fancy new runner

2025-11-25 15:24:59 -05:00 · 2025-11-25 15:24:59 -05:00 · 8e5d215275
commit 8e5d215275
parent d28ec06ae9
5 changed files with 117 additions and 61 deletions
--- a/shell.nix
+++ b/shell.nix
@ -0,0 +1,85 @@
+{
+  pkgs ?
+  # If pkgs is not defined, instantiate nixpkgs from locked commit
+  # yoinked from (github.com/EmergentMind/nix-config)
+  let
+    lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked;
+    nixpkgs = builtins.fetchTarball {
+      url = "https://github.com/${lock.owner}/${lock.repo}/archive/${lock.rev}.tar.gz";
+      sha256 = lock.narHash;
+    };
+  in
+    builtins.import nixpkgs { overlays = [ ]; },
+  ...
+}:
+pkgs.mkShell {
+  nativeBuildInputs = with pkgs.buildPackages; [
+    git
+    openssh
+    ssh-to-age
+    nixos-anywhere
+
+    (pkgs.writeShellScriptBin "-sops" "sops updatekeys secrets.yaml")
+
+    (pkgs.writeShellScriptBin "-init" ''
+    USER="root"
+    if [ -z "$1" ] || [ -z "$2" ]; then
+      echo "the 1st argument must be the ip address"
+      echo "the 2nd argument must be the new hostname (the nix flake host)"
+      echo "the 3rd argument may be the user to ssh with if unset the default is root"
+      exit 0
+    fi
+
+    IP=$1
+    HOST=$2
+    if [ -n "$3" ]; then
+      USER=$3
+    fi
+
+    # get the remote systems ssh key
+    key=$(ssh $(USER)@$(IP) 'cat /etc/ssh/ssh_host_ed25519_key.pub' | ssh-to-age)
+    if [ -z "$key" ]; then
+      echo "failed to get the remote systems ssh pubkey"
+      exit 1
+    fi
+
+    # add the new sops key to the .sops.yaml
+    sed -i '/# new-host marker/i\    - &$(HOST) $(key)' .sops.yaml
+    sed -i '/# new-host ptr marker/i\        - *$(HOST)' .sops.yaml
+
+    # update the keys
+    sops updatekeys secrets.yaml
+
+    # push the flake to the remote system
+    nixos-anywhere --\
+    --flake .#$(HOST)\
+    --build-on remote\
+    --generate-hardware-config nixos-generate-config ./hosts/$(HOST)/hardware-configuration.nix\
+    --target-host $(USER)@$(IP)
+    '')
+
+    (pkgs.writeShellScriptBin "-deploy" ''
+    # there shall be no impurity
+    if [ -n "$(git diff)" ]; then
+      git add .
+      git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`"
+    fi
+
+    # push flake config to a remote server(s)
+    nix run github:serokell/deploy-rs . # this needs to be the same version that the flake is using
+    '')
+  ];
+
+  shellHook = ''
+  cat << EOF
+  # This is my tiny nix shell to create new machines and update existing ones
+  # it requires you to have nix and sops installed to correctly setup a new
+  # system and nix to deploy to an existing one.
+  #
+  # Available commands:
+  # '-sops' -> updates your sops secret file
+  # '-init' -> initializes a new system with nix-anywhere
+  # '-deploy' -> deploys the existing flake to all nodes using deploy-rs
+  EOF
+  '';
+}