add host private key with sops

This commit is contained in:
Sam 2024-05-23 13:19:21 +01:00
parent 8a1eba393a
commit 547504e3c4
4 changed files with 41 additions and 41 deletions


@ -58,11 +58,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716456952, "lastModified": 1716466093,
"narHash": "sha256-fd57j4M++Fte1hrRZkDIqGbYbimqPNmERlFr/Fbh1Ek=", "narHash": "sha256-B0mG+hGm8GORE7Ect7VVLM6u9yQ5678VpId9AsspMeA=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "f5abdf254dbee888be5f65c96a4a571f2a91da91", "rev": "df65c3c791df7ad2e46a6917d3a75121138895de",
"revCount": 28, "revCount": 29,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -1,6 +1,8 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
let let
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in in
{ {
imports = imports =
@ -10,10 +12,10 @@ in
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; }) (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
../common/optional/btrfs-impermanence.nix ../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.sops-nix.nixosModules.sops
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
../common/core
]; ];
nixpkgs = { nixpkgs = {
@ -40,6 +42,15 @@ in
]; ];
}; };
i18n.defaultLocale = "en_GB.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "uk";
useXkbConfig = false;
};
boot = { boot = {
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
@ -64,6 +75,21 @@ in
enableIPv6 = false; enableIPv6 = false;
}; };
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
secrets = {
"passwords/root".neededForUsers = true;
"ssh_keys/deploy_key/id_ed25519" = {
path = "/etc/ssh/deploy_key-ssh-ed25519";
};
};
};
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = [22]; ports = [22];
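Review bot: The `sops = {` block added in the last hunk repeats, almost line for line, what the third file in this commit already carries (the same `secretsDirectory`/`secretsFile` bindings in `let`, the same `defaultSopsFile`, the same deploy_key secret at `/etc/ssh/deploy_key-ssh-ed25519`), so the two host configs will drift the first time one is edited; a small shared module under `../common/` imported by both would hold it once. Within the block, `defaultSopsFile = "${secretsFile}";` re-quotes a value that is already a string and reads better as `defaultSopsFile = secretsFile;`. The decryption key is taken from `/etc/ssh/ssh_host_ed25519_key` on a host that imports `btrfs-impermanence.nix`; if `/etc/ssh` is not in the persisted paths (not visible from this hunk), the key is regenerated on reboot and every secret encrypted to the old key stops decrypting, which deserves a comment on `sshKeyPaths` such as `# decryption key for all secrets below; must survive reboots (persisted)`. `validateSopsFiles = false;` also turns off the build-time check that the secrets file exists and parses; since `secretsFile` points into a flake input, i.e. a store path, the default validation should work and would surface a broken secrets.yaml at build time rather than at activation. The enclosing attribute set opens and closes outside the hunk.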


@ -3,6 +3,7 @@
let let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
hostname = config.networking.hostName;
in in
{ {
imports = [ imports = [
@ -21,6 +22,15 @@ in
"ssh_keys/deploy_key/id_ed25519" = { "ssh_keys/deploy_key/id_ed25519" = {
path = "/etc/ssh/deploy_key-ssh-ed25519"; path = "/etc/ssh/deploy_key-ssh-ed25519";
}; };
"ssh_keys/deploy_key/id_ed25519.pub" = {
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
};
"ssh_keys/${hostname}/id_ed25519" = {
path = "/etc/ssh/deploy_key-ssh-ed25519";
};
"ssh_keys/${hostname}/id_ed25519.pub" = {
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
};
}; };
}; };
} }
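Review bot: The two new `ssh_keys/${hostname}/…` secrets reuse the destinations already taken by the deploy key just above them — both `id_ed25519` entries set `path = "/etc/ssh/deploy_key-ssh-ed25519"` and both `.pub` entries set `path = "/etc/ssh/deploy_key-ssh-ed25519.pub"` — so two decrypted secrets are written to one file and whichever is placed last silently wins, leaving the host with either its own key or the deploy key at that path but never both. This looks like a copy-paste of the deploy-key block; the per-host entries need their own destination, e.g. `path = "/etc/ssh/<HOST_KEY_PATH>";` (placeholder, the intended location is not visible here). If that intended location is `/etc/ssh/ssh_host_ed25519_key`, which the other host config in this commit uses as the age decryption key, then the key must already be on the machine before sops can decrypt anything and the secret can only refresh it, so a one-line comment saying which of the two it is would spare the next reader the guess. The enclosing attribute set starts before the first hunk.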


@ -92,42 +92,6 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Copy deploy_key to target for personal repo authorisation # Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519" scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
echo -e "
Complete!
Now add the new target host age key to .sops.yaml. This is needed to enable the
new host to decrypt the secrets.yaml file from the ssh key we generated
previously.
Enter the details as following:
keys:
- &hosts:
- &$hostname $HOST_AGE_KEY
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *$hostname
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
'sops --config .sops.yaml updatekeys secrets.yaml'
or with just:
'just update-sops-secrets'
Then commit and push these changes to remote so they can be accessed on the new
host.
"
while true;
do
read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm
[ "$confirm" = "yes" ] && break
done
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'" ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
echo -e "###\nSuccessfully installed Nixos on the target host!\n###" echo -e "###\nSuccessfully installed Nixos on the target host!\n###"