let
  # Pinned inputs recorded in nix/sources.json (kept up to date with niv, see
  # the update-sources script below).
  sources = import ./nix/sources.nix;
  pkgs = import sources.nixpkgs { };
  nix-pre-commit-hooks = import sources."pre-commit-hooks.nix";

  # pre-commit configuration for this checkout; only the nixpkgs-fmt check is
  # enabled. Its shellHook is spliced into the dev shell's shellHook.
  pre-commit-check = nix-pre-commit-hooks.run {
    src = ./.;
    hooks.nixpkgs-fmt.enable = true;
  };
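# Helper commands put on PATH of the dev shell: each attribute becomes a
# binary of the same name via writeShellScriptBin (see buildInputs below).
# The values are bash script bodies; "$1" is the command's first argument.
scripts = {
  # Update nix/sources.json with niv and commit the result. Refuses to run
  # while the file has unstaged or staged changes, so the commit contains
  # nothing but the update.
  update-sources = ''
    set -e
    git diff --exit-code -s nix/sources.json || (echo "File nix/sources.json has unstaged changes, refusing to update." >&2 && exit 1)
    git diff --cached --exit-code -s nix/sources.json || (echo "File nix/sources.json has staged changes, refusing to update." >&2 && exit 1)
    niv update
    git diff --exit-code -s nix/sources.json && echo "Already up to date." && exit 0
    git commit -m "Update sources" nix/sources.json
  '';

  # Build the krops deploy script for machine "$1" from deploy.nix and run it.
  deploy = ''
    set -e
    if [ $# -lt 1 ]; then
      echo "usage: deploy <machine>" >&2
      exit 1
    fi
    # If a deployment to localhost introduces an evaluation error, future
    # deployments will fail since the overlay compat can’t parse the
    # configuration. Overlays aren’t needed to build the krops deploy script.
    export NIX_PATH="$(sed 's/:nixpkgs-overlays=[^:]*//' <<< "$NIX_PATH")"
    # Capture the store path first so a failed nix-build aborts under set -e
    # instead of expanding to an empty command line.
    deploy_script="$(nix-build --no-out-link deploy.nix -A "$1")"
    "$deploy_script"
  '';

  # Send the LUKS passphrase of machine "$1" (from the password store) to the
  # sshd listening on port 2222 of that machine, which reads it from
  # /crypt-ramfs/passphrase.
  unlock = ''
    set -eo pipefail
    if [ $# -lt 1 ]; then
      echo "usage: unlock <machine>" >&2
      exit 1
    fi
    machine="$1"
    # machines.<name>.target is expected as "user@host"; only the host part is
    # used here (cut leaves a value without "@" unchanged).
    hostname="$(nix-instantiate --eval --json machines -A "$machine".target | ${pkgs.jq}/bin/jq -r . | cut -d@ -f2)"
    # opening luks fails if gpg-agent is not unlocked yet
    pass "devices/$machine/luks" >/dev/null
    # The passphrase is a secret handed to whatever answers on port 2222.
    # known_hosts records that endpoint separately from port 22 ([host]:2222),
    # so refuse unknown or changed host keys instead of trusting on first use;
    # the host key for port 2222 has to be added to known_hosts beforehand.
    ssh \
      -4 \
      -p 2222 \
      -o StrictHostKeyChecking=yes \
      "root@$hostname" \
      "cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
  '';

  # Print the fingerprint of the first key gpg finds in "$1" (the first "fpr"
  # record of the colon-separated listing).
  show-key-fingerprint = ''
    if [ $# -lt 1 ]; then
      echo "usage: show-key-fingerprint <key>" >&2
      exit 1
    fi
    gpg --with-fingerprint --with-colons --show-key "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
  '';
};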
in
pkgs.mkShell {
  # Tools from nixpkgs plus one wrapper binary per entry of `scripts`
  # (writeShellScriptBin names the binary after the attribute). gpg, pass and
  # ssh used by the scripts are not listed and come from the surrounding
  # environment.
  buildInputs =
    [ pkgs.git pkgs.niv pkgs.nixpkgs-fmt pkgs.sops pkgs.ssh-to-pgp ]
    ++ builtins.attrValues (builtins.mapAttrs pkgs.writeShellScriptBin scripts);

  # Runs on shell entry: the pre-commit hook setup, then an import of every
  # file under keys/ (copied into the store) into the user's gpg keyring.
  shellHook = ''
    ${pre-commit-check.shellHook}
    find ${./keys} -type f -print0 | xargs -0 gpg --quiet --import
  '';
}