add host private key with sops
parent
8a1eba393a
commit
547504e3c4
|
@ -58,11 +58,11 @@
|
||||||
"nix-secrets": {
|
"nix-secrets": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716456952,
|
"lastModified": 1716466093,
|
||||||
"narHash": "sha256-fd57j4M++Fte1hrRZkDIqGbYbimqPNmERlFr/Fbh1Ek=",
|
"narHash": "sha256-B0mG+hGm8GORE7Ect7VVLM6u9yQ5678VpId9AsspMeA=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "f5abdf254dbee888be5f65c96a4a571f2a91da91",
|
"rev": "df65c3c791df7ad2e46a6917d3a75121138895de",
|
||||||
"revCount": 28,
|
"revCount": 29,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
{ inputs, config, lib, pkgs, outputs,... }:
|
{ inputs, config, lib, pkgs, outputs,... }:
|
||||||
let
|
let
|
||||||
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
|
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
|
||||||
|
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||||
|
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
|
@ -10,10 +12,10 @@ in
|
||||||
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||||
../common/optional/btrfs-impermanence.nix
|
../common/optional/btrfs-impermanence.nix
|
||||||
inputs.impermanence.nixosModules.impermanence
|
inputs.impermanence.nixosModules.impermanence
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
|
||||||
# Import core options
|
# Import core options
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../common/core
|
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs = {
|
nixpkgs = {
|
||||||
|
@ -40,6 +42,15 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
i18n.defaultLocale = "en_GB.UTF-8";
|
||||||
|
console = {
|
||||||
|
font = "Lat2-Terminus16";
|
||||||
|
keyMap = "uk";
|
||||||
|
useXkbConfig = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
systemd-boot.enable = true;
|
systemd-boot.enable = true;
|
||||||
|
@ -64,6 +75,21 @@ in
|
||||||
enableIPv6 = false;
|
enableIPv6 = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops = {
|
||||||
|
defaultSopsFile = "${secretsFile}";
|
||||||
|
validateSopsFiles = false;
|
||||||
|
|
||||||
|
age = {
|
||||||
|
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
};
|
||||||
|
secrets = {
|
||||||
|
"passwords/root".neededForUsers = true;
|
||||||
|
"ssh_keys/deploy_key/id_ed25519" = {
|
||||||
|
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ports = [22];
|
ports = [22];
|
||||||
|
|
|
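Review bot: In the `@ -10,10 +12,10 @@` hunk, `../common/core` is dropped from `imports` while the `# Import core options` comment above it stays, and the commit message mentions only the sops host key; if the removal is intended the comment should be reworded (it now describes only `./hardware-configuration.nix`), and if not the line should be restored, since whatever `../common/core` configured silently stops applying to this host. In the `@ -64,6 +75,21 @@` hunk, `validateSopsFiles = false;` switches off sops-nix's evaluation-time validation of the secrets file; a one-line why-comment such as `# nix-secrets is a flake = false input referenced by string path, so the file cannot be validated at eval time — confirm` (adjusted to the real reason) keeps the next reader from re-enabling it blindly. `defaultSopsFile = "${secretsFile}";` can simply be `defaultSopsFile = secretsFile;`, the interpolation adds nothing. The `sops` attribute set is fully visible here, but the enclosing module body starts and ends outside these hunks.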
@ -3,6 +3,7 @@
|
||||||
let
|
let
|
||||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||||
|
hostname = config.networking.hostName;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -21,6 +22,15 @@ in
|
||||||
"ssh_keys/deploy_key/id_ed25519" = {
|
"ssh_keys/deploy_key/id_ed25519" = {
|
||||||
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||||
};
|
};
|
||||||
|
"ssh_keys/deploy_key/id_ed25519.pub" = {
|
||||||
|
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
|
||||||
|
};
|
||||||
|
"ssh_keys/${hostname}/id_ed25519" = {
|
||||||
|
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||||
|
};
|
||||||
|
"ssh_keys/${hostname}/id_ed25519.pub" = {
|
||||||
|
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
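Review bot: In the `@ -21,6 +22,15 @@` hunk, the new `"ssh_keys/${hostname}/id_ed25519"` secret is written to `path = "/etc/ssh/deploy_key-ssh-ed25519";`, the same path the existing `"ssh_keys/deploy_key/id_ed25519"` entry two lines above already uses (and the `.pub` pair collides the same way); two sops secrets targeting one file means one silently overwrites the other at activation, and nothing in this config decides which. Given the commit title, the per-host entries presumably need their own destination, e.g. `path = "/etc/ssh/${hostname}-ssh-ed25519";` (example name, pick the one the host key is meant to have), so the deploy key is not clobbered. If the intent is for this secret to become the host's real `ssh_host_ed25519_key`, and this host also decrypts via `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` as the other host config in this commit does, then the key must already exist before sops can write it; a comment stating the expected bootstrap order would prevent a confusing first activation. The enclosing `secrets` set starts above this hunk.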
@ -92,42 +92,6 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
||||||
# Copy deploy_key to target for personal repo authorisation
|
# Copy deploy_key to target for personal repo authorisation
|
||||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
|
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
|
||||||
|
|
||||||
echo -e "
|
|
||||||
Complete!
|
|
||||||
|
|
||||||
Now add the new target host age key to .sops.yaml. This is needed to enable the
|
|
||||||
new host to decrypt the secrets.yaml file from the ssh key we generated
|
|
||||||
previously.
|
|
||||||
|
|
||||||
Enter the details as following:
|
|
||||||
keys:
|
|
||||||
- &hosts:
|
|
||||||
- &$hostname $HOST_AGE_KEY
|
|
||||||
|
|
||||||
creation_rules:
|
|
||||||
- path_regex: secrets.yaml$
|
|
||||||
key_groups:
|
|
||||||
- age:
|
|
||||||
- *$hostname
|
|
||||||
|
|
||||||
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
|
|
||||||
|
|
||||||
'sops --config .sops.yaml updatekeys secrets.yaml'
|
|
||||||
|
|
||||||
or with just:
|
|
||||||
|
|
||||||
'just update-sops-secrets'
|
|
||||||
|
|
||||||
Then commit and push these changes to remote so they can be accessed on the new
|
|
||||||
host.
|
|
||||||
"
|
|
||||||
|
|
||||||
while true;
|
|
||||||
do
|
|
||||||
read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm
|
|
||||||
[ "$confirm" = "yes" ] && break
|
|
||||||
done
|
|
||||||
|
|
||||||
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
|
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
|
||||||
|
|
||||||
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
||||||
|
|