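let
  # Pinned inputs are managed by niv (nix/sources.json); the `update-sources`
  # script below is the intended way to bump them.
  sources = import ./nix/sources.nix;
  pkgs = import sources.nixpkgs { };

  nix-pre-commit-hooks = import sources."pre-commit-hooks.nix";

  # Formatting check that is installed as a git pre-commit hook from
  # shellHook (nixpkgs-fmt only).
  pre-commit-check = nix-pre-commit-hooks.run {
    src = ./.;
    hooks = {
      nixpkgs-fmt.enable = true;
    };
  };

  # Every attribute here becomes an executable of the same name on the
  # dev-shell PATH (see `writeShellScriptBin` in buildInputs below).
  scripts = {
    # Run `niv update` and commit the result. Refuses to run while
    # nix/sources.json has unstaged or staged local changes so that nothing
    # is silently folded into the update commit.
    update-sources = ''
      set -e
      git diff --exit-code -s nix/sources.json || (echo "File nix/sources.json has unstaged changes, refusing to update." >&2 && exit 1)
      git diff --cached --exit-code -s nix/sources.json || (echo "File nix/sources.json has staged changes, refusing to update." >&2 && exit 1)
      niv update
      git diff --exit-code -s nix/sources.json && echo "Already up to date." && exit 0
      git commit -m "Update sources" nix/sources.json
    '';

    # Build the krops deploy script for machine "$1" (deploy.nix attribute)
    # and execute the resulting store path.
    deploy = ''
      set -e
      # If a deployment to localhost introduces an evaluation error, future
      # deployments will fail since the overlay compat can’t parse the
      # configuration. Overlays aren’t needed to build the krops deploy script.
      export NIX_PATH="$(sed 's/:nixpkgs-overlays=[^:]*//' <<< "$NIX_PATH")"
      $(nix-build --no-out-link deploy.nix -A "$1")
    '';

    # Feed the LUKS passphrase for machine "$1" (read from `pass`) over ssh
    # on port 2222 into /crypt-ramfs/passphrase on the target host. The host
    # is taken from machines.<name>.target, expected in user@host form
    # (the part after `@` is used). The passphrase is never placed on the
    # command line; it travels via stdin from a process substitution.
    unlock = ''
      set -eo pipefail
      machine="$1"
      hostname="$(nix-instantiate --eval --json machines -A "$1".target | ${pkgs.jq}/bin/jq -r . | cut -d@ -f2)"
      # opening luks fails if gpg-agent is not unlocked yet
      pass "devices/$machine/luks" >/dev/null
      ssh \
        -4 \
        -p 2222 \
        "root@$hostname" \
        "cat > /crypt-ramfs/passphrase" < <(pass "devices/$machine/luks")
    '';

    # Print the primary-key fingerprint of the key file "$1".
    # gpg runs inside a command substitution rather than as the head of a
    # pipeline: under `set -e` a gpg failure (missing or unreadable file) then
    # aborts the script instead of yielding empty output with exit status 0,
    # which callers capturing the fingerprint would otherwise accept.
    show-key-fingerprint = ''
      set -e
      colons="$(gpg --with-fingerprint --with-colons --show-key "$1")"
      awk -F: '$1 == "fpr" { print $10; exit }' <<< "$colons"
    '';
  };
in
pkgs.mkShell {
  buildInputs = (with pkgs; [
    git
    niv
    nixpkgs-fmt
    sops
    ssh-to-pgp
  ]) ++ (pkgs.lib.mapAttrsToList pkgs.writeShellScriptBin scripts);

  # On shell entry: install the pre-commit hook, then import every file under
  # ./keys into the user's gpg keyring (the directory is copied to the Nix
  # store by the path interpolation).
  shellHook = ''
    ${pre-commit-check.shellHook}

    find ${./. + "/keys"} -type f -print0 | xargs -0 ${pkgs.gnupg}/bin/gpg --quiet --import
  '';
}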