auto: bootstrapping sparky

This commit is contained in:
Sam 2024-05-26 13:55:47 +01:00
parent dbcadf5315
commit 29ef289456
2 changed files with 14 additions and 15 deletions


@ -228,11 +228,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716727965, "lastModified": 1716728141,
"narHash": "sha256-NTsv/rWrB2coS62aKKD9GDR2mhzL1MMU+5VYDhh1y6w=", "narHash": "sha256-p9o7xF5Q1II/ngoYw0R+LMTXX3Mehy16e+cs6f1AZgI=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "4973f9b8652f9a829510593f8b17448783054b5e", "rev": "5a984789ff07c749772ece6fcb80373bc218048e",
"revCount": 41, "revCount": 42,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -24,34 +24,33 @@ echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Create temp directory for ssh and luks to be copied to host: # Create temp directory for ssh and luks to be copied to host:
temp_ssh=$(mktemp -d) temp=$(mktemp -d)
temp_luks=$(mktemp -d)
# Function to cleanup temporary directory on exit # Function to cleanup temporary directory on exit
cleanup() { cleanup() {
rm -rf "$temp_ssh" "$temp_luks" rm -rf "$temp"
} }
trap cleanup EXIT trap cleanup EXIT
# Create the directory where services are to find the host keys # Create the directory where services are to find the host keys
install -d -m755 "$temp_ssh/persist/etc/ssh" install -d -m755 "$temp/persist/etc/ssh"
install -d -m755 "$temp_luks/tmp" install -d -m755 "$temp/tmp"
# Extract luks key from secrets # Extract luks key from secrets
luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml") luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml")
echo "$luks_key" > "$temp_luks/luks_secrets.key" echo "$luks_key" > "$temp/tmp/luks_secrets.key"
# Create ssh keys if not exists # Create ssh keys if not exists
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
# Change permissions # Change permissions
chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub" chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -72,7 +71,7 @@ just update-sops-secrets && just update-flake-secrets && just update-flake
cd "$HOME/nixos" cd "$HOME/nixos"
git add . && git commit -m "auto: bootstrapping $hostname" && git push git add . && git commit -m "auto: bootstrapping $hostname" && git push
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" "$temp_luks" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
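Review bot: The LUKS key file written by `echo "$luks_key" > "$temp/tmp/luks_secrets.key"` in the first hunk is created with the caller's umask and, unlike the ssh host key a few lines below it, never gets a `chmod 600`; the enclosing `mktemp -d` directory is private, but the file itself is then shipped to the target via `--extra-files "$temp"` with whatever mode it was created with. `echo` also appends a trailing newline to the key material, and whether the consumer on the target tolerates that is not visible here. I would write it as `printf '%s' "$luks_key" > "$temp/tmp/luks_secrets.key"` followed by `chmod 600 "$temp/tmp/luks_secrets.key"` so the two secrets in `$temp` are handled consistently. Separately, the `[ $? != 0 ] && echo "Error installing Nixos" && exit 1` line in the second hunk prints its diagnostic to stdout; `>&2` would keep it out of any captured output.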