nixos-config/shell.nix


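# Development shell for this NixOS configuration: pins nixpkgs through niv,
# installs the pre-commit hook set, and puts a few helper scripts on PATH.
let
  sources = import ./nix/sources.nix;
  pkgs = import sources.nixpkgs { };
  nix-pre-commit-hooks = import sources."pre-commit-hooks.nix";

  # Evaluates the pre-commit hooks against the repo; its shellHook installs the
  # git hook when the shell is entered.
  pre-commit-check = nix-pre-commit-hooks.run {
    src = ./.;
    hooks = {
      nixpkgs-fmt.enable = true;
    };
  };

  # Every attribute here becomes an executable of the same name (see
  # writeShellScriptBin in buildInputs below).
  scripts = {
    # update-sources: bump the niv pins and commit the result, refusing to run
    # when nix/sources.json already carries unstaged or staged changes so the
    # commit only ever contains what `niv update` produced.
    update-sources = ''
      set -e
      if ! git diff --exit-code -s nix/sources.json; then
        echo "File nix/sources.json has unstaged changes, refusing to update." >&2
        exit 1
      fi
      if ! git diff --cached --exit-code -s nix/sources.json; then
        echo "File nix/sources.json has staged changes, refusing to update." >&2
        exit 1
      fi
      niv update
      if git diff --exit-code -s nix/sources.json; then
        echo "Already up to date."
        exit 0
      fi
      git commit -m "Update sources" nix/sources.json
    '';

    # deploy <machine>: build the machine's attribute from deploy.nix and run
    # the resulting script. Quoted so an empty build result fails loudly
    # instead of silently doing nothing.
    deploy = ''
      set -e
      "$(nix-build --no-out-link deploy.nix -A "$1")"
    '';

    # unlock <machine>: feed the LUKS passphrase from `pass` to the machine's
    # initrd SSH server on port 2222, which reads it from
    # /crypt-ramfs/passphrase. The initrd host key is pinned from the private
    # key kept in `pass`, so the passphrase is only ever sent to a host that
    # presents exactly that key.
    unlock = ''
      set -eo pipefail
      machine="$1"
      hostname="$(nix-instantiate --eval --json machines -A "$machine".target \
        | ${pkgs.jq}/bin/jq -r . | cut -d@ -f2)"
      # "<keytype> <base64 blob>" derived from the private initrd host key.
      # A known_hosts line needs the key blob itself; a fingerprint from
      # `ssh-keygen -l` does not parse as a key and leaves the host unpinned.
      hostkey="$(ssh-keygen -y -f <(pass "nixos/machines/$machine/initrd-ssh-host-key") \
        | cut -d' ' -f1,2)"
      # Strict checking against the generated global file only: the user's
      # known_hosts is ignored so stale entries for this host/port can neither
      # mask nor override the pinned key.
      ssh \
        -oStrictHostKeyChecking=yes \
        -oUserKnownHostsFile=/dev/null \
        -oGlobalKnownHostsFile=<(echo "[$hostname]:2222 $hostkey") \
        -4 \
        -p 2222 \
        "root@$hostname" \
        "cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
    '';
  };
in
pkgs.mkShell {
  # Editing tools plus one wrapper binary per entry in `scripts`.
  buildInputs = (with pkgs; [
    git
    niv
    nixpkgs-fmt
  ]) ++ (builtins.attrValues (builtins.mapAttrs pkgs.writeShellScriptBin scripts));
  shellHook = ''
    ${pre-commit-check.shellHook}
  '';
}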