diff --git a/nixos/conf b/nixos/conf
index 611a17e..e2238cc 100755
--- a/nixos/conf
+++ b/nixos/conf
@@ -1,55 +1,67 @@
 #!/usr/bin/env bash
-set -xeuo pipefail
-if ! [ -e secrets.nix ]
-then
- git crypt unlock
-fi
-export NIX_PATH=yori-nix=$PWD
+set -euo pipefail
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+export NIX_PATH=
 host=$1
-TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
-TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
 COPY_USER=yorick
+decrypt() {
+ if ! [ -e secrets.nix ]
+ then
+ git crypt unlock
+ fi
+}
+get_target_host() {
+ TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
+ TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
+}
+peek() {
+ echo $ "$@" > /dev/stderr
+ command "$@"
+}
+nix() {
+ decrypt
+ peek nix "$@"
+}
+nix-build() {
+ decrypt
+ peek nix-build "$@"
+}
 case $2 in
 copy-keys)
 nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
- ./copy-keys/bin/copy-keys "$TARGET_HOST"
+ get_target_host
+ peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
 # rm ./copy-keys
 ;;
- exec)
- CHANNEL=$(jq -r ".$2.pkgs"' ''
- ;;
 build)
 nix build -f servers.nix "$host" --show-trace
 ;;
 copy)
+ get_target_host
 nix copy -f servers.nix "$host" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
 ;;
 test)
+ get_target_host
 outPath=$(nix-build servers.nix -A "$host")
 nix copy -f servers.nix "$host" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
- ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
+ peek ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
 ;;
 boot)
+ get_target_host
 outPath=$(nix-build servers.nix -A "$host")
 nix copy "$outPath" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
- ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
- ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
+ peek ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+ peek ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
 ;;
 switch)
+ get_target_host
 outPath=$(nix-build servers.nix -A "$host")
 nix copy "$outPath" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
- ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
- ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
+ peek ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+ peek ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
 ;;
-
-
 esac
diff --git a/nixos/logical/pennyworth.nix b/nixos/logical/pennyworth.nix
index bf30863..821ee9c 100644
--- a/nixos/logical/pennyworth.nix
+++ b/nixos/logical/pennyworth.nix
@@ -89,7 +89,7 @@ in {
 };
 "media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
 };
- deployment.keyys = [ ];
+ deployment.keyys = [ ../keys/http.muflax.key ];
 networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
 networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 1d51d9a..aa77df5 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -104,7 +104,7 @@ in {
 ipv6 = true;
 hostName = machine;
 };
- deployment.keyys = [ ( + "/wg.${machine}.key") ];
+ deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
 networking.wireguard.interfaces.wg-y = {
 privateKeyFile = "/root/keys/wg.${machine}.key";
 ips = [ vpn.ips.${machine} ];
diff --git a/nixos/services/torrent-wg.nix b/nixos/services/torrent-wg.nix
index 78198d6..e8001e8 100644
--- a/nixos/services/torrent-wg.nix
+++ b/nixos/services/torrent-wg.nix
@@ -7,7 +7,7 @@ in {
 namespace = mkOption { type = types.str; };
 };
 config = {
- deployment.keyys = [ ( + "/wg.${cfg.name}.key") ];
+ deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ];
 networking.wireguard.interfaces.${cfg.name} = {
 # curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
 ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
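Review bot: `get_target_host` takes the output of `jq -r '.[0].prefsrc'` at face value, so when the probed host has no route to 1.1.1.1 the pipeline prints the literal string `null` and the `copy`/`test`/`boot`/`switch` arms go on to deploy to `ssh://$COPY_USER@null` instead of stopping; `jq -er '.[0].prefsrc'` exits non-zero on a null or missing value, which `set -euo pipefail` then turns into an abort before anything is copied. The same function leaves `ips.$host` and `ssh $TARGET_HOST` unquoted; since the lines are being moved anyway, `"ips.$host"` and `ssh "$TARGET_HOST"` would close that off. In `peek`, `echo $ "$@" > /dev/stderr` would be more robust as `printf '$ %s\n' "$*" >&2`, because `echo` may interpret backslashes in the traced arguments and `/dev/stderr` is not openable in every environment where fd 2 is usable. `decrypt` only tests `-e secrets.nix`; if that file is itself git-crypt tracked it exists as ciphertext in a fresh clone and the unlock never runs, so a comment stating whether it is untracked or generated would make the check's intent clear to the next reader.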
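Review bot: `deployment.keyys = [ ../keys/http.muflax.key ]` here, and `(../keys + "/wg.${machine}.key")` / `(../keys + "/wg.${cfg.name}.key")` in nixos/roles/default.nix and nixos/services/torrent-wg.nix, now pass private key material as Nix path values; a path value that gets coerced to a string inside any derivation is copied into the world-readable Nix store, so this is only safe if whatever consumes `deployment.keyys` reads the files out of band, which this diff does not show. The script side of the commit runs `git crypt unlock`, which suggests `../keys` is git-crypt encrypted in the repository, but that is an inference rather than something visible here. The removed `( + "/wg.${machine}.key")` reads like a `<…>` NIX_PATH lookup whose angle brackets were lost in rendering, consistent with the script now setting `NIX_PATH=` empty, so a short comment next to these assignments, e.g. `# plain paths, resolved by the deployer; never reference these from a derivation`, would pin the contract that replaced it.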