swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: improve bootstrapping toolchain

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-11-25 19:54:01 +01:00
parent 4780f50bd1
commit dcbca0f082
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
3 changed files with 42 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

42
files/scripts/swarsel-bootstrap.sh
View file

@ -8,6 +8,8 @@ target_user="swarsel"
ssh_port="22" ssh_port="22"
persist_dir="" persist_dir=""
disk_encryption=0 disk_encryption=0
disk_encryption_args=""
no_disko_deps="false"
temp=$(mktemp -d) temp=$(mktemp -d)
function help_and_exit() { function help_and_exit() {
@ -27,6 +29,7 @@ function help_and_exit() {
echo " Default='${target_user}'." echo " Default='${target_user}'."
echo " --port <ssh_port> specify the ssh port to use for remote access. Default=${ssh_port}." echo " --port <ssh_port> specify the ssh port to use for remote access. Default=${ssh_port}."
echo " --debug Enable debug mode." echo " --debug Enable debug mode."
echo " --no-disko-deps Upload only disk script and not dependencies (for use on low ram)."
echo " -h | --help Print this help." echo " -h | --help Print this help."
exit 0 exit 0
} }
@ -80,14 +83,14 @@ function update_sops_file() {
SOPS_FILE=".sops.yaml" SOPS_FILE=".sops.yaml"
sed -i "{ sed -i "{
# Remove any * and & entries for this host # Remove any * and & entries for this host
/[*&]$key_name/ d; /[*&]$key_name/ d;
# Inject a new age: entry # Inject a new age: entry
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
/age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; /age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
# Inject a new hosts or user: entry # Inject a new hosts or user: entry
/&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
}" $SOPS_FILE }" $SOPS_FILE
green "Updating .sops.yaml" green "Updating .sops.yaml"
cd - cd -
} }
@ -114,6 +117,9 @@ while [[ $# -gt 0 ]]; do
shift shift
ssh_port=$1 ssh_port=$1
;; ;;
--no-disko-deps)
no_disko_deps="true"
;;
--debug) --debug)
set -x set -x
;; ;;
@ -131,6 +137,12 @@ if [[ $target_arch == "" || $target_destination == "" || $target_hostname == ""
help_and_exit help_and_exit
fi fi
LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)"
if [[ $LOCKED == "true" ]]; then
red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING"
exit
fi
green "~SwarselSystems~ remote installer" green "~SwarselSystems~ remote installer"
green "Reading system information for $target_hostname ..." green "Reading system information for $target_hostname ..."
@ -141,6 +153,11 @@ CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.sw
if [[ $CRYPTED == "true" ]]; then if [[ $CRYPTED == "true" ]]; then
green "Encryption: ✓" green "Encryption: ✓"
disk_encryption=1 disk_encryption=1
disk_encryption_args=(
--disk-encryption-keys
/tmp/disko-password
/tmp/disko-password
)
else else
red "Encryption: X" red "Encryption: X"
disk_encryption=0 disk_encryption=0
@ -233,7 +250,14 @@ $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "$
# ------------------------ # ------------------------
green "Deploying minimal NixOS installation on $target_destination" green "Deploying minimal NixOS installation on $target_destination"
nix run github:nix-community/nixos-anywhere/1.10.0 -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
if [[ $no_disko_deps == "true" ]]; then
green "Building without disko dependencies (using custom kexec)"
nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --no-disko-deps --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" --kexec "$(nix build --print-out-paths .#packages."$target_arch".swarsel-kexec)/swarsel-kexec-$target_arch.tar.gz" root@"$target_destination"
else
green "Building with disko dependencies (using nixos-images kexec)"
nix run github:nix-community/nixos-anywhere/1.10.0 -- "${disk_encryption_args[@]}" --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
fi
echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true

7
justfile
View file

@ -23,5 +23,8 @@ dd DRIVE ISO:
sync USER HOST: sync USER HOST:
rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
bootstrap DEST CONFIG ARCH="x86_64-linux": secrets USER HOST:
nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" rsync -rltv -e "ssh -l {{USER}}" /var/tmp/nix-import-encrypted/1000/ {{USER}}@{{HOST}}:/var/tmp/nix-import-encrypted/0
bootstrap DEST CONFIG ARCH="x86_64-linux" NODISKODEPS="":
nix develop .#deploy --command zsh -c "swarsel-bootstrap {{NODISKODEPS}} -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}"

4
modules/nixos/common/meta.nix
View file

@ -11,6 +11,10 @@
description = "Node Name."; description = "Node Name.";
type = lib.types.str; type = lib.types.str;
}; };
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
};
}; };
}; };
} }