Diffstat (limited to 'scripts')
-rw-r--r--scripts/common.nix4
-rw-r--r--scripts/darwin.nix38
-rw-r--r--scripts/default.nix24
-rw-r--r--scripts/infra.nix79
-rw-r--r--scripts/linux.nix19
5 files changed, 164 insertions, 0 deletions
diff --git a/scripts/common.nix b/scripts/common.nix
new file mode 100644
index 0000000..931480c
--- /dev/null
+++ b/scripts/common.nix
@@ -0,0 +1,4 @@
+{ pkgs }:
+[
+ (pkgs.writeScriptBin "update-deps" "nix flake update --commit-lock-file")
+]
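Review bot: `writeScriptBin` on line 22 emits the text verbatim with no interpreter line, whereas infra.nix in this same commit uses `writeShellScriptBin`, which prepends `#!${pkgs.runtimeShell}`; without a shebang the file runs only when the caller's shell falls back to `/bin/sh` after an ENOEXEC, so it fails when exec'd directly by another program. Using `pkgs.writeShellScriptBin "update-deps" "nix flake update --commit-lock-file"` makes it directly executable and consistent with infra.nix. The same applies to darwin.nix and linux.nix, which pass `set -e` bodies to `writeScriptBin` and so also depend on that fallback.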
diff --git a/scripts/darwin.nix b/scripts/darwin.nix
new file mode 100644
index 0000000..c1bbbde
--- /dev/null
+++ b/scripts/darwin.nix
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ system,
+ inputs,
+}:
+[
+ (pkgs.writeScriptBin "nbuild" ''
+ set -e
+ echo "> Running darwin-rebuild build..."
+ ${inputs.darwin.packages.${system}.darwin-rebuild}/bin/darwin-rebuild build --flake .
+ echo "> darwin-rebuild build was successful ✅"
+ echo "> macOS config was successfully applied 🚀"
+ '')
+
+ (pkgs.writeScriptBin "nswitch" ''
+ set -e
+ echo "> Running darwin-rebuild switch..."
+ ${inputs.darwin.packages.${system}.darwin-rebuild}/bin/darwin-rebuild switch --flake .
+ echo "> darwin-rebuild build was successful ✅"
+ echo "> macOS config was successfully applied 🚀"
+ '')
+
+ (pkgs.writeScriptBin "switch-vm-synology" ''
+ set -e
+ echo "> Running nixos-rebuild switch ..."
+ ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --keep-going --flake .#vm-synology --target-host vm-synology --build-host vm-synology --fast --use-remote-sudo --use-substitutes
+ echo "> nixos-rebuild switch was successful ✅"
+ '')
+
+ (pkgs.writeScriptBin "sync-agenix-key" ''
+ set -e
+ echo "> Copying agenix SSH key from 1password ..."
+ mkdir -p ~/.ssh
+ ${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/agenix/private key?ssh-format=openssh" > ~/.ssh/agenix
+ ${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/agenix/public key" > ~/.ssh/agenix.pub
+ echo "> agenix SSH key copied successfully 🔐"
+ '')
+]
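Review bot: `sync-agenix-key` writes the private key with a plain `>` redirect on line 63, so `~/.ssh/agenix` is created with the umask default (commonly 0644), and `mkdir -p ~/.ssh` on line 62 likewise leaves the directory mode to the umask; ssh rejects private keys that are group- or world-readable, and the key is readable by other local users until fixed by hand. Run the writes under a restrictive umask, e.g. `umask 077` right after `set -e`, or follow them with `chmod 700 ~/.ssh; chmod 600 ~/.ssh/agenix`. Separately, `nswitch` on line 48 echoes "darwin-rebuild build was successful" after running `switch`; it should read `echo "> darwin-rebuild switch was successful ✅"`.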
diff --git a/scripts/default.nix b/scripts/default.nix
new file mode 100644
index 0000000..bf91760
--- /dev/null
+++ b/scripts/default.nix
@@ -0,0 +1,24 @@
+{
+ pkgs,
+ system,
+ inputs,
+ self,
+}:
+let
+ common = import ./common.nix { inherit pkgs; };
+ infra = import ./infra.nix { inherit self pkgs; };
+ darwin = import ./darwin.nix { inherit pkgs system inputs; };
+ linux = import ./linux.nix { inherit pkgs system inputs; };
+in
+{
+ common = common;
+ infra = infra;
+ darwin = if pkgs.lib.hasSuffix "darwin" system then darwin else [ ];
+ linux = if pkgs.lib.hasSuffix "linux" system then linux else [ ];
+
+ all =
+ common
+ ++ infra
+ ++ (if pkgs.lib.hasSuffix "darwin" system then darwin else [ ])
+ ++ (if pkgs.lib.hasSuffix "linux" system then linux else [ ]);
+}
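Review bot: line 84 calls linux.nix with `{ inherit pkgs system inputs; }`, but linux.nix's pattern in this same commit is `{ pkgs, }:` with no `...`, so forcing `scripts.linux` or `scripts.all` on a linux system should fail with an unexpected-argument evaluation error (on darwin the thunk is never forced, which is presumably why it was not noticed). Either drop the extra arguments, `linux = import ./linux.nix { inherit pkgs; };`, or add `...` to linux.nix's pattern. The `hasSuffix` conditionals on lines 89–90 are repeated verbatim on lines 95–96; binding the filtered lists once in the `let` (e.g. `darwin' = if pkgs.lib.hasSuffix "darwin" system then darwin else [ ];`) and writing `all = common ++ infra ++ darwin' ++ linux';` alongside `inherit common infra;` keeps the per-platform attributes and `all` from drifting apart.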
diff --git a/scripts/infra.nix b/scripts/infra.nix
new file mode 100644
index 0000000..aa9b0d6
--- /dev/null
+++ b/scripts/infra.nix
@@ -0,0 +1,79 @@
+{ self, pkgs }:
+let
+ tofuSetup = ''
+ tofu_setup() {
+ # Ensure bucket exists
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --quiet || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \
+ gs://fcuny-infra-tofu-state \
+ --project=fcuny-infra \
+ --uniform-bucket-level-access \
+ --public-access-prevention \
+ --location=us-west1 \
+ --default-storage-class=STANDARD \
+ --quiet
+
+ # Setup temp directory
+ TMPDIR=$(mktemp -d)
+ trap 'rm -rf "$TMPDIR"' EXIT
+
+ # Install terraform configs
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import "${self}/infra/tf/backups.nix" {
+ inherit pkgs;
+ }
+ } "$TMPDIR/backups/backups.tf.json"
+
+ ${pkgs.coreutils}/bin/install -Dm 0644 ${
+ import "${self}/infra/tf/dns.nix" {
+ inherit pkgs;
+ }
+ } "$TMPDIR/cloudflare/cloudflare-dns.tf.json"
+
+ # Initialize both workspaces
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" init
+
+ # Fetch Cloudflare API token
+ CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential")
+ }
+ '';
+in
+[
+ (pkgs.writeShellScriptBin "gcloud-auth" ''
+ set -xeuo pipefail
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth print-identity-token > /dev/null 2>&1 || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth login --quiet
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default print-access-token > /dev/null 2>&1 || \
+ ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet
+ '')
+
+ (pkgs.writeShellScriptBin "tf-plan" ''
+ set -xeuo pipefail
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Planning backups ==="
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" plan
+
+ echo "=== Planning cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" plan
+ '')
+
+ (pkgs.writeShellScriptBin "tf-apply" ''
+ set -xeuo pipefail
+
+ ${tofuSetup}
+ tofu_setup
+
+ echo "=== Applying backups ==="
+ ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve
+
+ echo "=== Applying cloudflare ==="
+ CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" apply -auto-approve
+ '')
+]
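Review bot: with `set -x` enabled in tf-plan and tf-apply (lines 158 and 171), bash's xtrace prints the assignment on line 144 with the expanded token, and again on lines 167 and 180 where `CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN"` prefixes the tofu call, so the Cloudflare API token is written to stderr and into any terminal scrollback or CI log. Dropping `-x` from those two lines (`set -euo pipefail`) removes the exposure; if tracing is wanted, bracket the token read and the two tofu invocations with `set +x` / `set -x` so the value never appears on a traced command line. Note also that tofu_setup assigns `TMPDIR` on line 123, the variable `mktemp` and many tools consult for scratch space, so child processes will create their temporary files inside the directory the EXIT trap removes; a name such as `WORKDIR` avoids that collision.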
diff --git a/scripts/linux.nix b/scripts/linux.nix
new file mode 100644
index 0000000..b44c86f
--- /dev/null
+++ b/scripts/linux.nix
@@ -0,0 +1,19 @@
+{
+ pkgs,
+}:
+[
+ (pkgs.writeScriptBin "nbuild" ''
+ set -e
+ echo "> Running nixos-rebuild build..."
+ sudo nixos-rebuild build --flake .
+ echo "> nixos-rebuild build was successful ✅"
+ '')
+
+ (pkgs.writeScriptBin "nswitch" ''
+ set -e
+ echo "> Running nixos-rebuild switch..."
+ sudo nixos-rebuild switch --flake .
+ echo "> nixos-rebuild switch was successful ✅"
+ echo "> NixOS config was successfully applied 🚀"
+ '')
+]
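Review bot: nbuild and nswitch invoke a bare `sudo nixos-rebuild` on lines 196 and 203, resolved through sudo's `secure_path`, while darwin.nix's switch-vm-synology pins `${pkgs.nixos-rebuild}/bin/nixos-rebuild` from the same nixpkgs evaluation. Pinning here too, `sudo ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --flake .`, makes the binary that runs as root independent of the host's PATH configuration and consistent with the darwin scripts. Because the path is absolute, `secure_path` no longer influences which binary is executed.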