# sops config in the sibling nix-secrets checkout; its creation rules decide
# which age keys each secrets file is encrypted to (see the rekey recipes).
# NOTE(review): no recipe in this file references SOPS_FILE and it is not
# exported, so helpers.sh only sees it if it is passed explicitly — confirm it
# is still needed.
SOPS_FILE := "../nix-secrets/.sops.yaml"
# Path to the shared shell helpers, exported so the shebang recipes below can
# `source` it (justfile_directory() keeps it valid from any working directory).
export HELPERS_PATH := justfile_directory() + "/scripts/helpers.sh"
# Default recipe: list the available recipes (runs on a bare `just`)
default:
    @just --list
# --intent-to-add marks untracked paths without staging their content,
# presumably so the flake evaluation (which only sees tracked files) picks up
# newly created files — confirm.
# Refresh the nix-secrets input and stage new files before a rebuild
rebuild-pre: update-nix-secrets
    @git add --intent-to-add .
# Post-rebuild checks; currently only verifies that sops-nix activated (check-sops)
rebuild-post: check-sops
# ARGS is appended verbatim to both `nix flake check` calls. The first run is
# --impure so the NIXPKGS_ALLOW_UNFREE and REPO_PATH variables set on that line
# are visible during evaluation; the installer sub-flake is checked pure.
# Run a flake check on the config and installer
check ARGS="":
    NIXPKGS_ALLOW_UNFREE=1 REPO_PATH=$(pwd) nix flake check --impure --keep-going --show-trace {{ARGS}}
    cd nixos-installer && nix flake check --keep-going --show-trace {{ARGS}}
# Order: rebuild-pre, then scripts/rebuild.sh, then rebuild-post (a dependency
# after `&&` only runs if the recipe body succeeds).
# Rebuild the system
rebuild: rebuild-pre && rebuild-post
    # NOTE: Add --option eval-cache false if you end up caching a failure you can't get around
    scripts/rebuild.sh
# The check runs after the switch, so a failing check does not block the rebuild
# (it does still fail the recipe, which skips rebuild-post).
# Rebuild the system and run a flake check
rebuild-full: rebuild-pre && rebuild-post
    scripts/rebuild.sh
    just check
# Same as rebuild-full but passes `trace` to scripts/rebuild.sh (presumably
# enables --show-trace; see the script).
# Rebuild the system with tracing and run a flake check
rebuild-trace: rebuild-pre && rebuild-post
    scripts/rebuild.sh trace
    just check
# Update every input in flake.lock
update:
    nix flake update
# Update all flake inputs, then rebuild (dependencies run in order: update, rebuild)
rebuild-update: update rebuild
# Show uncommitted changes, excluding the machine-generated flake.lock
diff:
    git diff ':!flake.lock'
# age-keygen writes the key pair, secret key included, to stdout by default, i.e.
# straight into the terminal. Redirect it to a file with restrictive permissions
# (e.g. `age-keygen -o <file>`) rather than leaving it in scrollback or logs.
# Generate a new age key
age-key:
    nix-shell -p age --run "age-keygen"
# Check if sops-nix activated successfully (delegates to scripts/check-sops.sh)
check-sops:
    scripts/check-sops.sh
# Best-effort refresh of the local nix-secrets checkout before bumping the flake
# input. `|| true` swallows any fetch/rebase failure — including a conflicted
# rebase left half-done — so inspect that checkout if the lock lands on an
# unexpected revision. NOTE(review): this uses ~/src/nix/nix-secrets while
# SOPS_FILE and the rekey recipes use ../nix-secrets; presumably the same
# checkout — confirm. `--timeout 5` is a nix option, presumably meant to bound
# the input fetch.
# Update the nix-secrets flake input
update-nix-secrets:
    @(cd ~/src/nix/nix-secrets && git fetch && git rebase > /dev/null) || true
    nix flake update nix-secrets --timeout 5
# Impure evaluation, as in `check`. The `latest.iso` link assumes result/iso
# holds exactly one image: `ln -sf` with several sources needs a directory target.
# Build an iso image for installing new systems and create a symlink for qemu usage
iso:
    # If we dont remove this folder, libvirtd VM doesnt run with the new iso...
    rm -rf result
    nix build --impure .#nixosConfigurations.iso.config.system.build.isoImage && ln -sf result/iso/*.iso latest.iso
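# DRIVE must be a block device (e.g. /dev/sdX); the whole device is overwritten.
# Install the latest iso to a flash drive
iso-install DRIVE: iso
    #!/usr/bin/env bash
    set -euo pipefail
    drive="{{DRIVE}}"
    # Guard the destructive dd: with a mistyped or unplugged target, dd would
    # happily create (or clobber) a regular file at that path and report success.
    if [ ! -b "$drive" ]; then
        echo "iso-install: '$drive' is not a block device, refusing to write" >&2
        exit 1
    fi
    # Newest image in result/iso (the `iso` prerequisite has just rebuilt it);
    # pipefail makes a failing eza abort instead of feeding dd an empty path.
    image="$(eza --sort changed result/iso/*.iso | tail -n1)"
    sudo dd if="$image" of="$drive" bs=4M status=progress oflag=sync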
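# Partition and format DRIVE with disko using disks/btrfs-luks-impermanence-disko.nix,
# with PASSWORD as the LUKS passphrase. DESTRUCTIVE: wipes DRIVE.
# Security notes: the passphrase still reaches disko via `--arg password`, so it
# is visible to every local user in `ps`/procfs while disko runs, and it sits in
# your shell history as a `just` argument. The file below is written for the
# disko config, which presumably reads /tmp/disko-password — if it does, dropping
# the --arg would remove the process-list exposure; confirm against the config.
# Configure a drive password using disko
disko DRIVE PASSWORD:
    #!/usr/bin/env bash
    set -euo pipefail
    pw_file=/tmp/disko-password
    # Remove the passphrase file on every exit path; the previous unconditional
    # `rm` was skipped when disko failed, leaving the secret behind in /tmp.
    trap 'rm -f "$pw_file"' EXIT
    # Recreate the file with mode 0600 (umask 077) before any bytes are written,
    # so no other local user can read it; previously it was created under the
    # default umask, typically world-readable. printf avoids echo's handling of
    # backslashes and a leading `-`. Being a shebang recipe also stops just from
    # echoing the passphrase line to the terminal. A passphrase containing a
    # single quote would break the interpolation below, as `"` did before.
    rm -f "$pw_file"
    (umask 077 && printf '%s\n' '{{PASSWORD}}' > "$pw_file")
    sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- \
        --mode disko \
        disks/btrfs-luks-impermanence-disko.nix \
        --arg disk '"{{DRIVE}}"' \
        --arg password '"{{PASSWORD}}"'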
# Targets USER@HOST:PATH/nix-config over ssh (port 22 hard-coded); the rsync
# filter rule honours .gitignore so ignored files are not copied.
# Copy all the config files to the remote host
sync USER HOST PATH:
    rsync -av --filter=':- .gitignore' -e "ssh -l {{USER}} -oport=22" . {{USER}}@{{HOST}}:{{PATH}}/nix-config
# Switches HOST to the nixosConfiguration of the same name, built on HOST itself.
# ssh port 22 is hard-coded via NIX_SSHOPTS; --use-remote-sudo requires sudo on
# the target; --impure as in `check`.
# Run nixos-rebuild on the remote host
build-host HOST:
    NIX_SSHOPTS="-p22" nixos-rebuild --target-host {{HOST}} --use-remote-sudo --show-trace --impure --flake .#"{{HOST}}" switch
# ========== Nix-Secrets manipulation recipes ==========
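# Re-encrypt every sops/*.yaml in nix-secrets against the keys currently listed
# in its creation rules (`updatekeys -y` skips the confirmation prompt)
sops-rekey:
    #!/usr/bin/env bash
    set -euo pipefail
    cd ../nix-secrets
    # Iterate the glob directly instead of parsing `ls`, quote the path, and
    # stop at the first file sops rejects — the previous loop only reported
    # the exit status of the last file. nullglob keeps a missing match from
    # being passed to sops as a literal pattern.
    shopt -s nullglob
    for file in sops/*.yaml; do
        sops updatekeys -y "$file"
    done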
# After sops-rekey, commit and push the result from ../nix-secrets. pre-commit
# and the commit may fail (nothing to commit, hooks absent) without aborting;
# `-n` skips commit hooks since pre-commit already ran; a failing `git push`
# does propagate.
# Update all keys in sops/*.yaml files in nix-secrets to match the creation rules keys
rekey: sops-rekey
    cd ../nix-secrets && \
    (pre-commit run --all-files || true) && \
    git add -u && (git commit -nm "chore: rekey" || true) && git push
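# FIELD is the anchor group in .sops.yaml (the callers below pass `users` and
# `hosts`), KEYNAME the anchor and KEY the age public key; thin wrapper over
# sops_update_age_key in helpers.sh.
# Update an age key anchor or add a new one
update-age-key FIELD KEYNAME KEY:
    #!/usr/bin/env bash
    source "{{HELPERS_PATH}}"
    # Quote the arguments as the creation-rule recipes do, so a value with
    # whitespace reaches the helper as a single argument.
    sops_update_age_key "{{FIELD}}" "{{KEYNAME}}" "{{KEY}}"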
# The anchor is named USER_HOST under the `users` group.
# Update an existing user age key anchor or add a new one
update-user-age-key USER HOST KEY:
    just update-age-key users {{USER}}_{{HOST}} {{KEY}}
# The anchor is named HOST under the `hosts` group.
# Update an existing host age key anchor or add a new one
update-host-age-key HOST KEY:
    just update-age-key hosts {{HOST}} {{KEY}}
# Automatically create creation rules entries for a <host>.yaml file for host-specific secrets
sops-add-host-creation-rules USER HOST:
    #!/usr/bin/env bash
    # Delegates to the helper in scripts/helpers.sh (see HELPERS_PATH).
    source {{HELPERS_PATH}}
    sops_add_host_creation_rules "{{USER}}" "{{HOST}}"
# Automatically create creation rules entries for a shared.yaml file for shared secrets
sops-add-shared-creation-rules USER HOST:
    #!/usr/bin/env bash
    # Delegates to the helper in scripts/helpers.sh (see HELPERS_PATH).
    source {{HELPERS_PATH}}
    sops_add_shared_creation_rules "{{USER}}" "{{HOST}}"
# Convenience wrapper: the host rules recipe runs first and the shared one only
# if it succeeded.
# Automatically add the host and user keys to creation rules for shared.yaml and <host>.yaml
sops-add-creation-rules USER HOST:
    just sops-add-host-creation-rules {{USER}} {{HOST}} && \
    just sops-add-shared-creation-rules {{USER}} {{HOST}}