All-in-one
Combines the install and nixos-rebuild modules in one interface to install NixOS with nixos-anywhere and then keep it up to date with nixos-rebuild.
Example
# Static address of the machine to install; reused below as the instance id.
locals {
ipv4 = "192.0.2.1"
}
module "deploy" {
source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
# with flakes
nixos_system_attr = ".#nixosConfigurations.mymachine.config.system.build.toplevel"
nixos_partitioner_attr = ".#nixosConfigurations.mymachine.config.system.build.diskoScript"
# without flakes
# file can use (pkgs.nixos []) function from nixpkgs
#file = "${path.module}/../.."
#nixos_system_attr = "config.system.build.toplevel"
#nixos_partitioner_attr = "config.system.build.diskoScript"
# DNS host to deploy to
target_host = local.ipv4
# when instance id changes, it will trigger a reinstall
# (here tied to the address, so a new address means a fresh install)
instance_id = local.ipv4
# useful if something goes wrong
# debug_logging = true
# script is below; it runs locally and the files it places in its working
# directory are copied to the target's / directory during installation
extra_files_script = "${path.module}/decrypt-ssh-secrets.sh"
# each script runs locally; its output is written to `path` for disko during
# installation and is not copied to the installed system
disk_encryption_key_scripts = [{
path = "/tmp/secret.key"
# script is below
script = "${path.module}/decrypt-zfs-key.sh"
}]
}
Note: You need to mark the scripts as executable (`chmod +x`).
./decrypt-ssh-secrets.sh
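#!/usr/bin/env bash
# Decrypts the SSH host keys and the initrd SSH key from secrets.yaml (next to
# this script) with sops and places them under the current working directory,
# mirroring the target's filesystem layout (etc/ssh, var/lib/secrets).
# nixos-anywhere runs this as extra_files_script, so everything created here is
# copied to the target's / directory during installation.
#
# Fail fast: a failing sops call must abort the script instead of leaving an
# empty or partial key file behind that would then be installed on the target.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
SECRETS_FILE="$SCRIPT_DIR/secrets.yaml"

# Directories are created under the caller's umask; only the key files below
# get the restrictive modes.
mkdir -p etc/ssh var/lib/secrets

# Remember the caller's umask so it can be restored at the end rather than
# being replaced with a fixed value.
ORIGINAL_UMASK="$(umask)"

# Decrypt one entry of secrets.yaml into the given file. The umask in effect
# decides the created file's mode: 0177 -> 0600 for private keys,
# 0133 -> 0644 for public keys.
decrypt_key() {
  local key_name="$1" target="$2"
  sops --extract "[\"$key_name\"]" --decrypt "$SECRETS_FILE" >"$target"
}

# Private key: readable by its owner only.
umask 0177
decrypt_key initrd_ssh_key ./var/lib/secrets/initrd_ssh_key

for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
  if [[ $keyname == *.pub ]]; then
    umask 0133
  else
    umask 0177
  fi
  decrypt_key "$keyname" "./etc/ssh/$keyname"
done

umask "$ORIGINAL_UMASK"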
./decrypt-zfs-key.sh
#!/usr/bin/env bash
# Decrypts the ZFS encryption key from secrets.yaml (next to this script) with
# sops and prints it to stdout. nixos-anywhere runs this locally as one of the
# disk_encryption_key_scripts and writes the output to the configured path
# (/tmp/secret.key in the example) for disko; the key is not copied to the
# installed system.
set -euo pipefail
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
# Run from the script's directory; presumably so sops picks up a .sops.yaml
# stored alongside secrets.yaml — confirm.
cd "$SCRIPT_DIR"
sops --extract '["zfs-key"]' --decrypt "$SCRIPT_DIR/secrets.yaml"
See also
- nixos-wiki setup for hetzner-cloud
Requirements
No requirements.
Providers
No providers.
Modules
Name | Source | Version |
---|---|---|
install | ../install | n/a |
nixos-rebuild | ../nixos-rebuild | n/a |
partitioner-build | ../nix-build | n/a |
system-build | ../nix-build | n/a |
Resources
No resources.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
debug_logging | Enable debug logging | bool | false | no |
deployment_ssh_key | Content of private key used to deploy to the target_host after initial installation. To ensure maximum security, it is advisable to connect to your host using ssh-agent instead of relying on this variable | string | null | no |
disk_encryption_key_scripts | Each script will be executed locally. The output of each is written to the given path and passed to disko during installation. The keys will not be copied to the final system | list(object({ | [] | no |
extra_environment | Extra environment variables to be set during installation. This can be useful to set extra variables for the extra_files_script or disk_encryption_key_scripts | map(string) | {} | no |
extra_files_script | A script that should place files in the current directory that will be copied to the target's / directory | string | null | no |
file | Nix file containing the nixos_system_attr and nixos_partitioner_attr. Use this if you are not using flakes | string | null | no |
install_port | SSH port used to connect to the target_host, before installing NixOS. If null then the value of target_port is used | string | null | no |
install_ssh_key | Content of private key used to connect to the target_host during initial installation | string | null | no |
install_user | SSH user used to connect to the target_host, before installing NixOS. If null then the value of target_host is used | string | null | no |
instance_id | The instance id of the target_host, used to track when to reinstall the machine | string | null | no |
kexec_tarball_url | NixOS kexec installer tarball url | string | null | no |
nix_options | Options passed to nix | map(string) | {} | no |
nixos_partitioner_attr | NixOS partitioner and mount script, i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated.config.system.build.diskoNoDeps. config.system.build.diskoNoDeps is provided by the disko NixOS module | string | n/a | yes |
nixos_system_attr | The NixOS system to deploy, i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | string | n/a | yes |
no_reboot | DEPRECATED: Use phases instead. Do not reboot after installation | bool | false | no |
phases | Phases to run | set(string) | [ | no |
stop_after_disko | DEPRECATED: Use phases instead. Exit after disko formatting | bool | false | no |
target_host | DNS host to deploy to | string | n/a | yes |
target_port | SSH port used to connect to the target_host after installing NixOS. If install_port is not set then this port is also used before installing. | number | 22 | no |
target_user | SSH user used to connect to the target_host after installing NixOS. If install_user is not set then this user is also used before installing. | string | "root" | no |
Outputs
Name | Description |
---|---|
result | n/a |