feat: add usb installer (#3)

* feat: new installation method * feat: add new commands list * feat: add demo account * feat: add usb installer picture * feat: update root user packages * feat: update demovm secrets * feat: use home-manager NixOS module
badele · Oct 26, 2024 · b11a3dd · b11a3dd
1 parent 6ddf4f5
commit b11a3dd
Show file tree

Hide file tree

Showing 229 changed files with 4,355 additions and 4,818 deletions.
diff --git a/.envrc b/.envrc
@@ -1 +1 @@
-use flake
+use flake
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,14 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+    - uses: pre-commit/action@v3.0.1
diff --git a/.gitignore b/.gitignore
@@ -6,8 +6,14 @@ docs/nvim/tags
 # direnv
 .direnv
 
-# Devenv
-.devenv*
-devenv.local.nix
+# Private keys
+hosts/*/ssh_host_rsa_key
+hosts/*/ssh_host_ed25519_key
 
-.pre-commit-config.yaml
+# demo user
+users/demo/age-key.txt
+hosts/demovm/secrets.tmp
+hosts/demovm/ssh_host_rsa_key.pub
+hosts/demovm/ssh_host_ed25519_key.pub
+disk-demo.raw
+result
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,58 @@
+repos:
+  - repo: 'https://github.com/pre-commit/pre-commit-hooks'
+    rev: v4.5.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-yaml
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: no-commit-to-branch
+        args: ['--branch', 'main']
+      - id: trailing-whitespace
+  - repo: local
+    hooks:
+      - id: nixpkgs-fmt
+        name: nixpkgs-fmt
+        description: Format nix code with nixpkgs-fmt.
+        language: system
+        entry: nixpkgs-fmt
+        files: \.nix$
+        stages:
+          - commit
+      - id: docupdate
+        name: docupdate
+        description: Update documentation.
+        language: system
+        entry: just doc-update
+        stages:
+          - commit
+        files: ^README\.md$
+      - id: check-secrets
+        name: check-test-age-public-key
+        description: Check test age public key
+        language: python
+        entry: ./.pre-commit-scripts/check-public-test-age-key.py
+        stages:
+          - commit
+        files: secrets\.yml$
+      - id: deno-fmt
+        name: deno-fmt
+        description: Format deno code with deno fmt.
+        language: system
+        entry: deno fmt
+        stages:
+          - commit
+        files: \.ts$
+      - id: deno-lint
+        name: deno-lint
+        description: Lint deno code with deno lint.
+        language: system
+        entry: deno lint
+        stages:
+          - commit
+        files: \.ts$
diff --git a/.pre-commit-scripts/check-public-test-age-key.py b/.pre-commit-scripts/check-public-test-age-key.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+
+from __future__ import annotations
+
+import sys
+import re
+
+# Check if the age key only used on hosts/vm-test folder
+
+import argparse
+from typing import Sequence
+
+# read text file and convert to array
+with open(".sops.yaml") as f:
+    SOPSLINES = f.readlines()
+
+    SOPSLINES = [line for line in SOPSLINES if "&demo" in line or "&demovm" in line]
+
+# Extract age key from SOPSLINES Array
+AGEKEYS = re.findall(r"age[a-z0-9]+", "".join(SOPSLINES))
+
+# Convert to bytes
+AGEKEYS = [str.encode(line) for line in AGEKEYS]
+
+IGNORE = ["hosts/demovm/secrets.yml" "users/demo/secrets.yml"]
+
+
+def main(argv: Sequence[str] | None = None) -> int:
+    parser = argparse.ArgumentParser()
+    parser.add_argument("filenames", nargs="*", help="Filenames to check")
+    args = parser.parse_args(argv)
+
+    age_key_files = []
+
+    # Check if the age key is found in the file
+    for filename in args.filenames:
+        with open(filename, "rb") as f:
+            content = f.read()
+            if any(agekey in content for agekey in AGEKEYS) and filename in IGNORE:
+                age_key_files.append(filename)
+
+    if age_key_files:
+        for age_key_file in age_key_files:
+            print(f"Age key found in a file other than the demo file: {age_key_file}")
+        return 1
+    else:
+        return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
diff --git a/.pre-commit-scripts/updatedoc.ts b/.pre-commit-scripts/updatedoc.ts
@@ -0,0 +1,42 @@
+#!/usr/bin/env -S deno run --allow-sys --allow-read --allow-env --allow-net --allow-run --allow-write
+
+function replaceCode(tag: string, content: string, replace: string): string {
+  const regex = new RegExp(`<!-- ${tag} -->.*/${tag} -->`, "sm");
+  return content.replace(
+    regex,
+    `<!-- ${tag} -->\n\n\`\`\`text\n${replace}\`\`\`\n\n<!-- /${tag} -->`,
+  );
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Read README.md
+///////////////////////////////////////////////////////////////////////////////
+
+const doc = await Deno.readTextFile("README.md");
+
+///////////////////////////////////////////////////////////////////////////////
+// Execute commands
+///////////////////////////////////////////////////////////////////////////////
+
+// List commands
+const cmdcommands = new Deno.Command("just", {});
+let { stdout } = await cmdcommands.output();
+const outputcommands = new TextDecoder().decode(stdout);
+
+// List packages
+const cmdpackages = new Deno.Command("just", { args: ["packages"] });
+({ stdout } = await cmdpackages.output());
+const outputpackages = new TextDecoder().decode(stdout);
+
+///////////////////////////////////////////////////////////////////////////////
+// Replace tags
+///////////////////////////////////////////////////////////////////////////////
+
+let result = replaceCode("COMMANDS", doc, outputcommands);
+result = replaceCode("PACKAGES", result, outputpackages);
+
+///////////////////////////////////////////////////////////////////////////////
+// Update READLE.md
+///////////////////////////////////////////////////////////////////////////////
+
+await Deno.writeTextFile("README.md", result);
diff --git a/.sops.yaml b/.sops.yaml
@@ -2,14 +2,17 @@ keys:
   # Users
   - &users: # nix-shell -p age --run 'age-keygen'
     - &badele age15js628ku59g94njn0vup20r4xx34guesgsj5dqsken5hma2zqg2szjed66
+    - &demo age1x703g2zquc2uv5lzz79rvj3m9g868wft6lp8g5sp9qsnaa3ld5esas4nqk
   # Hosts
-  - &hosts: # inv ssh-init-host-key
-    - &rpi40 age152ud7upe5xylsvf7kkfpdz6x99r6hcmkam8gwntfdv0px70f0u0sqzc8qe 
+  - &hosts: # just nixos-init-host <HOST>
+    - &rpi40 age152ud7upe5xylsvf7kkfpdz6x99r6hcmkam8gwntfdv0px70f0u0sqzc8qe
     - &sadhome age1qfarvkm9ejyfu785vmawj5vve3uffsh7r78pef4ec3njl9vfgs2sx3524g
     - &sam age1x363tjjzx6j77j3m4zynkjgyj38qcyf4wah5mc8mtjt5yt6zvgxqr3z7px
     - &bootstore age1ejza6f2xzycq7jj2eu8fyg5vjdctljttm67mfteyd4k7wzvdyc8s7sc8jh
     - &badxps age1w9v05mvydywp39cq8tmgxjh8yc2w86qpp9aa4zt9ukf0qq8n5y4s5tkn7z
     - &b4d14 age1r7d0v4nudrv9wy7rvh784lnmzspm24uja6c6hrhhwjy7qf4e5d5q04gf3x
+    - &srvhoma age1jldv57mqz6ahwcm62efelumv22ngyvxjff8736shx9kycu9z7a4q7a3xdl
+    - &demovm age1j9szuan8nt709ewa5f6vlkhde0zg2kmlfccqarfu74dhg2a5h3jsrhxg2g
 
 creation_rules:
   - path_regex: users/badele/secrets.yml$
@@ -29,6 +32,7 @@ creation_rules:
           - *sadhome
           - *sam
           - *b4d14
+          - *srvhoma
 
   - path_regex: hosts/rpi40/secrets.yml$
     key_groups:
@@ -65,3 +69,22 @@ creation_rules:
       - age:
           - *badele
           - *b4d14
+
+  - path_regex: hosts/srvhoma/secrets.yml$
+    key_groups:
+      - age:
+          - *badele
+          - *srvhoma
+
+  # Tempory test credential before encryption
+  - path_regex: hosts/demovm/secrets.tmp$
+    key_groups:
+      - age:
+          - *demo
+          - *demovm
+
+  - path_regex: hosts/demovm/secrets.yml$
+    key_groups:
+      - age:
+          - *demo
+          - *demovm