diff --git a/flake.lock b/flake.lock index c7fb6a6..943884a 100644 --- a/flake.lock +++ b/flake.lock @@ -58,11 +58,11 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1716456952, - "narHash": "sha256-fd57j4M++Fte1hrRZkDIqGbYbimqPNmERlFr/Fbh1Ek=", + "lastModified": 1716466093, + "narHash": "sha256-B0mG+hGm8GORE7Ect7VVLM6u9yQ5678VpId9AsspMeA=", "ref": "refs/heads/master", - "rev": "f5abdf254dbee888be5f65c96a4a571f2a91da91", - "revCount": 28, + "rev": "df65c3c791df7ad2e46a6917d3a75121138895de", + "revCount": 29, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/hosts/bootstrap/default.nix b/hosts/bootstrap/default.nix index 2569098..2862f4c 100644 --- a/hosts/bootstrap/default.nix +++ b/hosts/bootstrap/default.nix @@ -1,6 +1,8 @@ { inputs, config, lib, pkgs, outputs,... }: let pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); + secretsDirectory = builtins.toString inputs.nix-secrets; + secretsFile = "${secretsDirectory}/secrets.yaml"; in { imports = @@ -10,10 +12,10 @@ in (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) ../common/optional/btrfs-impermanence.nix inputs.impermanence.nixosModules.impermanence + inputs.sops-nix.nixosModules.sops # Import core options ./hardware-configuration.nix - ../common/core ]; nixpkgs = { @@ -40,6 +42,15 @@ in ]; }; + + i18n.defaultLocale = "en_GB.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "uk"; + useXkbConfig = false; + }; + + boot = { loader = { systemd-boot.enable = true; @@ -64,6 +75,21 @@ in enableIPv6 = false; }; + sops = { + defaultSopsFile = "${secretsFile}"; + validateSopsFiles = false; + + age = { + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; + secrets = { + "passwords/root".neededForUsers = true; + "ssh_keys/deploy_key/id_ed25519" = { + path = "/etc/ssh/deploy_key-ssh-ed25519"; + }; + }; + }; + services.openssh = { enable = true; ports = [22]; 
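Review bot: The `sops` block added in the last hunk of hosts/bootstrap/default.nix, together with the `secretsDirectory`/`secretsFile` bindings added in its first hunk, is a copy of hosts/common/core/sops.nix, and this same commit extends that module with `.pub` and per-host entries that the bootstrap copy does not receive, so the two already diverge. Since the second hunk removes `../common/core` from `imports`, consider importing `../common/core/sops.nix` directly instead of inlining it, or add a comment stating why the bootstrap host deliberately carries only `passwords/root` and the deploy key; dropping `../common/core` also removes whatever else that directory wires in, which is worth confirming is intended here. `validateSopsFiles = false;` switches off the evaluation-time check that the named secrets exist in the sops file, so a typo in `passwords/root` or `ssh_keys/deploy_key/id_ed25519` only surfaces when the host activates; as `inputs.nix-secrets` is a flake input, it may be possible to leave the check on. Minor: `defaultSopsFile = "${secretsFile}";` interpolates a value that is already a string and reads better as `defaultSopsFile = secretsFile;`.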
diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix index dbd1b64..1da254d 100644 --- a/hosts/common/core/sops.nix +++ b/hosts/common/core/sops.nix @@ -3,6 +3,7 @@ let secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; + hostname = config.networking.hostName; in { imports = [ @@ -21,6 +22,15 @@ in "ssh_keys/deploy_key/id_ed25519" = { path = "/etc/ssh/deploy_key-ssh-ed25519"; }; + "ssh_keys/deploy_key/id_ed25519.pub" = { + path = "/etc/ssh/deploy_key-ssh-ed25519.pub"; + }; + "ssh_keys/${hostname}/id_ed25519" = { + path = "/etc/ssh/deploy_key-ssh-ed25519"; + }; + "ssh_keys/${hostname}/id_ed25519.pub" = { + path = "/etc/ssh/deploy_key-ssh-ed25519.pub"; + }; }; }; } diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 9c556e3..9916865 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
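Review bot: The new `"ssh_keys/${hostname}/id_ed25519"` and `"ssh_keys/${hostname}/id_ed25519.pub"` entries in the second hunk are installed to exactly the same destinations as the existing `deploy_key` pair (`/etc/ssh/deploy_key-ssh-ed25519` and its `.pub`), so two secrets compete for one file and which content ends up there is not defined by this module. Either drop the `deploy_key` pair if the per-host key is meant to replace it, or give the per-host pair its own destination, e.g. `path = "/etc/ssh/<host-specific-filename>";` (placeholder). Because the attribute name is built from `config.networking.hostName`, every host importing this module now needs a matching `ssh_keys/<hostname>` entry in secrets.yaml, and a missing entry is reported only at activation if validation is disabled as it is in the bootstrap copy; a short comment above the block stating that requirement would help when the next host is added. The enclosing `sops.secrets` attribute set starts before this hunk.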
@@ -92,42 +92,6 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" # Copy deploy_key to target for personal repo authorisation scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519" -echo -e " -Complete! - -Now add the new target host age key to .sops.yaml. This is needed to enable the -new host to decrypt the secrets.yaml file from the ssh key we generated -previously. - -Enter the details as following: -keys: -- &hosts: - - &$hostname $HOST_AGE_KEY - -creation_rules: - - path_regex: secrets.yaml$ - key_groups: - - age: - - *$hostname - -Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run: - - 'sops --config .sops.yaml updatekeys secrets.yaml' - -or with just: - - 'just update-sops-secrets' - -Then commit and push these changes to remote so they can be accessed on the new -host. -" - -while true; -do - read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm - [ "$confirm" = "yes" ] && break -done - ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'" echo -e "###\nSuccessfully installed Nixos on the target host!\n###"