auto: bootstrapping bootstrap-nixos

This commit is contained in:
Sam 2024-05-22 21:10:41 +01:00
parent 871d4f7256
commit 806c8364d7
3 changed files with 83 additions and 93 deletions


@ -1,30 +1,45 @@
{ lib, pkgs, modulesPath, inputs, ... }: { inputs, config, lib, pkgs, outputs,... }:
{ {
imports = [ imports =
[
# Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
../common/disks/std-disk-config.nix (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
../common/core ../common/core
# Import optional options
# ../common/optional/openssh
# Create users for this host # Import optional options
../common/users/admin ../common/optional/openssh.nix
]; ];
# #virtualisation.virtualbox.guest.enable = true; nixpkgs = {
# virtualisation.libvirtd = { overlays = [
# qemu = { outputs.overlays.additions
# package = pkgs.qemu_kvm; # only emulates host arch, smaller download outputs.overlays.modifications
# swtpm.enable = true; # allows for creating emulated TPM outputs.overlays.unstable-packages
# ovmf.packages = [(pkgs.OVMF.override { ];
# secureBoot = true; config = {
# tpmSupport = true; allowUnfree = true;
# }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff };
# }; };
# };
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/etc/nixos"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/deploy_key-ssh-ed25519"
];
};
boot = { boot = {
loader = { loader = {
@ -34,11 +49,13 @@
}; };
}; };
i18n.defaultLocale = "en_GB.UTF-8"; users = {
console = { mutableUsers = true;
font = "Lat2-Terminus16"; extraUsers = {
keyMap = "uk"; root = {
useXkbConfig = false; initialPassword = "1234";
};
};
}; };
networking = { networking = {
@ -47,38 +64,39 @@
enableIPv6 = false; enableIPv6 = false;
}; };
services = { services.openssh = {
qemuGuest.enable = true;
openssh = {
enable = true; enable = true;
ports = [22]; # FIXME: Make this use configVars.networking ports = 22;
settings.PermitRootLogin = "yes";
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
# this mitigates the security issue caused by enabling u2fAuth in pam
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
hostKeys = [{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "yes";
PubKeyAuthentication = "yes";
StreamLocalBindUnlink = "yes";
UsePAM = true;
}; };
}; };
programs.ssh.extraConfig = ''
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
''
security.pam = { security.pam = {
sshAgentAuth.enable = true; sshAgentAuth.enable = true;
#FIXME the above is deprecated in 24.05 but we will wait until release };
#sshAgentAuth.enable = true;
networking.firewall.allowedTCPPorts = [ sshPort ];
services = { services = {
sudo.u2fAuth = true; qemuGuest.enable = true;
}; };
};
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
# programs.ssh.startAgent = true;
environment.systemPackages = builtins.attrValues {
inherit(pkgs)
wget
curl
git
rsync;
};
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
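Review bot: `ports = 22;` in the new `services.openssh` block of the third hunk will not pass NixOS option type-checking, since `services.openssh.ports` is a list of ports; keep the list form the old side had, `ports = [ 22 ];`. The `programs.ssh.extraConfig = ''…''` binding that follows also appears to end at `''` with no terminating `;` before `security.pam = {`, which is a parse error unless the render dropped it. Inside that extraConfig, `StrictHostKeyChecking no` for git.bitlab21.com disables host-key verification for exactly the host the deploy key authenticates to; pinning the server key with `programs.ssh.knownHosts` (or at least `StrictHostKeyChecking accept-new`) keeps the bootstrap non-interactive without that exposure. The root account is additionally given `initialPassword = "1234"` with `mutableUsers = true` in the second hunk; sshd has `PasswordAuthentication = false`, but this still permits console login with a known password, so a comment such as `# bootstrap-only; replaced by hashedPasswordFile once sops is available` would make the intended lifetime explicit.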


@ -1,4 +1,7 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
let
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
in
{ {
imports = imports =
[ [
@ -59,6 +62,15 @@
}; };
}; };
users = {
mutableUsers = true;
extraUsers = {
root = {
hashedPasswordFile = sopsHashedPasswordFile;
};
};
};
boot = { boot = {
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
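Review bot: The new `sopsHashedPasswordFile` let-binding in the first hunk falls back to `""` via `lib.optionalString` when `sops-nix` is not among the inputs, and that empty string is then assigned to `hashedPasswordFile` in the second hunk; the option accepts `null` for "unset", whereas `""` is a path the activation script will try to read. Using `sopsHashedPasswordFile = if lib.hasAttr "sops-nix" inputs then config.sops.secrets."passwords/root".path else null;` keeps the conditional and leaves root's password configuration untouched when sops is absent. A short comment above the binding saying that the root password is sourced from the sops secret `passwords/root` and is only wired in when the sops-nix input is present would also help the next reader, since the same host otherwise has `mutableUsers = true`.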


@ -18,31 +18,17 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
#read -p "Enter username: " username #read -p "Enter username: " username
#read -p "Enter ip address: " ip #read -p "Enter ip address: " ip
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config #read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
hostname="sparky" hostname="bootstrap-nixos"
username="media"
ip="192.168.122.192" ip="192.168.122.192"
config="sparky" config="bootstrap"
echo "
Details entered:
Hostname: $hostname
Username: $username
IP address: $ip
System to build: $config
"
read -p "Is this correct? (yes|no): " check_details
[ "$check_details" != "yes" ] && echo "Try again. Exiting" && exit 0
# Generate key name and dir # Generate key name and dir
HOST_KEY_DIR="$HOME/keys/hosts/$hostname" HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
USER_KEY_DIR="$HOME/keys/users/$username" mkdir -p "$HOST_KEY_DIR"
mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR"
# Create ssh keys if not exists # Create ssh keys if not exists
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname" bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
echo "Creating '$username' ssh keys"
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "user" --username "$username" --hostname "$hostname"
# Delete key in known hosts if exists # Delete key in known hosts if exists
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
@ -54,11 +40,8 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key" nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
nix-shell -p ssh-to-age --run "cat $USER_KEY_DIR/id_ed25519.pub | ssh-to-age > $USER_KEY_DIR/age_user_key"
HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key") HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
USER_AGE_KEY=$(cat "$USER_KEY_DIR/age_user_key")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
echo -e "User age key:\n$USER_AGE_KEY\n"
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later." echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
# Create temp directory for ssh keys to be copied to host: # Create temp directory for ssh keys to be copied to host:
@ -105,30 +88,12 @@ do
done done
echo "$ip is now online and port 22 is open!" echo "$ip is now online and port 22 is open!"
## Copy host ssh keys to target
#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
#
# Authorise source public key # Authorise source public key
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Copy user ssh keys to target
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519" "$username@$ip:~/.ssh/id_ed25519"
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519.pub" "$username@$ip:~/.ssh/id_ed25519.pub"
# Copy deploy_key to target for personal repo authorisation # Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519" scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
echo "Configuring target host ssh connection to enable connection to gitea repos:"
read -r -d '' config << EOM
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/deploy_key-ssh-ed25519
EOM
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
echo -e " echo -e "
Complete! Complete!
@ -139,8 +104,6 @@ previously.
Enter the details as following: Enter the details as following:
keys: keys:
- &users:
- &$username $USER_AGE_KEY
- &hosts: - &hosts:
- &$hostname $HOST_AGE_KEY - &$hostname $HOST_AGE_KEY
@ -148,7 +111,6 @@ creation_rules:
- path_regex: secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:
- age: - age:
- *$username
- *$hostname - *$hostname
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run: Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
@ -169,10 +131,8 @@ do
[ "$confirm" = "yes" ] && break [ "$confirm" = "yes" ] && break
done done
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git ~/keep/nixos/'" ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
#ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git ~/keep/'"
echo -e "###\nSuccessfully installed Nixos on the target host!\n###" echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
#echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
exit 0 exit 0
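Review bot: The private deploy key is now sent to `root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519` by the scp in the third hunk, but nothing in the script creates `/persist/etc/ssh` on the target and scp does not create parent directories, so the copy fails on a host where sshd has not yet materialised that path; an `ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" 'install -d -m 0700 /persist/etc/ssh'` immediately before it removes that ordering dependency. Because scp reproduces the source file's mode, a `chmod 600` on the remote path afterwards guarantees the key is not readable beyond root even if the local copy's mode was loosened. The old step that wrote `~/.ssh/config` for git.bitlab21.com was dropped, so the later `git clone … /persist/etc/nixos/` as root only works if the target is already running a configuration that supplies that host entry (the bootstrap host config in this commit does, through `programs.ssh.extraConfig`); a one-line comment above the clone naming that dependency would save the next person a failed run. Removing the "Is this correct?" confirmation while `hostname`, `ip` and `config` are hard-coded means `sed -i "/$ip/d" ~/.ssh/known_hosts` and the root `ssh-copy-id` now execute against 192.168.122.192 with no prompt; echoing those three values once before the known_hosts edit restores that sanity check.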