Initial framework: reusable modules, lib, pkgs, overlays, scripts, sample environment

scripts/README.md

@@ -0,0 +1,107 @@
+# Scripts
+
+Utility scripts for infrastructure management.
+Covers deployment, LXC container creation and bootstrap,
+initial configuration of new NixOS machines, and age key generation.
+
+## Scripts Overview
+
+### `create-lxc-nixos.sh` — Create and deploy a NixOS LXC container
+
+Creates a NixOS LXC container on a remote Proxmox VE hypervisor, then
+bootstraps it with the initial NixOS configuration and runs `deploy.sh`
+to apply the host-specific configuration.
+
+```bash
+# Usage
+./create-lxc-nixos.sh <short_name> [options]
+
+# Example: create dns01 with static IPv4 and IPv6 token
+./create-lxc-nixos.sh dns01 \
+  --ip 10.40.0.10/24 \
+  --ip6 ::a:b:c:d \
+  --pve-host pve01.prod.lagraula.fr
+
+# Dry run to preview the commands
+./create-lxc-nixos.sh dns01 --dry-run
+```
+
+**Bootstrap process:**
+1. `pct create` — create the container from the NixOS template
+2. `pct start <CT_ID>` — start the container
+3. Wait for the container to be ready (polling `pct exec`)
+4. `pct push initial-lxc-configuration.nix` → `/etc/nixos/configuration.nix`
+5. `pct push deploy.sh` → `/usr/local/bin/deploy-nixos`
+6. `pct exec nixos-rebuild switch` — apply initial config (SSH, git, curl)
+7. `pct exec deploy-nixos` — clone repo and apply host-specific config
+
+### `deploy.sh` — Deploy NixOS configuration from Git repository
+
+Clones or updates the nixos-infra repository, detects the hostname,
+finds the corresponding configuration file, and applies it with
+`nixos-rebuild switch`.
+
+```bash
+# Usage
+./deploy.sh [options]
+
+# Options
+-u, --repo-url URL    Git repository URL (default: https://gitea.lagraula.fr/...)
+-d, --repo-dir DIR    Local directory (default: /etc/nixos-infra)
+-b, --branch BRANCH   Git branch (default: main)
+-n, --dry-run         Simulate without making changes
+```
+
+**Configuration lookup order:**
+1. `hosts/servers/<hostname>/configuration.nix`
+2. `hosts/workstations/<hostname>/configuration.nix`
+
+### `initial-lxc-configuration.nix` — Bootstrap NixOS configuration (LXC)
+
+Minimal NixOS configuration pushed to a new LXC container during the
+bootstrap phase. Installs SSH, git, and curl so the container can
+clone the repository and apply its specific configuration.
+
+**Pushed to `/etc/nixos/configuration.nix` by `create-lxc-nixos.sh`.**
+
+### `gen-secrets-keys.sh` — Generate age public keys for agenix
+
+Connects to each host in the infrastructure, retrieves its SSH host
+key via `ssh-keyscan`, converts it to an age public key with
+`ssh-to-age`, and stores it in `secrets/pubkeys/<hostname>.age`.
+
+```bash
+# Usage
+./gen-secrets-keys.sh
+
+# Prerequisites
+#   nix-shell -p ssh-to-age
+```
+
+**After generating keys, encrypt secrets with:**
+```bash
+age -r $(cat secrets/pubkeys/<hostname>.age) -o secrets/<name>.age
+agenix -e secrets/<name>.age
+```
+
+### `update-nixpkgs.sh` — Update the nixpkgs pin
+
+Updates `pkgs/nixpkgs.json` with the latest commit from nixpkgs stable.
+
+## Deployment workflow (LXC containers)
+
+```
+create-lxc-nixos.sh         # Step 1: Create + bootstrap
+  └─ pct create
+  └─ pct push initial-lxc-configuration.nix
+  └─ pct push deploy.sh
+  └─ pct exec nixos-rebuild switch
+  └─ pct exec deploy.sh     # Step 2: Clone repo + apply config
+      └─ git clone
+      └─ nixos-rebuild switch (host-specific)
+```
+
+For subsequent updates on an already-deployed container:
+```bash
+ssh <hostname>
+sudo /usr/local/bin/deploy-nixos