polish conf script a bit
parent
14e76af3f0
commit
24db36af0c
64
nixos/conf
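--- a/nixos/conf
+++ b/nixos/conf
@@ -1,55 +1,67 @@
 #!/usr/bin/env bash
-set -xeuo pipefail
-if ! [ -e secrets.nix ]
-then
-git crypt unlock
-fi
-export NIX_PATH=yori-nix=$PWD
+set -euo pipefail
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+export NIX_PATH=
 host=$1
-TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
-TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
 COPY_USER=yorick
+decrypt() {
+if ! [ -e secrets.nix ]
+then
+git crypt unlock
+fi
+}
+get_target_host() {
+TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
+TARGET_HOST=$(ssh $TARGET_HOST ip --json r get 1.1.1.1 | jq -r '.[0].prefsrc')
+}
+peek() {
+echo $ "$@" > /dev/stderr
+command "$@"
+}
+nix() {
+decrypt
+peek nix "$@"
+}
+nix-build() {
+decrypt
+peek nix-build "$@"
+}
 case $2 in
 copy-keys)
 nix build -f ../. yorick.machine."$host".config.deployment.keys-copy --out-link copy-keys
-./copy-keys/bin/copy-keys "$TARGET_HOST"
+get_target_host
+peek ./copy-keys/bin/copy-keys "$TARGET_HOST"
 # rm ./copy-keys
 ;;
-exec)
-CHANNEL=$(jq -r ".$2.pkgs"<servers.json)
-channel_url=$(get_channel "$CHANNEL")
-export NIX_PATH="$channel_url:nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
-"${@:3}"
-;;
 ssh)
-ssh root@"$TARGET_HOST"
+get_target_host
+peek ssh root@"$TARGET_HOST"
 ;;
-repl)
-exec "$0" exec "$2" nix repl '<nixpkgs>' '<nixpkgs/nixos>'
-;;
 build)
 nix build -f servers.nix "$host" --show-trace
 ;;
 copy)
+get_target_host
 nix copy -f servers.nix "$host" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
 ;;
 test)
+get_target_host
 outPath=$(nix-build servers.nix -A "$host")
 nix copy -f servers.nix "$host" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
-ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
+peek ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
 ;;
 boot)
+get_target_host
 outPath=$(nix-build servers.nix -A "$host")
 nix copy "$outPath" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
-ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
-ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
+peek ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+peek ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
 ;;
 switch)
+get_target_host
 outPath=$(nix-build servers.nix -A "$host")
 nix copy "$outPath" --show-trace --to "ssh://$COPY_USER@$TARGET_HOST"
-ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
-ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
+peek ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+peek ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
 ;;
-
-
 esac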
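Review bot: The new `get_target_host` assigns `TARGET_HOST` from `jq -r '.[0].prefsrc'` without checking the result, so an empty or literal `null` answer (no route on the remote, or a missing `ips.$host` entry) is carried straight into `ssh root@"$TARGET_HOST"` and the `nix copy --to "ssh://$COPY_USER@$TARGET_HOST"` targets in the `case` arms that now call it. A one-line guard after the second assignment fails early instead: `[[ -n "$TARGET_HOST" && "$TARGET_HOST" != null ]] || { printf 'no address for %s\n' "$host" >&2; return 1; }`. The first `ssh` in that function also receives `$TARGET_HOST` unquoted; `ssh "$TARGET_HOST" ip --json r get 1.1.1.1` keeps word-splitting and globbing out of the hostname. As a point of style, the log line in `peek` reads more conventionally as `printf '$ %s\n' "$*" >&2` than `echo $ "$@" > /dev/stderr`.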
@ -89,7 +89,7 @@ in {
|
||||||
};
|
};
|
||||||
"media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
|
"media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
|
||||||
};
|
};
|
||||||
deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
|
deployment.keyys = [ ../keys/http.muflax.key ];
|
||||||
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
|
||||||
networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
|
networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
|
||||||
(machine: publicKey: {
|
(machine: publicKey: {
|
||||||
|
|
|
@ -104,7 +104,7 @@ in {
|
||||||
ipv6 = true;
|
ipv6 = true;
|
||||||
hostName = machine;
|
hostName = machine;
|
||||||
};
|
};
|
||||||
deployment.keyys = [ (<yori-nix/keys> + "/wg.${machine}.key") ];
|
deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
|
||||||
networking.wireguard.interfaces.wg-y = {
|
networking.wireguard.interfaces.wg-y = {
|
||||||
privateKeyFile = "/root/keys/wg.${machine}.key";
|
privateKeyFile = "/root/keys/wg.${machine}.key";
|
||||||
ips = [ vpn.ips.${machine} ];
|
ips = [ vpn.ips.${machine} ];
|
||||||
|
|
|
@ -7,7 +7,7 @@ in {
|
||||||
namespace = mkOption { type = types.str; };
|
namespace = mkOption { type = types.str; };
|
||||||
};
|
};
|
||||||
config = {
|
config = {
|
||||||
deployment.keyys = [ (<yori-nix/keys> + "/wg.${cfg.name}.key") ];
|
deployment.keyys = [ (../keys + "/wg.${cfg.name}.key") ];
|
||||||
networking.wireguard.interfaces.${cfg.name} = {
|
networking.wireguard.interfaces.${cfg.name} = {
|
||||||
# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
|
# curl -s https://api.mullvad.net/www/relays/all/ | jq '.[] | select(.type == "wireguard" and .country_code == "nl")'
|
||||||
ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
|
ips = [ "10.66.30.26/32" "fc00:bbbb:bbbb:bb01::3:1e19/128" ];
|
||||||
|
|