feat(nixos-anywhere): add deploy script and docs in README.md

README.md

@@ -12,6 +12,29 @@ Secrets are stored in secrets/secrets.yaml. You can edit these secrets with `sop
 
 To decrypt these secrets with sops-nix during a rebuild, you must add your host public key to the `.sops.yaml` file. Generate it with `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age`, add it to the file, then run `sops updatekeys secrets/secrets.yaml`.
 
+# Provisioning A New Machine
+
+On the target system, boot into the NixOS installer and run:
+
+```bash
+# Create a password for the nixos user for SSH access.
+passwd
+
+# Start wpa_supplicant and connect to a wifi network.
+sudo systemctl start wpa_supplicant
+wpa_cli
+> add_network
+> set_network 0 ssid "SSID"
+> set_network 0 psk "password"
+> enable_network 0
+> quit
+
+# Get the IP address of the target system.
+ip addr
+```
+
+On the host machine, run the command `deploy --flake .#<hostname> --target-host <username>@<ip_address>` to build the new system configuration and copy it over SSH along with the sops age key and ssh keys.
+
 # Acknowledgements
 
 - https://www.youtube.com/watch?v=CwfKlX3rA6E for piquing my interest in this OS in the first place

configs/shell/scripts/default.nix

@@ -11,6 +11,7 @@
 
       (pkgs.writeShellScriptBin "rebuild" (builtins.readFile ./rebuild.sh))
       (pkgs.writeShellScriptBin "byebye" (builtins.readFile ./byebye.sh))
+      (pkgs.writeShellScriptBin "deploy" (builtins.readFile ./deploy.sh))
     ];
   };
 }

configs/shell/scripts/deploy.sh

@@ -0,0 +1,43 @@
+# Set default values
+flake=".#default" # Default flake attribute if none is provided
+target_host="nixos@<hostname>" # Default target host
+
+# Process command-line arguments
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --flake)
+      flake="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    --target-host)
+      target_host="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    *)
+      echo "Unknown option: $1" >&2
+      exit 1
+      ;;
+  esac
+done
+
+# Prepare temporary directory and copy necessary files
+root=$(mktemp -d)
+sudo mkdir -p ${root}/home/rafiq/.config/sops/age
+sudo cp ~/.config/sops/age/keys.txt "${root}/home/rafiq/.config/sops/age/keys.txt"
+sudo mkdir -p ${root}/home/rafiq/.ssh
+sudo cp ~/.ssh/id_ed25519 "${root}/home/rafiq/.ssh/id_ed25519"
+sudo cp ~/.ssh/id_ed25519.pub "${root}/home/rafiq/.ssh/id_ed25519.pub"
+
+# Run nixos-anywhere
+sudo nix run github:nix-community/nixos-anywhere -- \
+  --flake "${flake}" \
+  --target-host "${target_host}" \
+  --copy-host-keys \
+  --extra-files "${root}" \
+  --chown /home/rafiq/.config 1000:100 \
+  --chown /home/rafiq/.ssh 1000:100
+
+# Clean up the temporary directory
+sudo rm -rf "$root"

configs/users.nix

@@ -18,19 +18,27 @@
   time.timeZone = "Asia/Singapore";
   i18n.defaultLocale = "en_SG.UTF-8";
 
-  users.mutableUsers = false; # Always reset users on system activation
+  users = {
+    mutableUsers = false; # Always reset users on system activation
 
-  users.users.rafiq = {
-    isNormalUser = true;
-    description = "rafiq";
-    hashedPasswordFile = config.sops.secrets.password.path;
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-    ];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"
-    ];
+    groups.users = {
+      gid = 100;
+      members = [ "rafiq" ];
+    };
+
+    users.rafiq = {
+      isNormalUser = true;
+      description = "rafiq";
+      hashedPasswordFile = config.sops.secrets.password.path;
+      uid = 1000;
+      extraGroups = [
+        "networkmanager"
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"
+      ];
+    };
   };
 
   home-manager.users.rafiq.home = {
@@ -38,5 +46,4 @@
     homeDirectory = "/home/rafiq";
     stateVersion = "25.05";
   };
-
 }