From 0b2342ff137fe49deac2a21802be98e9f9898401 Mon Sep 17 00:00:00 2001 From: muon Date: Mon, 4 Aug 2025 20:11:49 +0000 Subject: [PATCH] Fix install script --- hosts/muin/configuration.nix | 9 +++ hosts/muin/hardware-configuration.nix | 33 ++++----- hosts/muin/home.nix | 96 ++++++++++++++++++--------- modules/nixos/sops/default.nix | 47 +++++++------ modules/nixos/sops/secrets.yaml | 5 +- 5 files changed, 121 insertions(+), 69 deletions(-) diff --git a/hosts/muin/configuration.nix b/hosts/muin/configuration.nix index dc20c2e..bce8b8b 100644 --- a/hosts/muin/configuration.nix +++ b/hosts/muin/configuration.nix @@ -1,6 +1,8 @@ { inputs, system, + config, + lib, ... }: { # Hardware @@ -10,6 +12,13 @@ + "/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix") ]; + # Install + environment.etc.sops-key = { + source = "/home/muon/.config/sops-nix/secrets/sops-key"; + target = "sops-nix/key.txt"; + }; + sops.age.keyFile = lib.mkForce "/etc/sops-nix/key.txt"; + # System mods.user.name = "muon"; networking.hostName = "murk"; diff --git a/hosts/muin/hardware-configuration.nix b/hosts/muin/hardware-configuration.nix index 54d8a67..5c632b0 100644 --- a/hosts/muin/hardware-configuration.nix +++ b/hosts/muin/hardware-configuration.nix 
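Review bot: `sops.age.keyFile = lib.mkForce "/etc/sops-nix/key.txt"` is pointed at a file whose source, `/home/muon/.config/sops-nix/secrets/sops-key`, is itself a decrypted sops secret (`secrets.sops-key` in modules/nixos/sops/default.nix and the new entry in secrets.yaml); if that secret holds the age key that decrypts `secrets.yaml`, nothing can produce it on first boot, so please confirm the bootstrap order or document it next to the `mkForce`. Using a string rather than a `./path` literal for `source` is the right choice, because a path literal would copy the private key into the world-readable Nix store; that deserves a comment such as `# string on purpose: a ./path literal would copy the key into /nix/store`. `environment.etc` entries default to a symlink, so the key reached through `/etc/sops-nix/key.txt` is protected only by the permissions of the file in the user's home; stating the expected mode there, or setting `user`/`mode` on this entry, would make that explicit.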
@@ -8,24 +8,25 @@ modulesPath, ... }: { - # imports = - # [ (modulesPath + "/installer/scan/not-detected.nix") - # ]; - # - # hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + boot.supportedFilesystems = ["btrfs"]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; networking.useDHCP = lib.mkForce true; - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - virtualisation.vmVariant = { - # following configuration is added only when building VM with build-vm - virtualisation = { - memorySize = 4096; # Use 2048MiB memory. - cores = 3; - }; - }; + # imports = [ + # (modulesPath + "/profiles/qemu-guest.nix") + # ]; + # + # virtualisation.vmVariant = { + # # following configuration is added only when building VM with build-vm + # virtualisation = { + # memorySize = 4096; # Use 2048MiB memory. + # cores = 3; + # }; + # }; } diff --git a/hosts/muin/home.nix b/hosts/muin/home.nix index 0c1400a..6e9de07 100644 --- a/hosts/muin/home.nix +++ b/hosts/muin/home.nix 
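Review bot: The qemu-guest import and `virtualisation.vmVariant` block are commented out rather than deleted; git history keeps the old text, so removing the eleven `#` lines would leave the file readable and avoid a stale `# imports = [` that reads like a second `imports` attribute. `boot.supportedFilesystems = ["btrfs"];` carries no comment on why a hardware config enables it, presumably so the installer image can mount the btrfs target the install script formats; a one-liner such as `# the installer image must be able to mount the btrfs target after disko` would help. If the VM variant is still wanted for build-vm, gating it with `lib.mkIf` on an option is cleaner than toggling comments.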
@@ -10,53 +10,85 @@ installScript = pkgs.writeShellApplication { name = "install-flake"; text = '' - echo "Cloning config..." - git clone https://codeberg.org/muon/home + msg() { + printf "\033[01;32minstall-flake: \033[0m%s\n" "$1" + } + + msg "Cloning config..." + if [[ ! "$PWD" == "$HOME" ]]; then + cd + fi + if [[ ! -d "home" ]]; then + git clone https://codeberg.org/muon/home + else + msg "Already cloned!" + fi cd home nvim hosts/"$(hostname)"/disk-config.nix - echo "Running disko..." - sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/"$(hostname)"/disk-config.nix + msg "Running disko..." + if ! mount | grep "on /mnt" ; then + sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount hosts/"$(hostname)"/disk-config.nix + else + msg "Already mounted!" + fi - echo "Making blank root snapshot..." + msg "Making blank root snapshot..." sudo mkdir -p /tmp/mnt sudo mount /dev/mapper/crypted /tmp/mnt - sudo btrfs subvolume snapshot -r /tmp/mnt/root /tmp/mnt/root-blank + if [[ ! -e /tmp/mnt/root-blank ]]; then + sudo btrfs subvolume snapshot -r /tmp/mnt/root /tmp/mnt/root-blank + else + msg "Already snapshotted!" + fi sudo umount /tmp/mnt - echo "Retrieving sops key..." - rbw config set email admin@muon.host - rbw config set base_url https://vault.muon.host - rbw login + msg "Retrieving sops key..." + sudo mkdir -p /mnt/persist/var/lib/sops-nix + if [[ ! -e /mnt/persist/var/lib/sops-nix/key.txt ]]; then + rbw config set email admin@muon.host + rbw config set base_url https://vault.muon.host + rbw login + rbw get sops | sudo tee /mnt/persist/var/lib/sops-nix/key.txt + # sudo cp /etc/sops-nix/key.txt /mnt/persist/var/lib/sops-nix/key.txt + sudo chown muon:users /mnt/persist/var/lib/sops-nix -R + else + msg "Already retrieved!" 
+ fi - sudo mkdir -p /persist/var/lib/sops-nix - rbw get sops > /mnt/persist/var/lib/sops-nix/key.txt - sudo chown muon:users /mnt/persist/var/lib/sops-nix -R - - echo "Setting hardware config..." + msg "Setting hardware config..." sudo nixos-generate-config --no-filesystems --root /mnt cp /mnt/etc/nixos/hardware-configuration.nix hosts/"$(hostname)"/hardware-configuration.nix - echo "Installing NixOS config..." + msg "Installing NixOS config..." sudo nixos-install --root /mnt --no-root-passwd --flake .#"$(hostname)" - echo "Edit persistent filesystem..." - PERSIST="$HOME/persist" + msg "Edit persistent filesystem..." + PERSIST="$HOME/persist.sh" + if [[ ! -e $PERSIST ]]; then + sudo cp "$HOME/persist.txt" "$PERSIST" + sudo chmod +w "$PERSIST" + fi nvim "$PERSIST" - echo "Copying persistent filesystem..." + msg "Copying persistent filesystem..." make_persist() { - F="/mnt$1" - P="/mnt/persist$1" - if [[ -d "$F" ]]; then - mkdir -p "$F" "$P" - elif [[ -f "$F" ]]; then - mkdir -p "$(dirname "$F")" "$(dirname "$P")" + F="$1" + P="/mnt/persist''${1#/mnt}" + echo "$P" + if [[ -e "$F" ]]; then + sudo mkdir -p "$(dirname "$P")" else - echo "Error: $F does not exist!" - return 1 + msg "Error: $F does not exist!" + return 0 + fi + if [[ -d "$F" ]]; then + if [[ -n "$( ls -A "$F")" ]]; then + sudo cp -r "$F/"* "$P" + fi + elif [[ -f "$F" ]]; then + sudo cp "$F" "$P" fi - cp -r "$F" "$P" } grep -v '^#' "$PERSIST" | while read -r file ; do make_persist "$file" @@ -65,14 +97,16 @@ }; in { # Install + # sops.age.keyFile = lib.mkForce "/etc/sops-nix/key.txt"; + programs.atuin.enable = lib.mkForce false; home.file.persist = { target = "persist.txt"; text = '' - /var/lib/nixos - /var/lib/systemd/coredump + /mnt/var/lib/nixos + /mnt/var/lib/systemd/coredump + /mnt/etc/machine-id /etc/NetworkManager /var/lib/NetworkManager - /etc/machine-id ''; }; home.packages = with pkgs; diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix index e021207..7aba11d 100644 
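Review bot: `rbw get sops | sudo tee /mnt/persist/var/lib/sops-nix/key.txt` prints the age private key to the terminal (and to any capture of the install session) and creates the file with root's default umask before the recursive chown hands it to `muon`; redirect and tighten it: `rbw get sops | sudo tee /mnt/persist/var/lib/sops-nix/key.txt >/dev/null` followed by `sudo chmod 600 /mnt/persist/var/lib/sops-nix/key.txt`. In `make_persist` the directory branch only creates `$(dirname "$P")`, so when `$P` does not yet exist `sudo cp -r "$F/"* "$P"` fails for a directory with several entries and silently renames a single entry to `$P`; add `sudo mkdir -p "$P"` inside the `[[ -d "$F" ]]` branch (the `*` glob also skips dotfiles, and `sudo cp -a "$F/." "$P"` copies everything while keeping ownership and modes). `if ! mount | grep "on /mnt"` matches any path beginning with `/mnt` and prints the matching lines; `mountpoint -q /mnt` is the precise test. The stray `echo "$P"` looks like leftover debugging. The script's closing `''` and the `installScript` attribute end outside the hunk.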
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@@ -1,21 +1,28 @@
-{ pkgs, lib, config, inputs, system, ... }:
-let cfg = config.mods;
-in with lib; {
- imports = [ inputs.sops-nix.nixosModules.sops ];
- sops = {
- age.keyFile = "/persist/var/lib/sops-nix/key.txt";
- defaultSopsFile = ./secrets.yaml;
- secrets.muon-password.neededForUsers = true;
- secrets.zipline-secret = mkIf cfg.server.share.enable {
- owner = "zipline";
- group = "zipline";
+{
+ pkgs,
+ lib,
+ config,
+ inputs,
+ system,
+ ...
+}: let
+ cfg = config.mods;
+in
+ with lib; {
+ imports = [inputs.sops-nix.nixosModules.sops];
+ sops = {
+ age.keyFile = "/persist/var/lib/sops-nix/key.txt";
+ defaultSopsFile = ./secrets.yaml;
+ secrets.muon-password.neededForUsers = true;
+ secrets.zipline-secret = mkIf cfg.server.share.enable {
+ owner = "zipline";
+ group = "zipline";
+ };
+ secrets.htpasswd = mkIf cfg.server.cal.enable {
+ owner = "radicale";
+ group = "radicale";
+ };
+ secrets.lemmy-password = mkIf cfg.server.lemmy.enable {};
+ secrets.sops-key = {};
 };
- secrets.htpasswd = mkIf cfg.server.cal.enable {
- owner = "radicale";
- group = "radicale";
- };
- secrets.lemmy-password = mkIf cfg.server.lemmy.enable {
-
- };
- };
-}
+ }
diff --git a/modules/nixos/sops/secrets.yaml b/modules/nixos/sops/secrets.yaml
index 882964c..af4ed6a 100644
--- a/modules/nixos/sops/secrets.yaml
+++ b/modules/nixos/sops/secrets.yaml
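Review bot: `secrets.sops-key = {};` declares a NixOS-level secret, which sops-nix exposes under its default secrets mount (`/run/secrets/sops-key`), but the installer configuration in this commit reads `/home/muon/.config/sops-nix/secrets/sops-key`; unless something outside this diff writes that path, the new secret and the `/etc/sops-nix/key.txt` symlink never meet, and I cannot tell which from here. A comment on the new entry would settle it, e.g. `# TODO: document what this holds and which config consumes it (hosts/muin points /etc/sops-nix/key.txt at ~/.config/sops-nix/secrets/sops-key)`. The rest of the hunk is a formatter pass (two-space nesting, `{}` collapsed onto one line); keeping the reformat separate from the one functional line would keep blame on `age.keyFile` readable.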
@@ -2,6 +2,7 @@ muon-password: ENC[AES256_GCM,data:K2ifHvs8hQXK4//FXf3vfDliiklx0dTn8gpirTBT07Q1X zipline-secret: ENC[AES256_GCM,data:cdqPWBUg6FZkBrUYNkm7imntc2hXUAxDjd1Ymr3j9y763cbXDYEu44wJF0W1Ng==,iv:sdjV4SkRCTO04AvXqtoPOPyASlitrS4nS+M0Z2lZURA=,tag:gNcOdJvg9PtrRlm84CdbsQ==,type:str] htpasswd: ENC[AES256_GCM,data:YbDNElLsvRtC1ezgxIYI6U+ZZES1Lr6BXamNdbxQibj0NfC9oobP7ed8MQpFTlhhJZx5I5Xa6XtFrvjdo13NtdU=,iv:P98P1XxtdCp7+TuAwKybzjcWGF1OQtnAuQs4ObZct7o=,tag:gXrQaBxUvuVSB5yYhWcihA==,type:str] lemmy-password: ENC[AES256_GCM,data:VVPbhW6l+VYSUfmlySPSwITwonKQHaIY,iv:XcwM7Sz2novn3cHt4EK5HAZkYVPfPqwIcGtTWMQPByg=,tag:0b8epk98eTcx7b57yGcjpw==,type:str] +sops-key: ENC[AES256_GCM,data:CT2FJnxRV0nVccCS+bofjIDqoVnJKMs63BVdmC4KEXEJAdsiyINTNJ+19aMqIkr2eosvXX1+nvV6oeBvNv1uN9xCrrzu4Qj0yRA=,iv:w9Fp68KK8hnUirlDGOYKSQwlfp3OBWU4XWqliZn/apc=,tag:XZdhC65WpcazSol1mbdp5A==,type:str] sops: age: - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc @@ -40,7 +41,7 @@ sops: VFdIbUg1WjlldFFNbGx3dytQNXBsMDgKuU/86fojKVJ5X8+9OIf3k7ud6bujjyFI HQoONJgXGoQJtkPsmJbMUuMjo/znK+tdCd/uAwxK1Nk670NVxGmJYA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-17T09:59:07Z" - mac: ENC[AES256_GCM,data:ewURL+W/C0XnEJiXipeSXr5F5hItD3LPMdThjBg1ObY/N7Tb28Tm18vCOpbr37H0gDWnDjNu2rzVN3+XjrbVzXe7n4YUzN2sZa2zZEJhHDTyQWdiPtMpApXeu1Va621EQymDyTm7N2hJz3MvadiWYIv/ft685FPY7qRX7pluUFc=,iv:FIoClE4hX8+PBHY5LOFeSowxSrAHIaDPFblD6Pkakes=,tag:FepKajXRusCbLTlJGPKm6g==,type:str] + lastmodified: "2025-08-04T09:14:07Z" + mac: ENC[AES256_GCM,data:Qu5kuhV2c31S9l01e7IWCrjLKU8eBepK42eR1nEvPpoHqXxbIT3vcDbxJdcn2Ay6Z4pARYqmHctVDOCiilxFyYfzF8mP91u6NhsZC5kHMdP7GI5Pl5FXSCMxQbbBWgXxJXruq/NkrlrLnFTWyzBRLa4wTBZdDMZ2CGo6jLi7G0o=,iv:q3WG536FkLpYEp8AAcW0agYq6rDIhzzt47l7grDvGyo=,tag:T5msy2cSZ/bZ9HvbxTw0Rg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2