xavier/nixos-infra-framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nixos-infra-framework/scripts/README.md
T

107 lines
3.3 KiB
Markdown
Raw Permalink Blame History

# Scripts
Utility scripts for infrastructure management.
Covers deployment, LXC container creation and bootstrap,
initial configuration of new NixOS machines, and age key generation.
## Scripts Overview
### `create-lxc-nixos.sh` — Create and deploy a NixOS LXC container
Creates a NixOS LXC container on a remote Proxmox VE hypervisor, then
bootstraps it with the initial NixOS configuration and runs `deploy.sh`
to apply the host-specific configuration.
```bash
# Usage
./create-lxc-nixos.sh <short_name> [options]
# Example: create dns01 with static IPv4 and IPv6 token
./create-lxc-nixos.sh dns01 \
--ip 10.40.0.10/24 \
--ip6 ::a:b:c:d \
--pve-host pve01.prod.lagraula.fr
# Dry run to preview the commands
./create-lxc-nixos.sh dns01 --dry-run
```
**Bootstrap process:**
1. `pct create` — create the container from the NixOS template
2. `pct start <CT_ID>` — start the container
3. Wait for the container to be ready (polling `pct exec`)
4. `pct push initial-lxc-configuration.nix``/etc/nixos/configuration.nix`
5. `pct push deploy.sh``/usr/local/bin/deploy-nixos`
6. `pct exec nixos-rebuild switch` — apply initial config (SSH, git, curl)
7. `pct exec deploy-nixos` — clone repo and apply host-specific config
### `deploy.sh` — Deploy NixOS configuration from Git repository
Clones or updates the nixos-infra repository, detects the hostname,
finds the corresponding configuration file, and applies it with
`nixos-rebuild switch`.
```bash
# Usage
./deploy.sh [options]
# Options
-u, --repo-url URL Git repository URL (default: https://gitea.lagraula.fr/...)
-d, --repo-dir DIR Local directory (default: /etc/nixos-infra)
-b, --branch BRANCH Git branch (default: main)
-n, --dry-run Simulate without making changes
```
**Configuration lookup order:**
1. `hosts/servers/<hostname>/configuration.nix`
2. `hosts/workstations/<hostname>/configuration.nix`
### `initial-lxc-configuration.nix` — Bootstrap NixOS configuration (LXC)
Minimal NixOS configuration pushed to a new LXC container during the
bootstrap phase. Installs SSH, git, and curl so the container can
clone the repository and apply its specific configuration.
**Pushed to `/etc/nixos/configuration.nix` by `create-lxc-nixos.sh`.**
### `gen-secrets-keys.sh` — Generate age public keys for agenix
Connects to each host in the infrastructure, retrieves its SSH host
key via `ssh-keyscan`, converts it to an age public key with
`ssh-to-age`, and stores it in `secrets/pubkeys/<hostname>.age`.
```bash
# Usage
./gen-secrets-keys.sh
# Prerequisites
# nix-shell -p ssh-to-age
```
**After generating keys, encrypt secrets with:**
```bash
age -r $(cat secrets/pubkeys/<hostname>.age) -o secrets/<name>.age
agenix -e secrets/<name>.age
```
### `update-nixpkgs.sh` — Update the nixpkgs pin
Updates `pkgs/nixpkgs.json` with the latest commit from nixpkgs stable.
## Deployment workflow (LXC containers)
```
create-lxc-nixos.sh # Step 1: Create + bootstrap
└─ pct create
└─ pct push initial-lxc-configuration.nix
└─ pct push deploy.sh
└─ pct exec nixos-rebuild switch
└─ pct exec deploy.sh # Step 2: Clone repo + apply config
└─ git clone
└─ nixos-rebuild switch (host-specific)
```
For subsequent updates on an already-deployed container:
```bash
ssh <hostname>
sudo /usr/local/bin/deploy-nixos
Reference in New Issue View Git Blame Copy Permalink