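# Task runner for this Nix configuration repository.
#
# Responsibilities:
#   - render per-device channel pins (`versions.nix`) from `versions.tmpl.nix`
#     templates with `esh`, and commit them only after a successful rebuild;
#   - rebuild NixOS / home-manager for this host, a remote host, or an
#     offline disk (mount -> install -> unmount);
#   - operator helpers: verified remote LUKS unlock, gpg card switching,
#     qtile iteration inside Xephyr.
#
# Recipes prefixed with `_` are internal helpers and hidden from `just -l`.

# Print the path of the default versions template.
_DEFAULT_VERSION_TMPL:
    echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"

# Print the path of the default rendered versions file.
_DEFAULT_VERSION:
    echo "{{invocation_directory()}}/nix/variables/versions.nix"

_usage:
    just -l

# Re-render the default versions
update-default-versions:
    #!/usr/bin/env bash
    set -e
    template="$(just _DEFAULT_VERSION_TMPL)"
    outfile="$(just _DEFAULT_VERSION)"
    esh -o "${outfile}" "${template}"

# Build `channelSources` for the given versions file and print the resulting
# store path. Callers `source` that path to bring the pinned channels into
# their environment. The nix-build command is traced to stderr via `set -x`.
_get_nix_path versionsPath:
    echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}})

# Evaluate `recipes.<recipe>` from the default.nix next to the device
# directory and execute the resulting store path, with the device's pinned
# channels sourced first. `moreargs` is passed verbatim to nix-build.
_device recipe dir +moreargs="":
    #!/usr/bin/env bash
    set -ex
    source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
    $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})

# Render the vcsh dotfiles template. Skipped when there is no route to the
# WAN (the pre-eval script presumably needs network access -- confirm).
_render_templates:
    #!/usr/bin/env bash
    set -ex
    if ! ip route get 1.1.1.1; then
        echo No route to WAN. Skipping template rendering...
    else
        source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
        nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
    fi

# Run the `rebuild` recipe for a device directory. `rebuildarg` is the
# nixos-rebuild action (dry-activate by default, so nothing is activated
# unless explicitly requested); `moreargs` is forwarded to nix-build.
_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
    #!/usr/bin/env bash
    set -ex
    just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}

# Rebuild a remote device over SSH (`--target-host <target>`).
rebuild-remote-device device target rebuildarg="dry-activate" :
    #!/usr/bin/env bash
    set -ex
    just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"

# Rebuild this device's NixOS
rebuild-this-device rebuildarg="dry-activate":
    #!/usr/bin/env bash
    set -e
    # home-manager gets `switch` only when the system does; every other
    # system action (dry-activate, boot, ...) is mapped to a plain `build`.
    function parse_hm_rebuildarg() {
        case $1 in
            switch) echo switch ;;
            *) echo build ;;
        esac
    }
    # Full build output goes to per-host log files and is only dumped to the
    # terminal when a rebuild fails.
    export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
    export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log
    echo Rebuilding system in {{rebuildarg}}-mode...
    if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then
        echo System rebuild successful
    else
        cat ${SYSREBUILD_LOG}
        echo ERROR: system rebuild failed
        exit 1
    fi
    if type home-manager > /dev/null 2>&1; then
        echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode...
        source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix)
        if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then
            echo Home rebuild successful
        else
            cat ${HOMEREBUILD_LOG}
            echo ERROR: home rebuild failed
            exit 1
        fi
    fi

# Re-render the versions of a remote device and rebuild its environment
update-remote-device device target rebuildmode='switch':
    #!/usr/bin/env bash
    set -e
    template=nix/os/devices/{{device}}/versions.tmpl.nix
    outfile=nix/os/devices/{{device}}/versions.nix
    # Devices without their own template fall back to the shared one.
    if ! test -e "${template}"; then
        template="$(just _DEFAULT_VERSION_TMPL)"
    fi
    esh -o "${outfile}" "${template}"
    if ! test "$(git diff "${outfile}")"; then
        echo Already on latest versions
        exit 0
    fi
    # Dry run first. If the new pins do not even dry-activate, restore the
    # committed versions file so a broken pin set is not left in the tree.
    just -v rebuild-remote-device {{device}} {{target}} dry-activate || {
        echo ERROR: rebuild in mode 'dry-activate' failed after updating ${outfile}, reverting...
        git checkout -- "${outfile}"
        exit 1
    }
    just -v rebuild-remote-device {{ device }} {{ target }} {{ rebuildmode }} || {
        echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
        exit 1
    }
    # Only a pin set that rebuilt successfully gets committed.
    git commit -v "${outfile}" -m "nix/os/devices/{{ device }}: bump versions"

# Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch':
    #!/usr/bin/env bash
    set -e
    template=nix/os/devices/$(hostname -s)/versions.tmpl.nix
    outfile=nix/os/devices/$(hostname -s)/versions.nix
    # Devices without their own template fall back to the shared one.
    if ! test -e "${template}"; then
        template="$(just _DEFAULT_VERSION_TMPL)"
    fi
    esh -o "${outfile}" "${template}"
    if ! test "$(git diff "${outfile}")"; then
        echo Already on latest versions
        exit 0
    fi
    export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
    # Dry run first; on failure the rendered file is actually reverted, as
    # the message promises.
    just -v rebuild-this-device dry-activate || {
        echo ERROR: Update failed, reverting ${outfile}...
        git checkout -- "${outfile}"
        exit 1
    }
    just -v rebuild-this-device {{rebuild-mode}} || {
        echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed
        exit 1
    }
    git commit -v "${outfile}" -m "nix/os/devices/$(hostname -s): bump versions"

# Rebuild an offline system
rebuild-disk device:
    #!/usr/bin/env bash
    set -xe
    just -v disk-mount {{device}}
    # Always unmount, even if the install below fails.
    trap "set +e; just -v disk-umount {{device}}" EXIT
    just -v disk-install {{device}}

# Re-render the versions of the given offline system and reinstall it in offline-mode
update-disk dir:
    #!/usr/bin/env bash
    set -exuo pipefail
    dir={{dir}}
    template={{dir}}/versions.tmpl.nix
    outfile={{dir}}/versions.nix
    # Devices without their own template fall back to the shared one.
    if ! test -e "${template}"; then
        template="$(just _DEFAULT_VERSION_TMPL)"
    fi
    esh -o "${outfile}" "${template}"
    if ! test "$(git diff "${outfile}")"; then
        echo Already on latest versions
        exit 0
    fi
    export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
    # On failure the rendered file is actually reverted, as the message promises.
    just -v rebuild-disk {{dir}} || {
        echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
        git checkout -- "${outfile}"
        exit 1
    }
    git commit -v "${outfile}" -m "${dir}: bump versions"

# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
hm-iterate-qtile:
    #!/usr/bin/env bash
    set -xe
    home-manager switch || just -v rebuild-this-device switch
    # NOTE: `-ac` disables X access control on display :1, so any local
    # process can attach to the nested server. Fine for a single-user
    # workstation; do not run this on a shared host.
    Xephyr -ac -br -resizeable :1 &
    XEPHYR_PID=$!
    echo ${XEPHYR_PID}
    DISPLAY=:1 $(grep qtile ~/.xsession) &
    echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
    wait $!
    kill ${XEPHYR_PID}

# `rebuildarg "dummy"` is a placeholder: the disk recipes appear to require
# the argument but do not perform a rebuild.
# !!! DANGEROUS !!! This wipes the disk which is configured for the given device. No confirmation is asked.
disk-prepare dir:
    just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy"

# Relabel the configured disk; `previous` is the disk id it currently carries.
disk-relabel dir previous:
    just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}}

# Mount the target disk specified by device configuration directory.
# The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir:
    just -v _device diskMount {{dir}} --argstr rebuildarg "dummy"

# Unmount target disk, specified by device configuration directory
disk-umount dir:
    just -v _device diskUmount {{dir}} --argstr rebuildarg "dummy"

# Perform an offline installation on the mounted target disk, specified by device configuration directory
disk-install dir: _render_templates
    just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy"

# Verify that the SSH target and the VNC console belong to the same machine,
# then feed the disk passphrase to the remote `cryptsetup-askpass`.
#
# Verification: a random token is written to the target's /dev/tty0 over SSH
# and must be read back (OCR) from a VNC screenshot of the console. This
# guards against handing the LUKS passphrase to a host that merely answers on
# the expected SSH address (stale initrd, wrong VM, spoofed endpoint).
#
# Required environment:
#   VNCSOCK, VNCPW  vncdo server and password
#   SSHOPTS         options for the initrd SSH session (host-key handling etc.)
#   GETPW           command, eval'd locally, whose first output line is the passphrase
verify-n-unlock sshserver attempts="10":
    #!/usr/bin/env bash
    set -e
    : ${VNCSOCK:?VNCSOCK must be set}
    : ${VNCPW:?VNCPW must be set}
    : ${SSHOPTS:?SSHOPTS must be set}
    : ${GETPW:?GETPW must be set to a command printing the passphrase}
    # Preprocessing that makes console text legible for tesseract.
    export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
    export TESS_ARGS="-c debug_file=/dev/null --psm 4"
    # Private scratch dir (0700): console screenshots and the passphrase FIFO
    # must not land in the (possibly shared, version-controlled) cwd under a
    # predictable name.
    workdir="$(mktemp -d)"
    function send() {
        local what="${1:?need something to send}"
        ssh -4 ${SSHOPTS} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
    }
    function expect() {
        local what="${1:?need something to expect}"
        vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture "${workdir}/screenshot.bmp"
        convert ${MAGICK_ARGS} "${workdir}/screenshot.bmp" "${workdir}/screenshot.tiff"
        tesseract ${TESS_ARGS} "${workdir}/screenshot.tiff" "${workdir}/screenshot"
        grep --quiet "${what}" "${workdir}/screenshot.txt"
    }
    function send_and_expect() {
        local send="${1:?need something to send}"
        local expect="${2:?need something to expect}"
        if ! send "${send}"; then
            echo warning: cannot send >&2
            return 1
        fi
        expect "${expect}"
    }
    # On exit: stop the background ssh session (if any) and wipe the scratch
    # dir so no screenshot of the console survives. `jobs -p` prints bare PIDs.
    trap 'E=$?; set +e; echo Exiting...; kill $(jobs -p) 2>/dev/null; rm -rf "${workdir}"; exit $E' EXIT
    for i in $(seq 1 {{attempts}}); do
        echo Attempt $i...
        expect="$(pwgen -0 12)"
        # ESC c resets the console so the token is drawn on a clean screen.
        send="'\0033\0143'${expect}"
        if send_and_expect "${send}" "${expect}"; then
            echo Verification succeeded at attempt $i. Unlocking remote drive...
            # The passphrase travels through a FIFO on fd 3 into ssh's stdin;
            # it never appears on a command line or in a file.
            pipe="${workdir}/askpass.fifo"
            mkfifo -m 600 "${pipe}"
            exec 3<>"${pipe}"
            rm "${pipe}"
            ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
            eval ${GETPW} | head -n1 >&3
            for j in $(seq 1 120); do
                sleep 0.5
                if expect '— success'; then
                    echo Unlock successful.
                    exit 0
                fi
            done
            echo Unlock failed...
            exit 1
        fi
    done
    echo Verification failed {{attempts}} times. Giving up...
    exit 1

# Print the value of `key: value` line <key> from the pass entry <path>.
# The value is written to stdout, so only capture it into a variable or a pipe.
_get_pass_entry path key:
    pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }'
# jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:")

# Run a command with the default pinned channels sourced into the environment.
run-with-channels +cmds:
    #!/usr/bin/env bash
    source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
    {{cmds}}

# Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card:
    #!/usr/bin/env bash
    #
    # Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
    #
    # Connect the new device and then run this script to make it known to gnupg.
    #
    # Only the public key and ownertrust are exported and re-imported; the
    # secret key stubs are deleted so gnupg re-learns them from the new card.
    set -xe
    KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')
    : "${KEY_ID:?could not determine the key id from gpg --card-status}"
    # export pubkey and ownertrust
    gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
    gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust
    # delete the key
    gpg --yes --delete-secret-and-public-keys "${KEY_ID}"
    # import pubkey and ownertrust back and cleanup
    gpg2 --import "${KEY_ID}".pubkey
    gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
    rm "${KEY_ID}".{pubkey,ownertrust}
    # refresh the gpg agent
    gpg-connect-agent "scd serialno" "learn --force" /bye
    gpg --card-status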