186 lines
6.1 KiB
Nix
186 lines
6.1 KiB
Nix
{ self
|
|
, utils
|
|
, nixpkgs
|
|
, nixpkgs-unstable
|
|
, nixos-generators
|
|
, sops-nix
|
|
, microvm
|
|
, ...
|
|
} @inputs:
|
|
|
|
# filter i686-liux from defaultSystem to run nix flake check successfully
|
|
let filter_system = name: if name == utils.lib.system.i686-linux then false else true;
|
|
in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems) ( system:
|
|
let
|
|
pkgs-unstable = nixpkgs-unstable.legacyPackages."${system}";
|
|
pkgs = nixpkgs.legacyPackages."${system}";
|
|
|
|
utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; });
|
|
in
|
|
{
|
|
devShells.default =
|
|
let
|
|
sops = sops-nix.packages."${pkgs.system}";
|
|
microvmpkg = microvm.packages."${pkgs.system}";
|
|
installed = builtins.attrNames self.legacyPackages."${pkgs.system}".scripts;
|
|
in
|
|
pkgs.mkShell {
|
|
sopsPGPKeyDirs = [
|
|
"./machines/secrets/keys/hosts"
|
|
"./machines/secrets/keys/users"
|
|
];
|
|
|
|
nativeBuildInputs = [
|
|
sops.ssh-to-pgp
|
|
sops.sops-import-keys-hook
|
|
sops.sops-init-gpg-key
|
|
pkgs.sops
|
|
pkgs.age
|
|
pkgs.python310Packages.grip
|
|
pkgs.mdbook
|
|
microvmpkg.microvm
|
|
];
|
|
|
|
packages = builtins.map (pkgName: self.legacyPackages."${pkgs.system}".scripts.${pkgName}) installed;
|
|
shellHook = ''echo "Available scripts: ${builtins.concatStringsSep " " installed}"'';
|
|
};
|
|
|
|
legacyPackages = {
|
|
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
|
|
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
|
|
scripts.run-vm = self.packages.${system}.run-vm;
|
|
};
|
|
|
|
vmBuilder = utils.buildVM;
|
|
|
|
packages = {
|
|
docs = pkgs.stdenv.mkDerivation {
|
|
name = "malobeo-docs";
|
|
phases = [ "buildPhase" ];
|
|
buildInputs = [ pkgs.mdbook ];
|
|
|
|
inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
|
|
|
|
buildPhase = ''
|
|
dest=$out/share/doc
|
|
mkdir -p $dest
|
|
cp -r --no-preserve=all $inputs/* ./
|
|
mdbook build
|
|
ls
|
|
cp -r ./book/* $dest
|
|
'';
|
|
};
|
|
|
|
run-vm = pkgs.writeShellScriptBin "run-vm" ''
|
|
usage() {
|
|
echo "Usage: run-vm <hostname> [--networking] [--dummy-secrets] [--no-disko]"
|
|
echo "ATTENTION: This script must be run from the flakes root directory"
|
|
echo "--networking setup interfaces. requires root and hostbridge enabled on the host"
|
|
echo "--dummy-secrets run vm with dummy sops secrets"
|
|
echo "--no-disko disable disko and initrd secrets. needed for real hosts like fanny"
|
|
echo "--var path to directory that should be shared as /var. may require root otherwise some systemd units fail within vm. if dir is empty vm will populate"
|
|
exit 1
|
|
}
|
|
|
|
# check at least one arg was given
|
|
if [ "$#" -lt 1 ]; then
|
|
usage
|
|
fi
|
|
|
|
HOSTNAME=$1
|
|
|
|
# Optionale Argumente
|
|
NETWORK=false
|
|
DUMMY_SECRETS=false
|
|
NO_DISKO=false
|
|
VAR_PATH=""
|
|
|
|
# check argws
|
|
shift
|
|
while [[ "$#" -gt 0 ]]; do
|
|
case $1 in
|
|
--networking) NETWORK=true ;;
|
|
--dummy-secrets) DUMMY_SECRETS=true ;;
|
|
--no-disko) NO_DISKO=true ;;
|
|
--var)
|
|
if [[ -n "$2" && ! "$2" =~ ^- ]]; then
|
|
VAR_PATH="$2"
|
|
shift
|
|
else
|
|
echo "Error: --var requires a non-empty string argument."
|
|
usage
|
|
fi
|
|
;;
|
|
*) echo "Unknown argument: $1"; usage ;;
|
|
esac
|
|
shift
|
|
done
|
|
echo "starting host $HOSTNAME"
|
|
echo "enable networking: $NETWORK"
|
|
echo "deploy dummy secrets: $DUMMY_SECRETS"
|
|
echo "disable disko and initrd secrets: $NO_DISKO"
|
|
if [ -n "$VAR_PATH" ]; then
|
|
echo "sharing var directory: $VAR_PATH"
|
|
fi
|
|
|
|
${pkgs.nix}/bin/nix run --show-trace --impure --expr "((builtins.getFlake \"$(pwd)\").vmBuilder.x86_64-linux \"$HOSTNAME\" $NETWORK $DUMMY_SECRETS $NO_DISKO \"$VAR_PATH\")"
|
|
'';
|
|
};
|
|
|
|
apps = {
|
|
docs = {
|
|
type = "app";
|
|
program = builtins.toString (pkgs.writeShellScript "docs" ''
|
|
${pkgs.xdg-utils}/bin/xdg-open "${self.packages.${system}.docs}/share/doc/index.html"
|
|
'');
|
|
};
|
|
|
|
|
|
docsDev = {
|
|
type = "app";
|
|
program = builtins.toString (pkgs.writeShellScript "docs" ''
|
|
echo "needs to run from infrastuctre root folder"
|
|
${pkgs.mdbook}/bin/mdbook serve --open ./doc
|
|
'');
|
|
};
|
|
|
|
run-vm = {
|
|
type = "app";
|
|
program = "${self.packages.${system}.run-vm}/bin/run-vm";
|
|
};
|
|
};
|
|
|
|
})) // (
|
|
let
|
|
utils = import ./machines/modules/host_builder.nix ( inputs // { inherit inputs; self = self; });
|
|
hosts = import ./machines/hosts.nix ( inputs // { inherit inputs; self = self; });
|
|
in
|
|
{
|
|
nixosConfigurations = utils.buildHost hosts.malobeo.hosts;
|
|
#nixosConfigurations = import ./machines/configuration.nix (inputs // {
|
|
# inherit inputs;
|
|
# self = self;
|
|
#});
|
|
|
|
nixosModules.malobeo = {
|
|
host.imports = [ ./machines/durruti/host_config.nix ];
|
|
microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
|
|
vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
|
|
initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
|
|
metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
|
|
disko.imports = [ ./machines/modules/disko ];
|
|
};
|
|
|
|
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
|
|
let
|
|
getBuildEntry = name: nixosSystem:
|
|
if (nixpkgs.lib.hasPrefix "sdImage" name) then
|
|
nixosSystem.config.system.build.sdImage
|
|
else
|
|
nixosSystem.config.system.build.toplevel;
|
|
in
|
|
nixpkgs.lib.mapAttrs getBuildEntry self.nixosConfigurations
|
|
|
|
);
|
|
})
|