add host private key with sops
parent
8a1eba393a
commit
547504e3c4
|
@ -58,11 +58,11 @@
|
|||
"nix-secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1716456952,
|
||||
"narHash": "sha256-fd57j4M++Fte1hrRZkDIqGbYbimqPNmERlFr/Fbh1Ek=",
|
||||
"lastModified": 1716466093,
|
||||
"narHash": "sha256-B0mG+hGm8GORE7Ect7VVLM6u9yQ5678VpId9AsspMeA=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "f5abdf254dbee888be5f65c96a4a571f2a91da91",
|
||||
"revCount": 28,
|
||||
"rev": "df65c3c791df7ad2e46a6917d3a75121138895de",
|
||||
"revCount": 29,
|
||||
"type": "git",
|
||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||
},
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{ inputs, config, lib, pkgs, outputs,... }:
|
||||
let
|
||||
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
in
|
||||
{
|
||||
imports =
|
||||
|
@ -10,10 +12,10 @@ in
|
|||
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||
../common/optional/btrfs-impermanence.nix
|
||||
inputs.impermanence.nixosModules.impermanence
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
|
||||
# Import core options
|
||||
./hardware-configuration.nix
|
||||
../common/core
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
|
@ -40,6 +42,15 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "uk";
|
||||
useXkbConfig = false;
|
||||
};
|
||||
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
|
@ -64,6 +75,21 @@ in
|
|||
enableIPv6 = false;
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = "${secretsFile}";
|
||||
validateSopsFiles = false;
|
||||
|
||||
age = {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
};
|
||||
secrets = {
|
||||
"passwords/root".neededForUsers = true;
|
||||
"ssh_keys/deploy_key/id_ed25519" = {
|
||||
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
ports = [22];
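Review bot: `validateSopsFiles = false;` (the line after `defaultSopsFile`) switches off sops-nix's build-time check that the referenced secrets file exists and is a well-formed sops document, so a wrong `secretsFile` path or a corrupted `secrets.yaml` is only noticed when activation runs and the host comes up without its secrets. `secretsFile` is derived from the `inputs.nix-secrets` flake input, so the file is presumably in the store at evaluation time; if validation is disabled on purpose, a one-line comment saying why would save the next reader a guess, e.g. `# validateSopsFiles off: nix-secrets is a private flake input — TODO confirm this is still needed`. Two smaller points: `defaultSopsFile = "${secretsFile}";` can simply be `defaultSopsFile = secretsFile;`, and since this file imports `../common/optional/btrfs-impermanence.nix`, the `/etc/ssh/ssh_host_ed25519_key` listed in `age.sshKeyPaths` must survive reboots or sops cannot decrypt anything at boot — the impermanence module is not visible here, so please confirm it is persisted. The `services.openssh` block at the end of the hunk continues outside it.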
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
let
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
hostname = config.networking.hostName;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
@ -21,6 +22,15 @@ in
|
|||
"ssh_keys/deploy_key/id_ed25519" = {
|
||||
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||
};
|
||||
"ssh_keys/deploy_key/id_ed25519.pub" = {
|
||||
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
|
||||
};
|
||||
"ssh_keys/${hostname}/id_ed25519" = {
|
||||
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||
};
|
||||
"ssh_keys/${hostname}/id_ed25519.pub" = {
|
||||
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
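Review bot: The two new entries `"ssh_keys/${hostname}/id_ed25519"` and `"ssh_keys/${hostname}/id_ed25519.pub"` reuse the exact `path` values of the `deploy_key` entries directly above them (`/etc/ssh/deploy_key-ssh-ed25519` and its `.pub`), so two distinct secrets are declared for the same target file and one will overwrite the other at activation (whether sops-nix reports the collision I cannot confirm). This reads like a copy-paste slip; the per-host key presumably needs its own destination, e.g. `path = "/etc/ssh/${hostname}-ssh-ed25519";` — check against whatever consumes this file. If the intent is for this to become the machine's SSH host key at `/etc/ssh/ssh_host_ed25519_key`, note that the same file is what `sops.age.sshKeyPaths` decrypts with, so it cannot itself be delivered by sops on a fresh host. The enclosing `sops.secrets` set starts before this hunk.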
|
||||
|
|
|
@ -92,42 +92,6 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
|||
# Copy deploy_key to target for personal repo authorisation
|
||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
|
||||
|
||||
echo -e "
|
||||
Complete!
|
||||
|
||||
Now add the new target host age key to .sops.yaml. This is needed to enable the
|
||||
new host to decrypt the secrets.yaml file from the ssh key we generated
|
||||
previously.
|
||||
|
||||
Enter the details as following:
|
||||
keys:
|
||||
- &hosts:
|
||||
- &$hostname $HOST_AGE_KEY
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *$hostname
|
||||
|
||||
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
|
||||
|
||||
'sops --config .sops.yaml updatekeys secrets.yaml'
|
||||
|
||||
or with just:
|
||||
|
||||
'just update-sops-secrets'
|
||||
|
||||
Then commit and push these changes to remote so they can be accessed on the new
|
||||
host.
|
||||
"
|
||||
|
||||
while true;
|
||||
do
|
||||
read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm
|
||||
[ "$confirm" = "yes" ] && break
|
||||
done
|
||||
|
||||
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
|
||||
|
||||
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
||||
|
|