7AmGtq7x8l4ExTCodg+Y47tA++Rhnvf+bJRRUEPY1kNHzECNepSK/anHzPX0iisUxxmBn8yiJlBtiAbF06nuW0/yW/dRE6wLR+Y84JqiDcYK2WKy5q7W+Miw7m3TwJge/mDeezSiNqzROl5gtT58hvGixuYie+M93wO9M7h7EvJWHkN+kl+kcANBcMzF,iv:giFXavSHQsKhN2mES4Ud/wleYLIIELcvH08pCp+vEHw=,tag:xGkXW+0dzci6koXkujCQpw==,type:str]",
|
||||
"data": "ENC[AES256_GCM,data:16SwZ4RZ89+TvwPVgEg+96PmNd63Oai1GnrRipLkxQmzfeAkQvs78emYUEVT/ouAnRFQRNagbhjA4nmfTTq1xGz1u8bacjk1ny1ckd2FmkEOQ7Ry181h8UE61rZP3c8yra2WCgOcsL22oUxUMhg6iswJqEKLImi3cmJ+hASPTc6L3vlZLcP3Vx6FEbDMGrVtfpHEliSicB/rkAOnjVHmxHmVRjx1AI7jfAjCoBGnLwI9X2XREGay9H8Kt36HIhlXA9dK+xkl6WdtkllHIHe3OYHqwd730g+1htMAWtHmyI/DPLLJG48pzITnKv3cQ3aaziUWJGa89WGnBuzxP8ZOagpnC1/wQi1WTR7d/4JYoslz06fCt1ouGT4ttDFh/YqbV0hcXqkASbUnnixicBaYeVrwvSkYvlbwToZ6L+Jc+eqQRrTKXxs5pIZ4qkvImDp85v3U1bDxXT+qhpK9hasmgBqgM9GYjgw8Um/imr9HqDp9ztRsij87mRW/l47vUhxRjrAWpv+J0OlptUIpRiLv,iv:7x+dTHtSbcc47X/ZGz/bcnOxkGDDBu33ZgNrOD1FwDA=,tag:B6s1Jt1KFCitya9oAKvp9w==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
@@ -11,8 +11,8 @@
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIYlgxeXQzNmtEZXZXNytp\nTnRTRi9nRHJ2bEdPVGhPMzdMY1lPOUpGckFFCkJkL3BVSWlIZ1dBVUliemFWNXl4\ndU9DamhTRUp0aGVwamhWUUZJd3dUREkKLS0tIFNkaGNzc1R5aGxxZWV2QytaRFIw\ndC81MDR5SUlESnNQRlhuR3doTWhYL28KMIMs9mPwVuFr5cEvO6goqf3zQALSO5BB\nrY0C8TfkHLvV57999U9kfyLO7Sm0R/RGS4IinQSCRQWEeR+qLxnEWQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2025-02-22T18:08:12Z",
|
||||
"mac": "ENC[AES256_GCM,data:+dXI8Hm1FDsB9bD2jli+YpWmcY9j85ezNnNYrQmCRNuPUp1EqAQ1PuXkgTabzImqq8N6f4DMUAnL9+kVM2Fr0SMk3O4N6DbMTIkIBh2jos543DUR4tcE+KCeU4+tqzghArODeRtOzV1jDW6sW89pUfGpSZ2JTRfz+QcybySWQXY=,iv:1jzlnQrUDoENp6+nlsxdDsdeeYg+J03KAm7lRw1bi64=,tag:3QvMHCGTZJdHv0r/eX/JQQ==,type:str]",
|
||||
"lastmodified": "2025-02-25T16:43:40Z",
|
||||
"mac": "ENC[AES256_GCM,data:dZJc0aqSD7dhe4Egih3z8QHIbwYDCGYU0DaOczkqHd/yMdcVNrNrcIR6yshArqCLl9jj5Zw3fIO75X09mvuvUCyszbjQyzSmTACp7K3skHuDRJ/yh5vaw6XNeJ3w26Dimfd0WfL1XC519DW532icrDiy2lCZ1qdcYwpqQUBKM/Q=,iv:4vx48jXxKLDOKfK6yYJWW28UaKl+EyqjeRAzV0WayEk=,tag:oO4cAVAv7N5aDAmK5V84mw==,type:str]",
|
||||
"pgp": [
|
||||
{
|
||||
"created_at": "2025-02-22T18:08:12Z",
|
||||
|
||||
@@ -1 +1 @@
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvdnpvwSD1EEStciMitKahPlysD4L95bcwOuY4wV/6I kalipso@celine
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqp2/YiiIhai7wyScGZJ20gtrzY+lp4N/8unyRs4qhc root@fanny
|
||||
|
||||
@@ -105,135 +105,135 @@ rec {
|
||||
inputsMod = inputs // { malobeo = self; };
|
||||
|
||||
|
||||
vmMicroVMOverwrites = hostname: options: {
|
||||
microvm = rec {
|
||||
mem = pkgs.lib.mkForce 4096;
|
||||
hypervisor = pkgs.lib.mkForce "qemu";
|
||||
socket = pkgs.lib.mkForce null;
|
||||
vmMicroVMOverwrites = hostname: options: {
|
||||
microvm = rec {
|
||||
mem = pkgs.lib.mkForce 4096;
|
||||
hypervisor = pkgs.lib.mkForce "qemu";
|
||||
socket = pkgs.lib.mkForce null;
|
||||
|
||||
|
||||
#needed for hosts that deploy imperative microvms (for example fanny)
|
||||
writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
|
||||
volumes = pkgs.lib.mkIf options.writableStore [ {
|
||||
image = "nix-store-overlay.img";
|
||||
mountPoint = writableStoreOverlay;
|
||||
size = 2048;
|
||||
} ];
|
||||
#needed for hosts that deploy imperative microvms (for example fanny)
|
||||
writableStoreOverlay = pkgs.lib.mkIf options.writableStore "/nix/.rw-store";
|
||||
volumes = pkgs.lib.mkIf options.writableStore [ {
|
||||
image = "nix-store-overlay.img";
|
||||
mountPoint = writableStoreOverlay;
|
||||
size = 2048;
|
||||
} ];
|
||||
|
||||
shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
|
||||
{
|
||||
tag = "ro-store";
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
}
|
||||
] ++ pkgs.lib.optionals (options.varPath != "") [
|
||||
{
|
||||
source = "${options.varPath}";
|
||||
securityModel = "mapped";
|
||||
mountPoint = "/var";
|
||||
tag = "var";
|
||||
}
|
||||
]);
|
||||
shares = pkgs.lib.mkForce (pkgs.lib.optionals (!options.writableStore) [
|
||||
{
|
||||
tag = "ro-store";
|
||||
source = "/nix/store";
|
||||
mountPoint = "/nix/.ro-store";
|
||||
}
|
||||
] ++ pkgs.lib.optionals (options.varPath != "") [
|
||||
{
|
||||
source = "${options.varPath}";
|
||||
securityModel = "mapped";
|
||||
mountPoint = "/var";
|
||||
tag = "var";
|
||||
}
|
||||
]);
|
||||
|
||||
interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
|
||||
type = "user";
|
||||
id = "eth0";
|
||||
mac = "02:23:de:ad:be:ef";
|
||||
}]);
|
||||
interfaces = pkgs.lib.mkIf (!options.withNetworking) (pkgs.lib.mkForce [{
|
||||
type = "user";
|
||||
id = "eth0";
|
||||
mac = "02:23:de:ad:be:ef";
|
||||
}]);
|
||||
|
||||
#if networking is disabled forward port 80 to still have access to webservices
|
||||
forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
|
||||
{ from = "host"; host.port = options.fwdPort; guest.port = 80; }
|
||||
]);
|
||||
#if networking is disabled forward port 80 to still have access to webservices
|
||||
forwardPorts = pkgs.lib.mkIf (!options.withNetworking && options.fwdPort != 0) (pkgs.lib.mkForce [
|
||||
{ from = "host"; host.port = options.fwdPort; guest.port = 80; }
|
||||
]);
|
||||
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
"/".fsType = pkgs.lib.mkForce "tmpfs";
|
||||
|
||||
# prometheus uses a memory mapped file which doesnt seem supported by 9p shares
|
||||
# therefore we mount a tmpfs inside the datadir
|
||||
"/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
|
||||
fsType = pkgs.lib.mkForce "tmpfs";
|
||||
});
|
||||
};
|
||||
|
||||
boot.isContainer = pkgs.lib.mkForce false;
|
||||
services.timesyncd.enable = false;
|
||||
users.users.root.password = "";
|
||||
services.getty.helpLine = ''
|
||||
Log in as "root" with an empty password.
|
||||
Use "reboot" to shut qemu down.
|
||||
'';
|
||||
};
|
||||
|
||||
vmDiskoOverwrites = {
|
||||
boot.initrd = {
|
||||
secrets = pkgs.lib.mkForce {};
|
||||
network.ssh.enable = pkgs.lib.mkForce false;
|
||||
};
|
||||
fileSystems = {
|
||||
"/".fsType = pkgs.lib.mkForce "tmpfs";
|
||||
|
||||
malobeo.disks.enable = pkgs.lib.mkForce false;
|
||||
networking.hostId = "a3c3101f";
|
||||
};
|
||||
|
||||
vmSopsOverwrites = host: {
|
||||
sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
|
||||
|
||||
environment.etc = {
|
||||
devHostKey = {
|
||||
source = ../secrets/devkey_ed25519;
|
||||
mode = "0600";
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.hostKeys = [{
|
||||
path = "/etc/devHostKey";
|
||||
type = "ed25519";
|
||||
}];
|
||||
};
|
||||
|
||||
vmNestedMicroVMOverwrites = host: sopsDummy: {
|
||||
|
||||
services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
|
||||
microvm.vms =
|
||||
let
|
||||
# Map the values to each hostname to then generate an Attrset using listToAttrs
|
||||
mapperFunc = name: { inherit name; value = {
|
||||
specialArgs.inputs = inputsMod;
|
||||
specialArgs.self = self;
|
||||
config = {
|
||||
imports = (makeMicroVM "${name}"
|
||||
"${hosts.malobeo.hosts.${name}.network.address}"
|
||||
"${hosts.malobeo.hosts.${name}.network.mac}" [
|
||||
../${name}/configuration.nix
|
||||
(vmMicroVMOverwrites name {
|
||||
withNetworking = true;
|
||||
varPath = "";
|
||||
writableStore = false; })
|
||||
(if sopsDummy then (vmSopsOverwrites name) else {})
|
||||
]);
|
||||
};
|
||||
}; };
|
||||
in
|
||||
builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
|
||||
};
|
||||
|
||||
buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
|
||||
modules = [
|
||||
(vmMicroVMOverwrites host {
|
||||
withNetworking = networking;
|
||||
varPath = "${varPath}";
|
||||
writableStore = writableStore;
|
||||
fwdPort = fwdPort; })
|
||||
(if sopsDummy then (vmSopsOverwrites host) else {})
|
||||
(if disableDisko then vmDiskoOverwrites else {})
|
||||
] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
|
||||
inputs.microvm.nixosModules.microvm
|
||||
] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
|
||||
(vmNestedMicroVMOverwrites host sopsDummy)
|
||||
];
|
||||
# prometheus uses a memory mapped file which doesnt seem supported by 9p shares
|
||||
# therefore we mount a tmpfs inside the datadir
|
||||
"/var/lib/prometheus2/data" = pkgs.lib.mkIf (hostname == "overwatch" && options.varPath != "") (pkgs.lib.mkForce {
|
||||
fsType = pkgs.lib.mkForce "tmpfs";
|
||||
});
|
||||
};
|
||||
|
||||
boot.isContainer = pkgs.lib.mkForce false;
|
||||
services.timesyncd.enable = false;
|
||||
users.users.root.password = "";
|
||||
services.getty.helpLine = ''
|
||||
Log in as "root" with an empty password.
|
||||
Use "reboot" to shut qemu down.
|
||||
'';
|
||||
};
|
||||
|
||||
vmDiskoOverwrites = {
|
||||
boot.initrd = {
|
||||
secrets = pkgs.lib.mkForce {};
|
||||
network.ssh.enable = pkgs.lib.mkForce false;
|
||||
};
|
||||
|
||||
malobeo.disks.enable = pkgs.lib.mkForce false;
|
||||
networking.hostId = "a3c3101f";
|
||||
};
|
||||
|
||||
vmSopsOverwrites = host: {
|
||||
sops.defaultSopsFile = pkgs.lib.mkForce ../${host}/dummy.yaml;
|
||||
|
||||
environment.etc = {
|
||||
devHostKey = {
|
||||
source = ../secrets/devkey_ed25519;
|
||||
mode = "0600";
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.hostKeys = [{
|
||||
path = "/etc/devHostKey";
|
||||
type = "ed25519";
|
||||
}];
|
||||
};
|
||||
|
||||
vmNestedMicroVMOverwrites = host: sopsDummy: {
|
||||
|
||||
services.malobeo.microvm.deployHosts = pkgs.lib.mkForce [];
|
||||
microvm.vms =
|
||||
let
|
||||
# Map the values to each hostname to then generate an Attrset using listToAttrs
|
||||
mapperFunc = name: { inherit name; value = {
|
||||
specialArgs.inputs = inputsMod;
|
||||
specialArgs.self = self;
|
||||
config = {
|
||||
imports = (makeMicroVM "${name}"
|
||||
"${hosts.malobeo.hosts.${name}.network.address}"
|
||||
"${hosts.malobeo.hosts.${name}.network.mac}" [
|
||||
../${name}/configuration.nix
|
||||
(vmMicroVMOverwrites name {
|
||||
withNetworking = true;
|
||||
varPath = "";
|
||||
writableStore = false; })
|
||||
(if sopsDummy then (vmSopsOverwrites name) else {})
|
||||
]);
|
||||
};
|
||||
}; };
|
||||
in
|
||||
builtins.listToAttrs (map mapperFunc self.nixosConfigurations.${host}.config.services.malobeo.microvm.deployHosts);
|
||||
};
|
||||
|
||||
buildVM = host: networking: sopsDummy: disableDisko: varPath: writableStore: fwdPort: (self.nixosConfigurations.${host}.extendModules {
|
||||
modules = [
|
||||
(vmMicroVMOverwrites host {
|
||||
withNetworking = networking;
|
||||
varPath = "${varPath}";
|
||||
writableStore = writableStore;
|
||||
fwdPort = fwdPort; })
|
||||
(if sopsDummy then (vmSopsOverwrites host) else {})
|
||||
(if disableDisko then vmDiskoOverwrites else {})
|
||||
] ++ pkgs.lib.optionals (hosts.malobeo.hosts.${host}.type != "microvm") [
|
||||
inputs.microvm.nixosModules.microvm
|
||||
] ++ pkgs.lib.optionals (self.nixosConfigurations.${host}.config ? services.malobeo.microvm.deployHosts) [
|
||||
(vmNestedMicroVMOverwrites host sopsDummy)
|
||||
];
|
||||
});
|
||||
|
||||
buildHost = hosts: (builtins.mapAttrs (host: settings: nixosSystem {
|
||||
system = if (settings.type == "rpi") then "aarch64-linux" else "x86_64-linux";
|
||||
|
||||
@@ -16,20 +16,21 @@ if [ ! -e flake.nix ]
|
||||
done
|
||||
fi
|
||||
|
||||
pwpath="machines"
|
||||
hostkey="ssh_host_ed25519_key"
|
||||
initrdkey="initrd_ed25519_key"
|
||||
read -p "Enter new host name: " host
|
||||
read -p "Enter new host name: " hostname
|
||||
|
||||
if [ "$host" = "" ]; then exit 0
|
||||
if [ "$hostname" = "" ]; then exit 0
|
||||
fi
|
||||
|
||||
mkdir -p $pwpath/$host/secrets
|
||||
cd $pwpath/$host/secrets
|
||||
pwpath="machines/$hostname/secrets"
|
||||
hostkey="ssh_host_ed25519_key"
|
||||
initrdkey="initrd_ed25519_key"
|
||||
|
||||
mkdir -p "$pwpath"
|
||||
cd "$pwpath"
|
||||
|
||||
# Generate SSH keys
|
||||
ssh-keygen -f $hostkey -t ed25519 -N ""
|
||||
ssh-keygen -f $initrdkey -t ed25519 -N ""
|
||||
ssh-keygen -f $hostkey -t ed25519 -N "" -C "root@$host"
|
||||
ssh-keygen -f $initrdkey -t ed25519 -N "" -C "root@$host-initrd"
|
||||
|
||||
#encrypt the private keys
|
||||
sops -e -i ./$hostkey
|
||||
@@ -45,6 +46,6 @@ echo "Hier ist der age public key für sops etc:"
|
||||
echo "$(ssh-to-age -i ./"$hostkey".pub)"
|
||||
echo
|
||||
echo "Hier ist eine reproduzierbare mac-addresse:"
|
||||
echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
|
||||
echo "$hostname"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
|
||||
|
||||
exit 0
|
||||
|
||||
@@ -2,7 +2,7 @@ set -o errexit
|
||||
set -o pipefail
|
||||
|
||||
sshoptions="-o StrictHostKeyChecking=no -o ServerAliveInterval=1 -o ServerAliveCountMax=1 -p 222 -T"
|
||||
HOSTNAME=$1
|
||||
hostname=$1
|
||||
|
||||
if [ ! -e flake.nix ]
|
||||
then
|
||||
@@ -19,17 +19,17 @@ if [ ! -e flake.nix ]
|
||||
done
|
||||
fi
|
||||
|
||||
diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)
|
||||
diskkey=$(sops -d machines/$hostname/secrets/disk.key)
|
||||
|
||||
echo
|
||||
if [ $# = 1 ]
|
||||
then
|
||||
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
|
||||
echo "$diskkey" | ssh $sshoptions root@$hostname-initrd "systemd-tty-ask-password-agent" #root
|
||||
|
||||
elif [ $# = 2 ]
|
||||
then
|
||||
IP=$2
|
||||
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
|
||||
ip=$2
|
||||
echo "$diskkey" | ssh $sshoptions root@$ip "systemd-tty-ask-password-agent" #root
|
||||
|
||||
else
|
||||
echo
|
||||
|
||||
Reference in New Issue
Block a user