# Scripts

Utility scripts for infrastructure management. Covers deployment, LXC container creation and bootstrap, initial configuration of new NixOS machines, and age key generation.

## Scripts Overview

### `create-lxc-nixos.sh` — Create and deploy a NixOS LXC container

Creates a NixOS LXC container on a remote Proxmox VE hypervisor, then bootstraps it with the initial NixOS configuration and runs `deploy.sh` to apply the host-specific configuration.

```bash
# Usage
./create-lxc-nixos.sh <hostname> [options]

# Example: create dns01 with static IPv4 and IPv6 token
./create-lxc-nixos.sh dns01 \
  --ip 10.40.0.10/24 \
  --ip6 ::a:b:c:d \
  --pve-host pve01.prod.lagraula.fr

# Dry run to preview the commands
./create-lxc-nixos.sh dns01 --dry-run
```

**Bootstrap process:**

1. `pct create` — create the container from the NixOS template
2. `pct start <vmid>` — start the container
3. Wait for the container to be ready (polling `pct exec`)
4. `pct push initial-lxc-configuration.nix` → `/etc/nixos/configuration.nix`
5. `pct push deploy.sh` → `/usr/local/bin/deploy-nixos`
6. `pct exec nixos-rebuild switch` — apply initial config (SSH, git, curl)
7. `pct exec deploy-nixos` — clone repo and apply host-specific config

### `deploy.sh` — Deploy NixOS configuration from Git repository

Clones or updates the nixos-infra repository, detects the hostname, finds the corresponding configuration file, and applies it with `nixos-rebuild switch`.

```bash
# Usage
./deploy.sh [options]

# Options
-u, --repo-url URL     Git repository URL (default: https://gitea.lagraula.fr/...)
-d, --repo-dir DIR     Local directory (default: /etc/nixos-infra)
-b, --branch BRANCH    Git branch (default: main)
-n, --dry-run          Simulate without making changes
```

**Configuration lookup order:**

1. `hosts/servers/<hostname>/configuration.nix`
2. `hosts/workstations/<hostname>/configuration.nix`

### `initial-lxc-configuration.nix` — Bootstrap NixOS configuration (LXC)

Minimal NixOS configuration pushed to a new LXC container during the bootstrap phase.
Installs SSH, git, and curl so the container can clone the repository and apply its specific configuration.

**Pushed to `/etc/nixos/configuration.nix` by `create-lxc-nixos.sh`.**

### `gen-secrets-keys.sh` — Generate age public keys for agenix

Connects to each host in the infrastructure, retrieves its SSH host key via `ssh-keyscan`, converts it to an age public key with `ssh-to-age`, and stores it in `secrets/pubkeys/<hostname>.age`.

```bash
# Usage
./gen-secrets-keys.sh

# Prerequisites
# nix-shell -p ssh-to-age
```

**After generating keys, encrypt secrets with:**

```bash
age -r $(cat secrets/pubkeys/<hostname>.age) -o secrets/<secret>.age
agenix -e secrets/<secret>.age
```

### `update-nixpkgs.sh` — Update the nixpkgs pin

Updates `pkgs/nixpkgs.json` with the latest commit from nixpkgs stable.

## Deployment workflow (LXC containers)

```
create-lxc-nixos.sh                        # Step 1: Create + bootstrap
└─ pct create
└─ pct push initial-lxc-configuration.nix
└─ pct push deploy.sh
└─ pct exec nixos-rebuild switch
└─ pct exec deploy.sh                      # Step 2: Clone repo + apply config
   └─ git clone
   └─ nixos-rebuild switch (host-specific)
```

For subsequent updates on an already-deployed container:

```bash
ssh <hostname> sudo /usr/local/bin/deploy-nixos
```
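The configuration lookup that `deploy.sh` performs (server directory first, then workstation directory), written out as POSIX sh functions. This is an added example and not the repository's own `deploy.sh`; it assumes the `hosts/{servers,workstations}/<hostname>/configuration.nix` layout from the lookup order above and passes the selected file to `nixos-rebuild` with `-I nixos-config=...`, which is an assumption about how the real script hands the file over. Because the hostname ends up as a path component, the example also refuses anything that is not a plain DNS name before building a path from it.

```shell
# Added example (not the repository's deploy.sh). Assumes the layout
# hosts/{servers,workstations}/<hostname>/configuration.nix and that the
# selected file is applied with `nixos-rebuild switch -I nixos-config=FILE`
# (the latter is an assumption, not something the README states).

# Print the first matching configuration.nix for HOST under REPO_DIR.
# Returns 1 when neither group has a directory for the host.
find_host_config() {
  repo_dir=$1
  host=$2
  for group in servers workstations; do
    candidate="$repo_dir/hosts/$group/$host/configuration.nix"
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  echo "no configuration.nix for '$host' under $repo_dir/hosts/{servers,workstations}" >&2
  return 1
}

# The hostname becomes a path component, so only accept plain DNS names
# (letters, digits, '-', '.'); this rejects '', '.', '..' and anything with '/'.
valid_hostname() {
  case $1 in
    ''|.|..|*/*|*[!a-zA-Z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Resolve the config for HOST (defaults to the local hostname) and apply it.
# With the third argument set to 1 the command is printed instead of run.
apply_host_config() {
  repo_dir=$1
  host=${2:-$(hostname)}
  dry_run=${3:-0}
  valid_hostname "$host" || { echo "refusing hostname: '$host'" >&2; return 2; }
  config=$(find_host_config "$repo_dir" "$host") || return 1
  if [ "$dry_run" = 1 ]; then
    printf 'would run: nixos-rebuild switch -I nixos-config=%s\n' "$config"
  else
    nixos-rebuild switch -I nixos-config="$config"
  fi
}

# Constructed demo repository (not the real nixos-infra checkout).
demo_repo=$(mktemp -d)
mkdir -p "$demo_repo/hosts/servers/dns01" "$demo_repo/hosts/workstations/ws01"
echo '{ ... }: { networking.hostName = "dns01"; }' > "$demo_repo/hosts/servers/dns01/configuration.nix"
echo '{ ... }: { networking.hostName = "ws01"; }'  > "$demo_repo/hosts/workstations/ws01/configuration.nix"
apply_host_config "$demo_repo" dns01 1      # found under hosts/servers
apply_host_config "$demo_repo" ws01 1       # falls through to hosts/workstations
apply_host_config "$demo_repo" ../etc 1 || echo "rejected (exit $?)"
```

Run it as a script to see the dry-run lines for the two constructed hosts and the rejection of the `../etc` name; drop the third argument to actually invoke `nixos-rebuild` on a NixOS machine.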
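Step 3 of the bootstrap process above (wait until the container answers `pct exec`) is the step that most often hangs when a container fails to start, so it deserves a bounded retry loop. The following is an added example, not code from `create-lxc-nixos.sh`: a generic `wait_for_ready` that takes the probe command and its arguments as parameters (run directly, without going through a shell string), gives up after a fixed number of attempts, and a Proxmox wrapper whose `pct exec <vmid> -- true` invocation is an assumption about what the real script polls. A constructed probe lets the loop be exercised without a Proxmox host.

```shell
# Added example (not the repository's create-lxc-nixos.sh). The pct command
# shape in wait_for_container is assumed; the README only says "polling pct exec".

# wait_for_ready MAX_TRIES INTERVAL CMD [ARGS...]
#   Runs CMD until it exits 0. Gives up after MAX_TRIES attempts so a container
#   that never comes up cannot stall the bootstrap forever. The command is
#   executed as "$@", so its arguments are never re-parsed by a shell.
wait_for_ready() {
  max_tries=$1
  interval=$2
  shift 2
  tries=0
  while [ "$tries" -lt "$max_tries" ]; do
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    tries=$((tries + 1))
    sleep "$interval"
  done
  echo "gave up after $max_tries attempts: $*" >&2
  return 1
}

# Proxmox flavour (assumed command shape): poll `pct exec <vmid> -- true`
# every 2 seconds for at most 60 seconds before pushing any files.
wait_for_container() {
  wait_for_ready 30 2 pct exec "$1" -- true
}

# Constructed probe for running this without Proxmox: it fails until it has
# been called NEEDED times, keeping the call count in COUNTER_FILE.
probe_after_n_tries() {
  counter_file=$1
  needed=$2
  n=0
  [ -f "$counter_file" ] && n=$(cat "$counter_file")
  n=$((n + 1))
  echo "$n" > "$counter_file"
  [ "$n" -ge "$needed" ]
}

# Demo: a probe that succeeds on its third call, and one that never succeeds.
demo_dir=$(mktemp -d)
if wait_for_ready 5 0 probe_after_n_tries "$demo_dir/count" 3; then
  echo "ready after $(cat "$demo_dir/count") attempts"
fi
wait_for_ready 3 0 false || echo "never became ready, bootstrap would abort here"
```

In the real bootstrap the caller should stop on a non-zero return rather than continue to the `pct push` steps, otherwise files are pushed into a container that is not executing commands yet and the later `pct exec nixos-rebuild switch` fails with a less obvious error.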
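The `age -r $(cat secrets/pubkeys/<hostname>.age)` command in the `gen-secrets-keys.sh` section assumes every recipient file holds exactly one age public key. An empty file (for example after a failed `ssh-keyscan`) makes the unquoted substitution expand to nothing, so `-r` swallows the next argument, and a file that still holds an unconverted SSH key is only rejected by `age` at encryption time. The following is an added example, not part of `gen-secrets-keys.sh`: it checks each file for the shape of an age public key (`age1` followed by 58 characters of the bech32 alphabet; the checksum itself is not verified) and emits one `-r <key>` pair per valid file, failing when none is usable. The sample key in the demo is constructed to have the right shape and is not a real key.

```shell
# Added example (not the repository's gen-secrets-keys.sh). Shape check only:
# "age1" + 58 bech32 characters; the bech32 checksum is not verified here.

# age_recipient_args PUBKEY_DIR
#   Prints " -r <key>" for every usable *.age file in PUBKEY_DIR.
#   Returns 1 (and prints nothing usable) when no file passes the checks.
age_recipient_args() {
  pubkey_dir=$1
  count=0
  for f in "$pubkey_dir"/*.age; do
    [ -f "$f" ] || continue
    key=$(head -n 1 "$f" | tr -d '[:space:]')
    body=${key#age1}
    if [ "$body" = "$key" ]; then
      echo "skipping $f: does not start with age1" >&2
      continue
    fi
    if [ "${#body}" -ne 58 ]; then
      echo "skipping $f: unexpected key length $((${#body} + 4))" >&2
      continue
    fi
    case $body in
      *[!qpzry9x8gf2tvdw0s3jn54khce6mua7l]*)
        echo "skipping $f: characters outside the bech32 alphabet" >&2
        continue ;;
    esac
    printf ' -r %s' "$key"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "no usable recipient keys in $pubkey_dir" >&2; return 1; }
}

# age_recipient_count PUBKEY_DIR
#   Number of recipients the directory yields; 0 when none is usable.
age_recipient_count() {
  args=$(age_recipient_args "$1" 2>/dev/null) || { echo 0; return 0; }
  set -- $args
  echo $(( $# / 2 ))
}

# Constructed sample directory: one well-formed key (shape only, not a real
# key), one empty file and one file still holding an unconverted SSH key.
sample=$(mktemp -d)
echo 'age1qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9x8gf2tvdw0s3jn54khce' > "$sample/dns01.age"
: > "$sample/empty.age"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotConverted' > "$sample/unconverted.age"
recipients=$(age_recipient_args "$sample")
echo "recipient args:$recipients"
echo "usable recipients: $(age_recipient_count "$sample")"
# Usage with age (word-splitting of the output is intended; keys contain no whitespace):
#   age $(age_recipient_args secrets/pubkeys) -o secrets/<secret>.age <plaintext-file>
```

Running the demo reports the two skipped files on stderr and a single `-r age1...` pair on stdout. Wiring `age_recipient_count` into CI as a check that the count equals the number of hosts catches a silently failed `ssh-keyscan` before a secret is re-encrypted for fewer recipients than intended.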