Use Pulumi to provision and Nix to configure (#12)

2025-10-05 08:38:41 +00:00 · 2023-02-02 22:14:16 +00:00
parent 61611ccc2c
commit d08cf9bec3
46 changed files with 810 additions and 1165 deletions
--- a/deploy.sh
+++ b/deploy.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# e.g. foo.bar.com (i.e. the hostname in DNS)
+# TODO: get this with `jq` from config file
+DOMAIN="$1"
+# e.g. `PulumiWebServer/Nix`, the directory holding the Nix flake that you want on the remote machine.
+# Appropriate `networking.nix`, `hardware-configuration.nix`, and `ssh-keys.json` files, as output
+# by the `pulumi up` command, will end up written to this folder.
+NIX_FLAKE="$2"
+
+if [ ! -d "$NIX_FLAKE" ]; then
+    echo "Flake directory $NIX_FLAKE does not exist; aborting" 1>&2
+    exit 1
+fi
+
+# TODO this somehow failed to find the right key
+AGE_KEY="$(ssh-keyscan "$DOMAIN" | ssh-to-age | tail -1 2>/dev/null)"
+
+if [ -e "/tmp/networking.nix" ]; then
+    mv "/tmp/networking.nix" "$NIX_FLAKE"
+fi
+
+if [ -e "/tmp/hardware-configuration.nix" ]; then
+    mv "/tmp/hardware-configuration.nix" "$NIX_FLAKE"
+fi
+
+if [ -e "/tmp/ssh-keys.json" ]; then
+    mv "/tmp/ssh-keys.json" "$NIX_FLAKE"
+fi
+
+if [ -n "$AGE_KEY" ]; then
+    sed -i -E "s!  - &staging_server.+!  - \&staging_server '$AGE_KEY'!g" .sops.yaml || exit 2
+fi
+
+sops updatekeys "$NIX_FLAKE/secrets/staging.json" || exit 3
+
+cd "$NIX_FLAKE" || exit 4
+
+nixos-rebuild switch --fast --flake .#default --target-host "root@$DOMAIN" --build-host "root@$DOMAIN" || exit