infra/Justfile

# _DEFAULT_VERSION_TMPL:
# 	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"

_usage:
    just -l

# Re-render the default versions
update-default-versions:
    nix flake update

_get_nix_path versionsPath:
    echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath  {{ versionsPath }})

_device recipe dir +moreargs="":
    #!/usr/bin/env bash
    set -ex
    unset NIX_PATH
    source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix)
    $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }})

_render_templates:
    #!/usr/bin/env bash
    set -ex
    if ! ip route get 1.1.1.1; then
    	echo No route to WAN. Skipping template rendering...
    else
    	source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
    	# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
    fi

rebuild-remote-device device +rebuildargs="dry-activate":
    #!/usr/bin/env bash
    set -ex
    nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }}

# Rebuild this device's NixOS
rebuild-this-device +rebuildargs="dry-activate":
    nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }}

# Re-render the versions of a remote device and rebuild its environment
update-remote-device devicename +rebuildargs='build':
    #!/usr/bin/env bash
    set -e

    (
    	set -xe
    	cd nix/os/devices/{{ devicename }}
    	nix flake update
    )

    just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }}

    git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions"

# Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch' +moreargs='':
    #!/usr/bin/env bash
    set -e

    (
    	set -xe
    	cd nix/os/devices/$(hostname -s)
    	nix flake update
    )

    just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }}

    git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"

# Rebuild an offline system
rebuild-disk device:
    #!/usr/bin/env bash
    set -xe

    just -v disk-mount {{ device }}
    trap "set +e; just -v disk-umount {{ device }}" EXIT
    just -v disk-install {{ device }}

# Re-render the versions of the given offline system and reinstall it in offline-mode
update-disk dir:
    #!/usr/bin/env bash
    set -exuo pipefail

    dir={{ dir }}

    template={{ dir }}/versions.tmpl.nix
    outfile={{ dir }}/versions.nix

    if ! test -e ${template}; then
    	template="$(just _DEFAULT_VERSION_TMPL)"
    fi

    esh -o ${outfile} ${template}
    if ! test "$(git diff ${outfile})"; then
    	echo Already on latest versions
    	exit 0
    fi

    export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log
    just -v rebuild-disk {{ dir }} || {
    	echo ERROR: Update of {{ dir }} failed, reverting ${outfile}...
    	exit 1
    }

    git commit -v ${outfile} -m "${dir}: bump versions"

# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
hm-iterate-qtile:
    #!/usr/bin/env bash
    set -xe
    home-manager switch || just -v rebuild-this-device switch
    Xephyr -ac -br -resizeable :1 &
    XEPHYR_PID=$!
    echo ${XEPHYR_PID}
    DISPLAY=:1 $(grep qtile ~/.xsession) &
    echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
    wait $!
    kill ${XEPHYR_PID}

# !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
disk-prepare dir:
    just -v _device diskPrepare {{ dir }}

disk-relabel dir previous:
    just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }}

# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir:
    just -v _device diskMount {{ dir }}

# Unmount target disk, specified by device configuration directory
disk-umount dir:
    just -v _device diskUmount {{ dir }}

# Perform an offline installation on the mounted target disk, specified by device configuration directory
disk-install dir: _render_templates
    just -v _device diskInstall {{ dir }}

verify-n-unlock sshserver attempts="10":
    #!/usr/bin/env bash
    set -e
    env \
      GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \
      SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \
      VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \
      VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }}  VNCPW)" \
      \
      just _verify-n-unlock {{ sshserver }} {{ attempts }}

_verify-n-unlock sshserver attempts:
    #!/usr/bin/env bash
    set -e
    : ${VNCSOCK:?VNCSOCK must be set}
    : ${VNCPW:?VNCPW must be set}

    export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
    export TESS_ARGS="-c debug_file=/dev/null --psm 4"

    function send() {
    	local what="${1:?need something to send}"
    	ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null
    }

    function expect() {
    	local what="${1:?need something to expect}"
    	vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
    	convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
    	tesseract ${TESS_ARGS} screenshot.tiff screenshot
    	grep --quiet "${what}" screenshot.txt
    }

    function send_and_expect() {
    	local send="${1:?need something to send}"
    	local expect="${2:?need something to expect}"
    	if ! send "${send}"; then
    		echo warning: cannot send > /dev/stderr
    		return -1
    	fi
    	expect "${expect}"
    }

    trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT

    for i in `seq 1 {{ attempts }}`; do
    	echo Attempt $i...
    	expect="$(pwgen -0 12)"
    	send="'\0033\0143'${expect}"
    	if send_and_expect "${send}" "${expect}"; then
    		pipe=$(mktemp -u)
    		mkfifo ${pipe}
    		exec 3<>${pipe}
    		rm ${pipe}

    		echo Verification succeeded at attempt $i. Unlocking remote drive...
    		ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null &
    		eval ${GETPW} | head -n1 >&3

    		for j in `seq 1 120`; do
    			sleep 0.5
    			if expect '— success'; then
    				echo Unlock successful.
    				exit 0
    			fi
    		done

    		echo Unlock failed...
    		exit 1
    	fi
    done
    echo Verification failed {{ attempts }} times. Giving up...
    exit 1

_get_pass_entry path key:
    pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g'

run-with-channels +cmds:
    #!/usr/bin/env bash
    source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)
    {{ cmds }}

install-config config root:
    sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd

# Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card key-id="6EEFA706CB17E89B":
    #!/usr/bin/env bash
    #
    # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
    #
    # Connect the new device and then run this script to make it known to gnupg.
    #
    set -xe
    if [[ -n "{{key-id}}" ]]; then
        KEY_ID="{{key-id}}"
    else
        KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
    fi

    # export pubkey and ownertrust
    gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
    # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
    gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust

    # delete the key
    gpg --yes --delete-secret-and-public-keys "${KEY_ID}"

    # import pubkey and ownertrust back and cleanup
    gpg2 --import "${KEY_ID}".pubkey
    gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
    rm "${KEY_ID}".{pubkey,ownertrust}

    # refresh the gpg agent
    gpg-connect-agent "scd serialno" "learn --force" /bye
    gpg --card-status

# Connect to `remote` UUID, and turn it into a short name
uuid-to-device-name remote:
    #!/usr/bin/env bash
    set -e -o pipefail
    ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'

test-connection:
    #! /usr/bin/env nix-shell
    #! nix-shell -p curl zsh
    #! nix-shell -i zsh
    #! nix-shell --pure

    while true; do
      FAILURE="false"
      output=$(
    	echo "$(date)\n---"
    	for url in \
    		"https://172.16.0.1:65443/0.7/gui/#/login/" \
    		"https://192.168.0.1" \
    		"http://172.172.171.9" \
    		"https://172.172.171.10:65443" \
    		"https://172.172.171.11:65443" \
    		"https://172.172.171.13:443" \
    		"https://172.172.171.14:443" \
    		"http://172.172.171.15:22" \
    		"http://172.172.171.16:22" \
    		"https://crates.io" \
    		"https://holo.host" \
    		; \
    	do
    	  print "trying ${url}": $(
    		curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)
    		# if [ $? -ne 0 ]; then
    		if [[ "$curl_output" == *timeout* ]]; then
    		  echo failure: $(echo ${curl_output} | tail -n1)
    		  # BUG: outer FAILURE is not set by this
    		  FAILURE="true"
    		else
    		  echo success
    		fi
    	  )
    	done
      )
      clear
      echo ${output}

      if [[ ${FAILURE} == "true" ]]; then
    	echo something failed
    	tracepath -m5 -n1 172.16.0.1
    	tracepath -m5 -n1 192.168.0.1
      fi

      sleep 5
    done

cachix-use name:
    nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/

update-sops-keys:
    for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done

deploy-router0-dmz0:
    NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1

ttyusb:
    screen -fa /dev/ttyUSB0 115200
WIP everything 2024-01-18 14:59:17 +00:00			`# _DEFAULT_VERSION_TMPL:`
			`# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"`
Justfile: implement update-remote-device This bumps the versions for the remote device, attempts a rebuild and commits the resulting versions if the rebuild succeeded. 2019-03-06 13:52:23 +01:00
nix: add channel configuration and rework update process 2018-11-03 11:45:40 +01:00			`_usage:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -l`
nix: add channel configuration and rework update process 2018-11-03 11:45:40 +01:00
Justfile: describe the update recipes 2019-11-28 01:05:14 +01:00			`# Re-render the default versions`
Justfile: add command for updating the default versions 2019-03-31 22:47:58 +02:00			`update-default-versions:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`nix flake update`
Justfile: add command for updating the default versions 2019-03-31 22:47:58 +02:00
nix,steveej-t480s-work: introduce pure versioning 2018-12-17 13:10:06 +01:00			`_get_nix_path versionsPath:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }})`
nix,steveej-t480s-work: introduce pure versioning 2018-12-17 13:10:06 +01:00
nix/os/devices: refactor expressions 2018-11-19 02:04:26 +01:00			`_device recipe dir +moreargs="":`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -ex`
			`unset NIX_PATH`
			`source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix)`
			`$(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }})`
make * composable; add install medium; archive prevoius code 2018-10-30 13:38:36 +01:00
just: render templates for offline installations 2018-11-10 19:49:25 +01:00			`_render_templates:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -ex`
			`if ! ip route get 1.1.1.1; then`
			`echo No route to WAN. Skipping template rendering...`
			`else`
			`source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)`
			`# nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix`
			`fi`
just: render templates for offline installations 2018-11-10 19:49:25 +01:00
feat: start migrating steveej-t14 and sj-vps-htz-0 to sops 2023-07-05 15:55:04 +02:00			`rebuild-remote-device device +rebuildargs="dry-activate":`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -ex`
			`nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }}`
Justfile: support rebuild of remote device 2018-11-12 23:37:31 +01:00
Justfile: fix typo 2019-03-03 00:14:15 +01:00			`# Rebuild this device's NixOS`
flakfiy some Justfile recipes and experiment with wayland based custom desktop 2023-05-21 11:58:57 +02:00			`rebuild-this-device +rebuildargs="dry-activate":`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }}`
nix config udpate; polish top-level Justfile 2018-11-03 11:03:03 +01:00
Justfile: describe the update recipes 2019-11-28 01:05:14 +01:00			`# Re-render the versions of a remote device and rebuild its environment`
feat: init srv0-dmz0 2023-07-06 22:42:24 +02:00			`update-remote-device devicename +rebuildargs='build':`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -e`
Justfile: implement update-remote-device This bumps the versions for the remote device, attempts a rebuild and commits the resulting versions if the rebuild succeeded. 2019-03-06 13:52:23 +01:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`(`
			`set -xe`
			`cd nix/os/devices/{{ devicename }}`
			`nix flake update`
			`)`
Justfile: implement update-remote-device This bumps the versions for the remote device, attempts a rebuild and commits the resulting versions if the rebuild succeeded. 2019-03-06 13:52:23 +01:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }}`
Justfile: move rebuild functionality into rebuild 2018-11-03 22:55:50 +01:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions"`
Justfile: move rebuild functionality into rebuild 2018-11-03 22:55:50 +01:00
Justfile: describe the update recipes 2019-11-28 01:05:14 +01:00			`# Re-render the versions of the current device and rebuild its environment`
WIP everything 2024-01-18 14:59:17 +00:00			`update-this-device rebuild-mode='switch' +moreargs='':`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -e`
nix: add semi-automatic update process 2019-01-17 22:35:19 +01:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`(`
			`set -xe`
			`cd nix/os/devices/$(hostname -s)`
			`nix flake update`
			`)`
Justfile: move rebuild functionality into rebuild 2018-11-03 22:55:50 +01:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }}`
Justfile: move rebuild functionality into rebuild 2018-11-03 22:55:50 +01:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions"`
Justfile/update-this-device: treat all rebuilds as errors 2019-03-03 00:14:28 +01:00
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00			`# Rebuild an offline system`
			`rebuild-disk device:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -xe`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v disk-mount {{ device }}`
			`trap "set +e; just -v disk-umount {{ device }}" EXIT`
			`just -v disk-install {{ device }}`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
			`# Re-render the versions of the given offline system and reinstall it in offline-mode`
			`update-disk dir:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -exuo pipefail`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`dir={{ dir }}`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`template={{ dir }}/versions.tmpl.nix`
			`outfile={{ dir }}/versions.nix`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`if ! test -e ${template}; then`
			`template="$(just _DEFAULT_VERSION_TMPL)"`
			`fi`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`esh -o ${outfile} ${template}`
			`if ! test "$(git diff ${outfile})"; then`
			`echo Already on latest versions`
			`exit 0`
			`fi`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log`
			`just -v rebuild-disk {{ dir }} \|\| {`
			`echo ERROR: Update of {{ dir }} failed, reverting ${outfile}...`
			`exit 1`
			`}`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`git commit -v ${outfile} -m "${dir}: bump versions"`
Justfile: add rebuild and update tasks for offline disk installations 2020-09-28 21:56:45 +02:00
qtile: fix mute state filepath and add usage note 2018-11-15 18:24:28 +01:00			`# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)`
home/qtile: add volume keys and ease testing 2018-11-03 18:43:22 +01:00			`hm-iterate-qtile:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -xe`
			`home-manager switch \|\| just -v rebuild-this-device switch`
			`Xephyr -ac -br -resizeable :1 &`
			`XEPHYR_PID=$!`
			`echo ${XEPHYR_PID}`
			`DISPLAY=:1 $(grep qtile ~/.xsession) &`
			`echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"`
			`wait $!`
			`kill ${XEPHYR_PID}`
home/qtile: add volume keys and ease testing 2018-11-03 18:43:22 +01:00
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00			`# !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.`
			`disk-prepare dir:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v _device diskPrepare {{ dir }}`
nix config udpate; polish top-level Justfile 2018-11-03 11:03:03 +01:00
nix/os/devices: add relabel command After bytewise-copying from a prevoius disk, the partition labels and logical volume groupnames need to be renamed according to the new disk id. 2019-01-12 22:24:30 +01:00			`disk-relabel dir previous:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }}`
nix/os/devices: add relabel command After bytewise-copying from a prevoius disk, the partition labels and logical volume groupnames need to be renamed according to the new disk id. 2019-01-12 22:24:30 +01:00
nix config udpate; polish top-level Justfile 2018-11-03 11:03:03 +01:00			`# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'`
			`disk-mount dir:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v _device diskMount {{ dir }}`

nix config udpate; polish top-level Justfile 2018-11-03 11:03:03 +01:00			`# Unmount target disk, specified by device configuration directory`
			`disk-umount dir:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v _device diskUmount {{ dir }}`
nix config udpate; polish top-level Justfile 2018-11-03 11:03:03 +01:00
nix/devices: implement disk-prepare 2018-11-10 19:24:24 +01:00			`# Perform an offline installation on the mounted target disk, specified by device configuration directory`
just: render templates for offline installations 2018-11-10 19:49:25 +01:00			`disk-install dir: _render_templates`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`just -v _device diskInstall {{ dir }}`
justfile: complete the verify-n-unlock recipe 2021-12-06 21:38:27 +01:00
Justfile: rename remote unlock recipe 2019-01-10 23:31:33 +01:00			`verify-n-unlock sshserver attempts="10":`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -e`
			`env \`
			`GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \`
			`SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \`
			`VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \`
			`VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \`
			`\`
			`just _verify-n-unlock {{ sshserver }} {{ attempts }}`
justfile: complete the verify-n-unlock recipe 2021-12-06 21:38:27 +01:00
			`_verify-n-unlock sshserver attempts:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -e`
			`: ${VNCSOCK:?VNCSOCK must be set}`
			`: ${VNCPW:?VNCPW must be set}`

			`export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"`
			`export TESS_ARGS="-c debug_file=/dev/null --psm 4"`

			`function send() {`
			`local what="${1:?need something to send}"`
			`ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null`
			`}`

			`function expect() {`
			`local what="${1:?need something to expect}"`
			`vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp`
			`convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff`
			`tesseract ${TESS_ARGS} screenshot.tiff screenshot`
			`grep --quiet "${what}" screenshot.txt`
			`}`

			`function send_and_expect() {`
			`local send="${1:?need something to send}"`
			`local expect="${2:?need something to expect}"`
			`if ! send "${send}"; then`
			`echo warning: cannot send > /dev/stderr`
			`return -1`
			`fi`
			`expect "${expect}"`
			`}`

			`trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p \| cut -d " " -f 4); exit $E' EXIT`

			for i in `seq 1 {{ attempts }}`; do
			`echo Attempt $i...`
			`expect="$(pwgen -0 12)"`
			`send="'\0033\0143'${expect}"`
			`if send_and_expect "${send}" "${expect}"; then`
			`pipe=$(mktemp -u)`
			`mkfifo ${pipe}`
			`exec 3<>${pipe}`
			`rm ${pipe}`

			`echo Verification succeeded at attempt $i. Unlocking remote drive...`
			`ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null &`
			`eval ${GETPW} \| head -n1 >&3`

			for j in `seq 1 120`; do
			`sleep 0.5`
			`if expect '— success'; then`
			`echo Unlock successful.`
			`exit 0`
			`fi`
			`done`

			`echo Unlock failed...`
			`exit 1`
			`fi`
			`done`
			`echo Verification failed {{ attempts }} times. Giving up...`
			`exit 1`
Justfile: prototype remote drive unlock 2018-12-17 13:38:12 +01:00
			`_get_pass_entry path key:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`pass show {{ path }}\| grep -E "^{{ key }}:" \| sed -E 's/^[^:]+: *//g'`
fixup! Justfile: add a recipe to run cmds with NIX_PATH set 2019-01-17 22:43:11 +01:00
Justfile: add a recipe to run cmds with NIX_PATH set 2019-01-12 22:34:08 +01:00			`run-with-channels +cmds:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix)`
			`{{ cmds }}`
Justfile: add commands to switch yubikey 2019-07-17 09:46:38 +02:00
Justfile: add convenient wrapper around nixos-install 2020-11-25 21:51:27 +01:00			`install-config config root:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd`
Justfile: add convenient wrapper around nixos-install 2020-11-25 21:51:27 +01:00
Justfile: rename yubikey -> gpg-card 2019-09-06 12:39:24 +02:00			`# Switch between gpg-card capable devices which have a copy of the same key`
tweak gpg related code 2025-04-05 21:33:13 +02:00			`switch-gpg-card key-id="6EEFA706CB17E89B":`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`#`
			`# Derived from https://github.com/drduh/YubiKey-Guide/issues/19.`
			`#`
			`# Connect the new device and then run this script to make it known to gnupg.`
			`#`
			`set -xe`
tweak gpg related code 2025-04-05 21:33:13 +02:00			`if [[ -n "{{key-id}}" ]]; then`
			`KEY_ID="{{key-id}}"`
			`else`
			`KEY_ID=$(gpg --card-status \| rg sec \| rg -o '[0-9A-Z]{16}')`
			`fi`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00
			`# export pubkey and ownertrust`
			`gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"`
			# if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
			`gpg2 --export-ownertrust \| rg "${KEY_ID}" > "${KEY_ID}".ownertrust`

			`# delete the key`
			`gpg --yes --delete-secret-and-public-keys "${KEY_ID}"`

			`# import pubkey and ownertrust back and cleanup`
			`gpg2 --import "${KEY_ID}".pubkey`
			`gpg2 --import-ownertrust < "${KEY_ID}".ownertrust`
			`rm "${KEY_ID}".{pubkey,ownertrust}`

			`# refresh the gpg agent`
			`gpg-connect-agent "scd serialno" "learn --force" /bye`
			`gpg --card-status`
Justfile: add uuid-to-device-name recipe 2020-12-16 10:53:51 +01:00
			# Connect to `remote` UUID, and turn it into a short name
			`uuid-to-device-name remote:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#!/usr/bin/env bash`
			`set -e -o pipefail`
			`ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' \| xxhsum --quiet -H1 \| awk '{print $1}'`
add connection test recipe 2022-01-15 20:37:44 +01:00
			`test-connection:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`#! /usr/bin/env nix-shell`
			`#! nix-shell -p curl zsh`
			`#! nix-shell -i zsh`
			`#! nix-shell --pure`

			`while true; do`
			`FAILURE="false"`
			`output=$(`
			`echo "$(date)\n---"`
			`for url in \`
			`"https://172.16.0.1:65443/0.7/gui/#/login/" \`
			`"https://192.168.0.1" \`
			`"http://172.172.171.9" \`
			`"https://172.172.171.10:65443" \`
			`"https://172.172.171.11:65443" \`
			`"https://172.172.171.13:443" \`
			`"https://172.172.171.14:443" \`
			`"http://172.172.171.15:22" \`
			`"http://172.172.171.16:22" \`
			`"https://crates.io" \`
			`"https://holo.host" \`
			`; \`
			`do`
			`print "trying ${url}": $(`
			`curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1)`
			`# if [ $? -ne 0 ]; then`
			`if [[ "$curl_output" == timeout ]]; then`
			`echo failure: $(echo ${curl_output} \| tail -n1)`
			`# BUG: outer FAILURE is not set by this`
			`FAILURE="true"`
			`else`
			`echo success`
			`fi`
			`)`
			`done`
			`)`
			`clear`
			`echo ${output}`

			`if [[ ${FAILURE} == "true" ]]; then`
			`echo something failed`
			`tracepath -m5 -n1 172.16.0.1`
			`tracepath -m5 -n1 192.168.0.1`
			`fi`

			`sleep 5`
			`done`
feat(Justfile): cachix recipe and apply locally without ssh 2023-05-23 18:09:54 +02:00
			`cachix-use name:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/`
radicale path updates and updatekey command 2024-01-25 00:09:06 +01:00
			`update-sops-keys:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done`
Justfile: convenience commands to working with the router0-dmz0 locally 2025-02-07 11:55:14 +01:00
			`deploy-router0-dmz0:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1`
Justfile: convenience commands to working with the router0-dmz0 locally 2025-02-07 11:55:14 +01:00
			`ttyusb:`
chore: bump and reconfigure treefmt-nix, include just fmt 2025-02-14 16:46:28 +01:00			`screen -fa /dev/ttyUSB0 115200`