nixos-anywhere/terraform/all-in-one.md

All-in-one

Combines the install and nixos-rebuild modules in one interface: NixOS is installed with nixos-anywhere and afterwards kept up to date with nixos-rebuild.

Example

locals {
  ipv4 = "192.0.2.1"
}

module "deploy" {
  # unpinned module source; pin it to a tag or commit with "?ref=<tag-or-commit>"
  # so a later apply does not silently pick up upstream changes
  source                 = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
  # with flakes
  nixos_system_attr      = ".#nixosConfigurations.mymachine.config.system.build.toplevel"
  nixos_partitioner_attr = ".#nixosConfigurations.mymachine.config.system.build.diskoScript"
  # without flakes
  # the file can build the system with the (pkgs.nixos []) function from nixpkgs
  #file                   = "${path.module}/../.."
  #nixos_system_attr      = "config.system.build.toplevel"
  #nixos_partitioner_attr = "config.system.build.diskoScript"

  target_host            = local.ipv4
  # when the instance id changes, a reinstall is triggered; tying it to the
  # address means a replaced server that reuses the address is not reinstalled
  instance_id            = local.ipv4
  # useful if something goes wrong
  # debug_logging          = true
  # script is below
  extra_files_script     = "${path.module}/decrypt-ssh-secrets.sh"
  disk_encryption_key_scripts = [{
    path   = "/tmp/secret.key"
    # script is below
    script = "${path.module}/decrypt-zfs-key.sh"
  }]
}

Note: both scripts must be marked executable (chmod +x decrypt-ssh-secrets.sh decrypt-zfs-key.sh), otherwise the module cannot run them.
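The example above derives instance_id from the address, so a server that is destroyed and recreated with the same address is not reinstalled. The following variant, added here and not taken from the module's documentation, ties instance_id to the identity of the cloud resource instead; `hcloud_server.mymachine` is a placeholder resource assumed for illustration, and its arguments are left out:

```hcl
# Added example: instance_id bound to the resource id, not the address.
resource "hcloud_server" "mymachine" {
  # ... provider-specific arguments (name, image, server_type, ...) ...
}

module "deploy" {
  source                 = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
  nixos_system_attr      = ".#nixosConfigurations.mymachine.config.system.build.toplevel"
  nixos_partitioner_attr = ".#nixosConfigurations.mymachine.config.system.build.diskoScript"

  # address used for SSH during and after the installation
  target_host            = hcloud_server.mymachine.ipv4_address
  # a replaced server gets a new id, so it is reinstalled even if the address is
  # reused; an unchanged id keeps the module on nixos-rebuild only
  instance_id            = hcloud_server.mymachine.id
}
```

With this wiring terraform orders the module after the server resource automatically, and a `terraform taint`/replace of the server is what drives a fresh nixos-anywhere run.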

./decrypt-ssh-secrets.sh

#!/usr/bin/env bash

# Abort on the first failing command: without this a failed sops call leaves
# an empty key file behind and the installation proceeds with it.
set -euo pipefail

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# The module runs this script in a scratch directory that is later copied onto
# / of the target, so all paths are relative to that root. Create the
# directories before tightening the umask so they stay traversable.
mkdir -p etc/ssh var/lib/secrets

# private key for the initrd SSH daemon: owner-only (0600) from the moment it is written
umask 0177
sops --extract '["initrd_ssh_key"]' --decrypt "$SCRIPT_DIR/secrets.yaml" >./var/lib/secrets/initrd_ssh_key

# restore umask
umask 0022

# host keys: private parts 0600, public parts 0644
for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
  if [[ $keyname == *.pub ]]; then
    umask 0133
  else
    umask 0177
  fi
  sops --extract "[\"$keyname\"]" --decrypt "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
done

./decrypt-zfs-key.sh

#!/usr/bin/env bash

set -euo pipefail

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cd "$SCRIPT_DIR"
# The decrypted key goes to stdout; the module places it at the configured path
# (/tmp/secret.key in the example above) for disko during the installation and
# does not copy it to the installed system.
sops --extract '["zfs-key"]' --decrypt "$SCRIPT_DIR/secrets.yaml"
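Because the contents of the extra_files_script working directory end up on / of the target, it pays to inspect that tree before running terraform. The following pre-flight check is an added example and not part of nixos-anywhere: it runs a given extra_files_script the way the module does (in a scratch directory) and then fails on any empty file (what a sops failure that was not caught by `set -e` leaves behind), on private key material that is not mode 0600, and on public keys that are not 0644. The mode policy assumes, as in the script above, that the tree holds only SSH key material; the script path and scratch directory are the only inputs.

```bash
#!/usr/bin/env bash
# Added pre-flight check for an extra_files_script tree (not part of nixos-anywhere).
set -eu

# run_extra_files_script SCRIPT OUTDIR
# Executes SCRIPT with OUTDIR as its working directory, as the module would.
# Fails if SCRIPT is not executable, the usual mistake after a fresh checkout.
run_extra_files_script() {
  script=$1
  outdir=$2
  if [ ! -x "$script" ]; then
    echo "not executable (chmod +x it): $script" >&2
    return 1
  fi
  (cd "$outdir" && "$script")
}

# check_extra_files OUTDIR
# Prints every problem to stderr and returns 1 if there was any:
#   - empty files (a decryption that failed without aborting the script)
#   - private key material (anything not ending in .pub) that is not mode 0600
#   - public keys that are not mode 0644
check_extra_files() {
  outdir=$1
  problems=$(find "$outdir" -type f -exec sh -c '
    for f; do
      [ -s "$f" ] || echo "empty file: $f"
      # GNU stat first, BSD stat as fallback
      mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
      case "$f" in
        *.pub) [ "$mode" = 644 ] || echo "mode $mode, want 644: $f" ;;
        *)     [ "$mode" = 600 ] || echo "mode $mode, want 600: $f" ;;
      esac
    done' _ {} +)
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    return 1
  fi
  return 0
}

# Usage: ./check-extra-files.sh ./decrypt-ssh-secrets.sh
if [ "${1:-}" ]; then
  tree=$(mktemp -d)
  run_extra_files_script "$1" "$tree"
  check_extra_files "$tree" && echo "ok: $tree"
fi
```

Run it against decrypt-ssh-secrets.sh from the directory that holds secrets.yaml; the scratch directory is left in place so the produced tree can be inspected by hand, and it should be deleted afterwards since it contains decrypted keys.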

Requirements

No requirements.

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| install | ../install | n/a |
| nixos-rebuild | ../nixos-rebuild | n/a |
| partitioner-build | ../nix-build | n/a |
| system-build | ../nix-build | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| debug_logging | Enable debug logging | `bool` | `false` | no |
| deployment_ssh_key | Content of the private key used to deploy to the target_host after the initial installation. For maximum security, connect to the host via ssh-agent instead of relying on this variable | `string` | `null` | no |
| disk_encryption_key_scripts | Each of these script files is executed locally and the output of each is made available to disko at the given path during installation. The keys are not copied to the final system | `list(object({ path = string, script = string }))` | `[]` | no |
| extra_environment | Extra environment variables to be set during installation. Useful to pass extra variables to the extra_files_script or the disk_encryption_key_scripts | `map(string)` | `{}` | no |
| extra_files_script | A script file that prepares extra files to be copied to the target host during installation. The script is expected to write all its files to the current directory; this directory is copied to the / directory of the target host during installation | `string` | `null` | no |
| file | Nix file containing the nixos_system_attr and nixos_partitioner_attr. Use this if you are not using flakes | `string` | `null` | no |
| install_ssh_key | Content of the private key used to connect to the target_host during the initial installation | `string` | `null` | no |
| install_user | SSH user used to connect to the target_host before installing NixOS. If null, the value of target_user is used | `string` | `null` | no |
| instance_id | The instance id of the target_host, used to track when to reinstall the machine | `string` | `null` | no |
| kexec_tarball_url | NixOS kexec installer tarball url | `string` | `null` | no |
| nix_options | Options passed to nix | `map(string)` | `{}` | no |
| nixos_partitioner_attr | NixOS partitioner and mount script, i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.diskoNoDeps or just your-evaluated-nixos.config.system.build.diskoNoDeps if you are not using flakes. config.system.build.diskoNoDeps is provided by the disko NixOS module | `string` | n/a | yes |
| nixos_system_attr | The NixOS system to deploy, i.e. your-flake#nixosConfigurations.your-evaluated-nixos.config.system.build.toplevel or just your-evaluated-nixos.config.system.build.toplevel if you are not using flakes | `string` | n/a | yes |
| no_reboot | Do not reboot after installation | `bool` | `false` | no |
| stop_after_disko | Exit after disko formatting | `bool` | `false` | no |
| target_host | DNS host to deploy to | `string` | n/a | yes |
| target_port | SSH port used to connect to the target_host before installing NixOS | `number` | `22` | no |
| target_user | SSH user used to connect to the target_host after installing NixOS. If install_user is not set, this user is also used before installing | `string` | `"root"` | no |

Outputs

| Name | Description |
|------|-------------|
| result | n/a |