From 2208bcf968b3e83e399c4e05ddb4cd7abbc85a67 Mon Sep 17 00:00:00 2001 From: Sam Date: Tue, 21 Jan 2025 11:05:08 +0000 Subject: [PATCH] modify bootstrap script and change btrfsMountDevice in merlin --- hosts/common/disks/basic.nix | 36 +++++++++++++ hosts/common/disks/default.nix | 9 ++-- .../common/disks/ext4/{basic.nix => ext4.nix} | 0 hosts/merlin/default.nix | 3 +- scripts/bootstrap.sh | 53 +++++++++++-------- 5 files changed, 71 insertions(+), 30 deletions(-) create mode 100644 hosts/common/disks/basic.nix rename hosts/common/disks/ext4/{basic.nix => ext4.nix} (100%) diff --git a/hosts/common/disks/basic.nix b/hosts/common/disks/basic.nix new file mode 100644 index 0000000..a05b8ce --- /dev/null +++ b/hosts/common/disks/basic.nix @@ -0,0 +1,36 @@ +{ +device ? throw "Must define a device, e.g. /dev/sda", +fsModule ? "Must specify submodule" +}: +{ + disko.devices = { + disk = { + main = { + type = "disk"; + inherit device; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + start = "1M"; + end = "128M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = ["umask=0077"]; + }; + }; + root = { + size = "100%"; + content = import "${fsModule}"; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/common/disks/default.nix b/hosts/common/disks/default.nix index 45c392d..29d903a 100644 --- a/hosts/common/disks/default.nix +++ b/hosts/common/disks/default.nix @@ -1,11 +1,8 @@ { device, fsType, encrypted, impermanence, ... }: let fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix; - basic = import ./${fsType}/basic.nix { inherit device; }; - lvm = import ./lvm.nix { inherit device; fsModule = fsModule; }; + basic = import ./basic.nix { inherit device; fsModule = fsModule; }; luks = import ./luks.nix { inherit device; fsModule = fsModule; }; in -if fsType == "ext4" then basic -else if fsType == "btrfs" && encrypted then luks -else if fsType == "btrfs" then lvm -else null +if fsType == "btrfs" && encrypted then luks +else basic diff --git a/hosts/common/disks/ext4/basic.nix b/hosts/common/disks/ext4/ext4.nix similarity index 100% rename from hosts/common/disks/ext4/basic.nix rename to hosts/common/disks/ext4/ext4.nix diff --git a/hosts/merlin/default.nix b/hosts/merlin/default.nix index e6f4621..0d334cf 100644 --- a/hosts/merlin/default.nix +++ b/hosts/merlin/default.nix @@ -9,8 +9,9 @@ fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f"; encrypted = false; # currrently only applies to btrfs - btrfsMountDevice = "/dev/root_vg/root"; + btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2"; impermanence = true; + piholeIp = configVars.networking.addresses.pihole.ip; gatewayIp = configVars.networking.addresses.gateway.ip; merlinIp = configVars.networking.addresses.merlin.ip; diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 98b07ba..ad53ed8 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -40,33 +40,40 @@ trap cleanup EXIT # Create the directory for target host keys install -d -m755 "$temp$persist/etc/ssh" -# Create ssh keys -echo "Creating '$hostname' ssh keys" -ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" +# Extract ssh keys from secrets +echo "Extracting ssh keys" +ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") +echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key +ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") +echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub -# Extract luks key from secrets -luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") -echo "$luks_secret" > /tmp/luks_secret.key +# # Extract luks key from secrets +# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml") +# echo "$luks_secret" > /tmp/luks_secret.key -# Generate age key from target host and user public ssh key -echo "Generating age key from target host and user ssh key" -HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") -echo -e "Host age key:\n$HOST_AGE_KEY\n" +# # Create ssh keys +# echo "Creating '$hostname' ssh keys" +# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" -# Update .sops.yaml with new age key: -SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" -sed -i "{ -# Remove any * and & entries for this host -/[*&]$hostname/ d; -# Inject a new age: entry -# n matches the first line following age: and p prints it, then we transform it while reusing the spacing -/age:/{n; p; s/\(.*- \*\).*/\1$hostname/}; -# Inject a new hosts: entry -/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} -}" "$SOPS_FILE" +# # Generate age key from target host and user public ssh key +# echo "Generating age key from target host and user ssh key" +# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +# echo -e "Host age key:\n$HOST_AGE_KEY\n" -# Commit and push changes to sops file -just update-sops-secrets && just update-flake-secrets && just update-flake +# # Update .sops.yaml with new age key: +# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml" +# sed -i "{ +# # Remove any * and & entries for this host +# /[*&]$hostname/ d; +# # Inject a new age: entry +# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing +# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/}; +# # Inject a new hosts: entry +# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} +# }" "$SOPS_FILE" + +# # Commit and push changes to sops file +# just update-sops-secrets && just update-flake-secrets && just update-flake # Copy current nix config over to target echo "copying current nix config to host"