nixos/scripts/bootstrap.sh

#!/usr/bin/env bash

echo -e "
Before using this tool, ensure that the host has been setup correctly.
Boot the latest Nixos-minimal install ISO on the host and access the tty.

Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally
Run 'passwd' and set a temporary password (something simple like '1234') 
for the root user.
"

read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0

# Target host details
cd ~
read -p "Enter hostname: " hostname
read -p "Enter username: " username
read -p "Enter ip address: " ip
read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config

echo "
Details entered:
Hostname: $hostname
Username: $username
IP address: $ip
System to build: $config
"
read -p "Is this correct? (yes|no): " check_details
[ "$check_details" != "yes" ] && echo "Try again. Exiting" && exit 0

# Generate key name and dir
HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
USER_KEY_DIR="$HOME/keys/users/$username"
mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR"

# Create ssh keys if not exists
echo "Creating '$hostname' ssh keys"
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
echo "Creating '$username' ssh keys"
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "user" --username "$username" --hostname "$hostname"

# Delete key in known hosts if exists
sed -i "/$ip/d" ~/.ssh/known_hosts 

# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"

# Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key"
nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
nix-shell -p ssh-to-age --run "cat $USER_KEY_DIR/id_ed25519.pub | ssh-to-age > $USER_KEY_DIR/age_user_key"
HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
USER_AGE_KEY=$(cat "$USER_KEY_DIR/age_user_key")
echo -e "Host age key:\n$HOST_AGE_KEY\n"
echo -e "User age key:\n$USER_AGE_KEY\n"
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."

# Install Nixos to target
cd "$HOME/nixos"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1

## Delete keys from local known_hosts
echo "Deleting host from known_hosts"
sed -i "/$ip/d" ~/.ssh/known_hosts

# Check host OS has booted (and not booted back into live cd)
while true;
do
  read -p "Confirm live CD has been removed... (yes|no): " confirm
  [ "$confirm" = "yes" ] && break
done
echo "Waiting for $ip to come back online and port 22 to be open..."
while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
do
    echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
    sleep 5
done
echo "$ip is now online and port 22 is open!"

# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip"

# Copy host ssh keys to target & delete key in known hosts (because of key change)
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key" && sed -i "/$ip/d" ~/.ssh/known_hosts
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"

# Copy user ssh keys to target
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519_key" "$username@$ip:~/.ssh/id_ed25519"
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519_key.pub" "$username@$ip~/.ssh/id_ed25519.pub"

# Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"

echo "Configuring target host ssh connection to enable connection to gitea repos:"
read -r -d '' config << EOM
Host git.bitlab21.com
    IdentitiesOnly yes
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/deploy_key-ssh-ed25519
EOM
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'

echo -e "
Complete!

Now add the new target host age key to .sops.yaml. This is needed to enable the
new host to decrypt the secrets.yaml file from the ssh key we generated
previously.

Enter the details as following:
keys:
- &users:
    - &$username $USER_AGE_KEY
- &hosts:
    - &$hostname $HOST_AGE_KEY

creation_rules:
  - path_regex: secrets.yaml$
    key_groups:
      - age:
        - *$username
        - *$hostname

Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:

  'sops --config .sops.yaml updatekeys secrets.yaml' 

or with just:

  'just update-sops-secrets'

Then commit and push these changes to remote so they can be accessed on the new
host.
"

while true;
do
  read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm
  [ "$confirm" = "yes" ] && break
done

ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"

echo "Successfully installed Nixos on the target host!"
echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"