add a basic maintenance mode module
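{
  description = "The deployment flake for the awful.systems cluster";

  # Inputs are named by branch or repository here; the revisions actually
  # built are the ones recorded in flake.lock (not shown in this file).
  inputs = {
    # NOTE(review): a NixOS release branch stops receiving security updates
    # once it is end-of-life -- confirm nixos-23.05 is still supported before
    # deploying hosts from it.
    nixpkgs.url = "nixpkgs/nixos-23.05";
    flake-utils.url = "github:numtide/flake-utils";
    pkgs-unstable.url = "nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
  };

  outputs = { self, nixpkgs, flake-utils, sops-nix, ... }@attrs:
    {
      # One NixOS system per host. Every flake input is handed to the host
      # modules through specialArgs, and the sops-nix module is loaded on each
      # host alongside its configuration.nix.
      nixosConfigurations = {
        these = nixpkgs.lib.nixosSystem {
          specialArgs = attrs;
          modules =
            [ ./hosts/these/configuration.nix sops-nix.nixosModules.sops ];
        };
        more = nixpkgs.lib.nixosSystem {
          specialArgs = attrs;
          modules =
            [ ./hosts/more/configuration.nix sops-nix.nixosModules.sops ];
        };
      };
    } // flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};

        # deploy-<name>: rebuild the `name` configuration of this flake and
        # switch `target` to it over SSH. Extra arguments are forwarded to
        # nixos-rebuild; "$@" is quoted so each one arrives as a single word
        # instead of being re-split and glob-expanded by the local shell.
        deploy = name: target:
          pkgs.writeShellScriptBin "deploy-${name}" ''
            nixos-rebuild switch --fast --flake .#${name} \
            --target-host ${target} \
            "$@"
          '';

        # go-<name>: open an SSH session (or run a command) on `target`.
        go = name: target:
          pkgs.writeShellScriptBin "go-${name}" ''
            ssh ${target} "$@"
          '';

        # init-secrets <ssh-private-key>: derive the age identity that sops
        # uses from an SSH private key and store it in
        # ~/.config/sops/age/keys.txt, replacing any identity already there.
        #
        # The passphrase has to be stripped from a *copy* of the key before
        # ssh-to-age can read it, so that copy is unprotected key material.
        # It lives only inside a private mktemp directory: a fixed name under
        # /tmp could be pre-created by another local user, and would be left
        # behind if the script were interrupted.
        init-secrets = pkgs.writeShellScriptBin "init-secrets" ''
          set -eu
          # Everything created below is private key material: owner-only.
          umask 077
          mkdir -p ~/.config/sops/age
          workdir=$(mktemp -d)
          # Remove the unprotected copy on every exit path, including errors.
          trap 'rm -rf "$workdir"' EXIT
          cp "$1" "$workdir/key"
          ${pkgs.openssh}/bin/ssh-keygen -p -N "" -f "$workdir/key"
          # Convert into the work directory first so a failed conversion does
          # not truncate an existing keys.txt.
          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i "$workdir/key" > "$workdir/keys.txt"
          mv "$workdir/keys.txt" ~/.config/sops/age/keys.txt
          chmod 600 ~/.config/sops/age/keys.txt
          echo Your age public key is:
          ${pkgs.age}/bin/age-keygen -y ~/.config/sops/age/keys.txt
        '';

        # rekey-secrets <file>: run `sops updatekeys` on one secrets file.
        rekey-secrets = pkgs.writeShellScriptBin "rekey-secrets" ''
          ${pkgs.sops}/bin/sops updatekeys "$1"
        '';
      in {
        # Operator shell: secrets tooling plus per-host deploy/ssh helpers.
        # Both helpers connect to the hosts as root.
        devShells.default = pkgs.mkShell {
          buildInputs = [
            pkgs.sops
            pkgs.ssh-to-age
            pkgs.age
            (deploy "these" "root@these.awful.systems")
            (go "these" "root@these.awful.systems")
            (deploy "more" "root@more.awful.systems")
            (go "more" "root@more.awful.systems")
            init-secrets
            # NOTE(review): rekey-secrets is defined above but not listed
            # here, so it is not available in the shell -- confirm whether
            # that is intended.
            pkgs.bashInteractive
          ];
        };
        packages.maint-mode =
          (pkgs.callPackage ./maint-mode/site.nix {});
      });
}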