Merge remote-tracking branch 'lass/master'

author: makefu <github@syntax-fehler.de> 2023-01-10 13:20:04 +0100
committer: makefu <github@syntax-fehler.de> 2023-01-10 13:20:04 +0100
commit: c691e94c45e6c5bdac531186374b185ea1790311 (patch)
tree: 024f2e5b8aed015687f03b31b6e7c1ce743f009c /lass/5pkgs
parent: 1929733c03dbff92f830cb81b57cf4ccf859d364 (diff)
parent: 2818476f710410f1c752ce12becce10be0a8a293 (diff)
3 files changed, 90 insertions, 65 deletions
diff --git a/lass/5pkgs/bruellwuerfel/default.nix b/lass/5pkgs/bruellwuerfel/default.nix
deleted file mode 100644
index cb8f08fa8..000000000
--- a/lass/5pkgs/bruellwuerfel/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ yarn2nix-moretea, fetchFromGitHub, nodePackages, nodejs }: let
-  #src = ~/src/bruellwuerfel;
-  src = fetchFromGitHub {
-    owner = "krebs";
-    repo = "bruellwuerfel";
-    rev = "57e20e630f732ce4e15b495ec5f9bf72a121b959";
-    sha256 = "08zwwl24sq21r497a03lqpy2x10az8frrsh6d38xm92snd1yf85b";
-  };
-
-in yarn2nix-moretea.mkYarnModules rec {
-  pname = "bruellwuerfel";
-  version = "1.0";
-  name = "${pname}-${version}";
-  packageJSON = "${src}/package.json";
-  yarnLock = "${src}/yarn.lock";
-  postBuild = ''
-    cp -r ${src}/{src,tsconfig.json} $out/
-    cd $out
-    ${nodePackages.typescript}/bin/tsc || :
-    mkdir -p $out/bin
-    echo '#!/bin/sh' > $out/bin/bruellwuerfel
-    echo "export NODE_PATH=$out/dist" >> $out/bin/bruellwuerfel
-    echo "${nodejs}/bin/node $out/dist/index.js" >> $out/bin/bruellwuerfel
-    chmod +x $out/bin/bruellwuerfel
-  '';
-}
diff --git a/lass/5pkgs/install-system/default.nix b/lass/5pkgs/install-system/default.nix
new file mode 100644
index 000000000..9a392e669
--- /dev/null
+++ b/lass/5pkgs/install-system/default.nix
@@ -0,0 +1,26 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "install-system" ''
+  set -efux
+  SYSTEM=$1
+  TARGET=$2
+  # format
+  if ! (sshn "$TARGET" -- mountpoint /mnt); then
+    nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '<nixpkgs/nixos>' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET"
+  fi
+
+  # install dependencies
+  sshn "$TARGET" << SSH
+    nix-channel --update
+    nix-env -iA nixos.git
+  SSH
+
+  # populate
+  $(nix-build --no-out-link "$HOME"/sync/stockholm/lass/krops.nix -A populate --argstr name "$SYSTEM" --argstr target "$TARGET"/mnt/var/src --arg force true)
+
+  # install
+  sshn "$TARGET" << SSH
+    ln -s /mnt/var/src /var/src
+    NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /var/src
+    zpool export -fa
+  SSH
+''
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix
index d999a4334..27e59bb96 100644
--- a/lass/5pkgs/l-gen-secrets/default.nix
+++ b/lass/5pkgs/l-gen-secrets/default.nix
@@ -1,57 +1,82 @@
 { pkgs }:
-pkgs.writeDashBin "l-gen-secrets" ''
-  HOSTNAME="$1"
+pkgs.writers.writeDashBin "l-gen-secrets" ''
+  set -efu
+  HOSTNAME=$1
   TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+  if [ "''${DRYRUN-n}" = "n" ]; then
+    trap 'rm -rf $TMPDIR' EXIT
+  else
+    echo "$TMPDIR"
+    set -x
+  fi
+  mkdir -p $TMPDIR/out
+
   PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
   HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
 
+  # ssh
   ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
-  ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
-  ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
-  ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key
-  ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub
-  cat <<EOF > $TMPDIR/hashedPasswords.nix
+  ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/
+
+  # tor
+  ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 >/dev/null || :
+  ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv
+
+  # tinc
+  ${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc
+  ${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null
+  ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv
+  ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv
+
+  # wireguard
+  ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key
+  ${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub
+
+  # system passwords
+  cat <<EOF > $TMPDIR/out/hashedPasswords.nix
   {
     root = "$HASHED_PASSWORD";
     mainUser = "$HASHED_PASSWORD";
   }
   EOF
 
-  cd $TMPDIR
-  for x in *; do
-    ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
-  done
-  echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null
+  set +f
+  if [ "''${DRYRUN-n}" = "n" ]; then
+    cd $TMPDIR/out
+    for x in *; do
+      ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
+    done
+    echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null
+    ${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null
+  fi
+  set -f
 
   cat <<EOF
-    $HOSTNAME = {
-      cores = 1;
-      nets = {
-        retiolum = {
-          ip4.addr = "10.243.0.changeme";
-          ip6.addr = r6 "changeme";
-          aliases = [
-            "$HOSTNAME.r"
-          ];
-          tinc.pubkey = ${"''"}
-  $(cat $TMPDIR/retiolum.rsa_key.pub)
-          ${"''"};
-        };
-        wiregrill = {
-          ip6.addr = w6 "changeme";
-          aliases = [
-            "$HOSTNAME.w"
-          ];
-          wireguard.pubkey = ${"''"}
-  $(cat $TMPDIR/wiregrill.pub)
-          ${"''"};
-        };
+  { r6, w6, ... }:
+  {
+    nets = {
+      retiolum = {
+        ip4.addr = "10.243.0.changeme";
+        ip6.addr = r6 "changeme";
+        aliases = [
+          "$HOSTNAME.r"
+        ];
+        tinc.pubkey = ${"''"}
+  $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/        /')
+        ${"''"};
+        tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')";
+      };
+      wiregrill = {
+        ip6.addr = w6 "changeme";
+        aliases = [
+          "$HOSTNAME.w"
+        ];
+        wireguard.pubkey = ${"''"}
+          $(cat $TMPDIR/wiregrill.pub)
+        ${"''"};
       };
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
-      ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
     };
+    ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
+  }
   EOF
-
-  rm -rf $TMPDIR
 ''
-
author	makefu <github@syntax-fehler.de>	2023-01-10 13:20:04 +0100
committer	makefu <github@syntax-fehler.de>	2023-01-10 13:20:04 +0100
commit	c691e94c45e6c5bdac531186374b185ea1790311 (patch)
tree	024f2e5b8aed015687f03b31b6e7c1ce743f009c /lass/5pkgs
parent	1929733c03dbff92f830cb81b57cf4ccf859d364 (diff)
parent	2818476f710410f1c752ce12becce10be0a8a293 (diff)