131 lines
4.3 KiB
Makefile
131 lines
4.3 KiB
Makefile
SOPS_FILE := "../nix-secrets/.sops.yaml"
|
|
|
|
# Define path to helpers
|
|
export HELPERS_PATH := justfile_directory() + "/scripts/helpers.sh"
|
|
|
|
# default recipe to display help information
|
|
default:
|
|
@just --list
|
|
|
|
# Update commonly changing flakes and prep for a rebuild
|
|
rebuild-pre: update-nix-secrets
|
|
@git add --intent-to-add .
|
|
|
|
# Run post-rebuild checks, like if sops is running properly afterwards
|
|
rebuild-post: check-sops
|
|
|
|
# Run a flake check on the config and installer
|
|
check ARGS="":
|
|
NIXPKGS_ALLOW_UNFREE=1 REPO_PATH=$(pwd) nix flake check --impure --keep-going --show-trace {{ARGS}}
|
|
cd nixos-installer && NIXPKGS_ALLOW_UNFREE=1 REPO_PATH=$(pwd) nix flake check --impure --keep-going --show-trace {{ARGS}}
|
|
|
|
# Rebuild the system
|
|
rebuild: rebuild-pre && rebuild-post
|
|
# NOTE: Add --option eval-cache false if you end up caching a failure you cant get around
|
|
scripts/rebuild.sh
|
|
|
|
# Rebuild the system and run a flake check
|
|
rebuild-full: rebuild-pre && rebuild-post
|
|
scripts/rebuild.sh
|
|
just check
|
|
|
|
# Rebuild the system and run a flake check
|
|
rebuild-trace: rebuild-pre && rebuild-post
|
|
scripts/rebuild.sh trace
|
|
just check
|
|
|
|
# Update the flake
|
|
update:
|
|
nix flake update
|
|
|
|
# Update and then rebuild
|
|
rebuild-update: update rebuild
|
|
|
|
# Git diff there entire repo expcept for flake.lock
|
|
diff:
|
|
git diff ':!flake.lock'
|
|
|
|
# Generate a new age key
|
|
age-key:
|
|
nix-shell -p age --run "age-keygen"
|
|
|
|
# Check if sops-nix activated successfully
|
|
check-sops:
|
|
scripts/check-sops.sh
|
|
|
|
# Update nix-secrets flake
|
|
update-nix-secrets:
|
|
@(cd ../nix-secrets && git fetch && git rebase > /dev/null) || true
|
|
nix flake update nix-secrets --timeout 5
|
|
|
|
# Build an iso image for installing new systems and create a symlink for qemu usage
|
|
iso:
|
|
# If we dont remove this folder, libvirtd VM doesnt run with the new iso...
|
|
rm -rf result
|
|
nix build --impure .#nixosConfigurations.iso.config.system.build.isoImage && ln -sf result/iso/*.iso latest.iso
|
|
|
|
# Install the latest iso to a flash drive
|
|
iso-install DRIVE: iso
|
|
sudo dd if=$(eza --sort changed result/iso/*.iso | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync
|
|
|
|
# Configure a drive password using disko
|
|
disko DRIVE PASSWORD:
|
|
echo "{{PASSWORD}}" > /tmp/disko-password
|
|
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko -- \
|
|
--mode disko \
|
|
disks/btrfs-luks-impermanence-disko.nix \
|
|
--arg disk '"{{DRIVE}}"' \
|
|
--arg password '"{{PASSWORD}}"'
|
|
rm /tmp/disko-password
|
|
|
|
# Copy all the config files to the remote host
|
|
sync USER HOST PATH:
|
|
rsync -av --filter=':- .gitignore' -e "ssh -l {{USER}} -oport=22" . {{USER}}@{{HOST}}:{{PATH}}/nix-config
|
|
|
|
# Run nixos-rebuild on the remote host
|
|
build-host HOST:
|
|
NIX_SSHOPTS="-p22" nixos-rebuild --target-host {{HOST}} --use-remote-sudo --show-trace --impure --flake .#"{{HOST}}" switch
|
|
|
|
# Called by the rekey recipe
|
|
sops-rekey:
|
|
cd ../nix-secrets && for file in $(ls sops/*.yaml); do \
|
|
sops updatekeys -y $file; \
|
|
done
|
|
|
|
# Update all keys in sops/*.yaml files in nix-secrets to match the creation rules keys
|
|
rekey: sops-rekey
|
|
cd ../nix-secrets && \
|
|
(pre-commit run --all-files || true) && \
|
|
git add -u && (git commit -nm "chore: rekey" || true) && git push
|
|
|
|
# Update an age key anchor or add a new one
|
|
sops-update-age-key FIELD KEYNAME KEY:
|
|
#!/usr/bin/env bash
|
|
source {{HELPERS_PATH}}
|
|
sops_update_age_key {{FIELD}} {{KEYNAME}} {{KEY}}
|
|
|
|
# Update an existing user age key anchor or add a new one
|
|
sops-update-user-age-key USER HOST KEY:
|
|
just sops-update-age-key users {{USER}}_{{HOST}} {{KEY}}
|
|
|
|
# Update an existing host age key anchor or add a new one
|
|
sops-update-host-age-key HOST KEY:
|
|
just sops-update-age-key hosts {{HOST}} {{KEY}}
|
|
|
|
# Automatically create creation rules entries for a <host>.yaml file for host-specific secrets
|
|
sops-add-host-creation-rules USER HOST:
|
|
#!/usr/bin/env bash
|
|
source {{HELPERS_PATH}}
|
|
sops_add_host_creation_rules "{{USER}}" "{{HOST}}"
|
|
|
|
# Automatically create creation rules entries for a shared.yaml file for shared secrets
|
|
sops-add-shared-creation-rules USER HOST:
|
|
#!/usr/bin/env bash
|
|
source {{HELPERS_PATH}}
|
|
sops_add_shared_creation_rules "{{USER}}" "{{HOST}}"
|
|
|
|
# Automatically add the host and user keys to creation rules for shared.yaml and <host>.yaml
|
|
sops-add-creation-rules USER HOST:
|
|
just sops-add-host-creation-rules {{USER}} {{HOST}} && \
|
|
just sops-add-shared-creation-rules {{USER}} {{HOST}}
|