auto: bootstrapping bootstrap-nixos
parent
871d4f7256
commit
806c8364d7
|
@ -1,30 +1,45 @@
|
||||||
{ lib, pkgs, modulesPath, inputs, ... }:
|
{ inputs, config, lib, pkgs, outputs,... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports =
|
||||||
|
[
|
||||||
|
# Disk configuration
|
||||||
inputs.disko.nixosModules.disko
|
inputs.disko.nixosModules.disko
|
||||||
../common/disks/std-disk-config.nix
|
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||||
|
../common/optional/btrfs-impermanence.nix
|
||||||
|
inputs.impermanence.nixosModules.impermanence
|
||||||
|
|
||||||
# Import core options
|
# Import core options
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../common/core
|
../common/core
|
||||||
|
|
||||||
# Import optional options
|
# Import optional options
|
||||||
# ../common/optional/openssh
|
../common/optional/openssh.nix
|
||||||
|
|
||||||
# Create users for this host
|
];
|
||||||
../common/users/admin
|
|
||||||
];
|
|
||||||
|
|
||||||
# #virtualisation.virtualbox.guest.enable = true;
|
nixpkgs = {
|
||||||
# virtualisation.libvirtd = {
|
overlays = [
|
||||||
# qemu = {
|
outputs.overlays.additions
|
||||||
# package = pkgs.qemu_kvm; # only emulates host arch, smaller download
|
outputs.overlays.modifications
|
||||||
# swtpm.enable = true; # allows for creating emulated TPM
|
outputs.overlays.unstable-packages
|
||||||
# ovmf.packages = [(pkgs.OVMF.override {
|
];
|
||||||
# secureBoot = true;
|
config = {
|
||||||
# tpmSupport = true;
|
allowUnfree = true;
|
||||||
# }).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff
|
};
|
||||||
# };
|
};
|
||||||
# };
|
|
||||||
|
fileSystems."/persist".neededForBoot = true;
|
||||||
|
environment.persistence."/persist" = {
|
||||||
|
hideMounts = true;
|
||||||
|
directories = [
|
||||||
|
"/etc/nixos"
|
||||||
|
];
|
||||||
|
files = [
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key"
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||||
|
"/etc/ssh/deploy_key-ssh-ed25519"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
|
@ -34,11 +49,13 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
i18n.defaultLocale = "en_GB.UTF-8";
|
users = {
|
||||||
console = {
|
mutableUsers = true;
|
||||||
font = "Lat2-Terminus16";
|
extraUsers = {
|
||||||
keyMap = "uk";
|
root = {
|
||||||
useXkbConfig = false;
|
initialPassword = "1234";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -47,39 +64,40 @@
|
||||||
enableIPv6 = false;
|
enableIPv6 = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services.openssh = {
|
||||||
qemuGuest.enable = true;
|
enable = true;
|
||||||
openssh = {
|
ports = 22;
|
||||||
enable = true;
|
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||||
ports = [22]; # FIXME: Make this use configVars.networking
|
hostKeys = [{
|
||||||
settings.PermitRootLogin = "yes";
|
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
||||||
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
|
type = "ed25519";
|
||||||
# this mitigates the security issue caused by enabling u2fAuth in pam
|
}];
|
||||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
settings = {
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
PermitRootLogin = "yes";
|
||||||
|
PubKeyAuthentication = "yes";
|
||||||
|
StreamLocalBindUnlink = "yes";
|
||||||
|
UsePAM = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
programs.ssh.extraConfig = ''
|
||||||
|
Host git.bitlab21.com
|
||||||
|
IdentitiesOnly yes
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
|
||||||
|
''
|
||||||
|
|
||||||
security.pam = {
|
security.pam = {
|
||||||
sshAgentAuth.enable = true;
|
sshAgentAuth.enable = true;
|
||||||
#FIXME the above is deprecated in 24.05 but we will wait until release
|
|
||||||
#sshAgentAuth.enable = true;
|
|
||||||
services = {
|
|
||||||
sudo.u2fAuth = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||||
|
|
||||||
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
|
services = {
|
||||||
# programs.ssh.startAgent = true;
|
qemuGuest.enable = true;
|
||||||
|
|
||||||
environment.systemPackages = builtins.attrValues {
|
|
||||||
inherit(pkgs)
|
|
||||||
wget
|
|
||||||
curl
|
|
||||||
git
|
|
||||||
rsync;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = "23.11";
|
||||||
}
|
}
|
||||||
|
|
|
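Review bot: `StrictHostKeyChecking no` under `Host git.bitlab21.com` in `programs.ssh.extraConfig` disables host-key verification for the server this host clones its own NixOS configuration from, so an on-path attacker who answers for that name can serve a modified repo that is then built and activated as root. The host key is known at bootstrap time, so pin it instead: drop that line and add `programs.ssh.knownHosts."git.bitlab21.com".publicKey = "<ssh-ed25519 key of git.bitlab21.com>";`, which keeps the default `ask` behaviour for every other host. Two other new lines in this hunk look like they will not evaluate: `ports = 22;` replaces the old `ports = [22];` although `services.openssh.ports` is a list, and `networking.firewall.allowedTCPPorts = [ sshPort ];` references `sshPort`, which is not bound in this file's argument set and there is no `let` in view. Finally `root.initialPassword = "1234"` together with `mutableUsers = true` leaves a well-known console password on the box until someone runs `passwd`; password authentication is off in the `services.openssh.settings` block so it is console-only, but it deserves a `# bootstrap-only: replaced by hashedPasswordFile once sops is in place` comment or the `hashedPasswordFile` form used elsewhere in this commit.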
@ -1,4 +1,7 @@
|
||||||
{ inputs, config, lib, pkgs, outputs,... }:
|
{ inputs, config, lib, pkgs, outputs,... }:
|
||||||
|
let
|
||||||
|
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
|
@ -59,6 +62,15 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users = {
|
||||||
|
mutableUsers = true;
|
||||||
|
extraUsers = {
|
||||||
|
root = {
|
||||||
|
hashedPasswordFile = sopsHashedPasswordFile;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
systemd-boot.enable = true;
|
systemd-boot.enable = true;
|
||||||
|
|
|
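Review bot: `lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path` evaluates to the empty string, not `null`, when `sops-nix` is not an input, so `users.extraUsers.root.hashedPasswordFile` is then set to `""` instead of being left at its `null` default. Use a real conditional so the option is genuinely absent in that case: `sopsHashedPasswordFile = if lib.hasAttr "sops-nix" inputs then config.sops.secrets."passwords/root".path else null;`. It is also worth a comment on the `root` block noting that with `mutableUsers = true` a missing secret presumably does not lock root but leaves whatever password the account already carries — if the host was bootstrapped with the `initialPassword = "1234"` configuration from this same commit, that is what would survive, so the fallback should be treated as an error rather than a silent default.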
@ -18,31 +18,17 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
|
||||||
#read -p "Enter username: " username
|
#read -p "Enter username: " username
|
||||||
#read -p "Enter ip address: " ip
|
#read -p "Enter ip address: " ip
|
||||||
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
|
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
|
||||||
hostname="sparky"
|
hostname="bootstrap-nixos"
|
||||||
username="media"
|
|
||||||
ip="192.168.122.192"
|
ip="192.168.122.192"
|
||||||
config="sparky"
|
config="bootstrap"
|
||||||
|
|
||||||
echo "
|
|
||||||
Details entered:
|
|
||||||
Hostname: $hostname
|
|
||||||
Username: $username
|
|
||||||
IP address: $ip
|
|
||||||
System to build: $config
|
|
||||||
"
|
|
||||||
read -p "Is this correct? (yes|no): " check_details
|
|
||||||
[ "$check_details" != "yes" ] && echo "Try again. Exiting" && exit 0
|
|
||||||
|
|
||||||
# Generate key name and dir
|
# Generate key name and dir
|
||||||
HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
|
HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
|
||||||
USER_KEY_DIR="$HOME/keys/users/$username"
|
mkdir -p "$HOST_KEY_DIR"
|
||||||
mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR"
|
|
||||||
|
|
||||||
# Create ssh keys if not exists
|
# Create ssh keys if not exists
|
||||||
echo "Creating '$hostname' ssh keys"
|
echo "Creating '$hostname' ssh keys"
|
||||||
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
|
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
|
||||||
echo "Creating '$username' ssh keys"
|
|
||||||
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "user" --username "$username" --hostname "$hostname"
|
|
||||||
|
|
||||||
# Delete key in known hosts if exists
|
# Delete key in known hosts if exists
|
||||||
sed -i "/$ip/d" ~/.ssh/known_hosts
|
sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||||
|
@ -54,11 +40,8 @@ ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
||||||
# Generate age key from target host and user public ssh key
|
# Generate age key from target host and user public ssh key
|
||||||
echo "Generating age key from target host and user ssh key"
|
echo "Generating age key from target host and user ssh key"
|
||||||
nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
|
nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
|
||||||
nix-shell -p ssh-to-age --run "cat $USER_KEY_DIR/id_ed25519.pub | ssh-to-age > $USER_KEY_DIR/age_user_key"
|
|
||||||
HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
|
HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
|
||||||
USER_AGE_KEY=$(cat "$USER_KEY_DIR/age_user_key")
|
|
||||||
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
||||||
echo -e "User age key:\n$USER_AGE_KEY\n"
|
|
||||||
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
|
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
|
||||||
|
|
||||||
# Create temp directory for ssh keys to be copied to host:
|
# Create temp directory for ssh keys to be copied to host:
|
||||||
|
@ -105,30 +88,12 @@ do
|
||||||
done
|
done
|
||||||
echo "$ip is now online and port 22 is open!"
|
echo "$ip is now online and port 22 is open!"
|
||||||
|
|
||||||
## Copy host ssh keys to target
|
|
||||||
#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
|
|
||||||
#scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
|
|
||||||
#
|
|
||||||
# Authorise source public key
|
# Authorise source public key
|
||||||
echo "Copying pubkey to target host"
|
echo "Copying pubkey to target host"
|
||||||
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip"
|
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
||||||
|
|
||||||
# Copy user ssh keys to target
|
|
||||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519" "$username@$ip:~/.ssh/id_ed25519"
|
|
||||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519.pub" "$username@$ip:~/.ssh/id_ed25519.pub"
|
|
||||||
|
|
||||||
# Copy deploy_key to target for personal repo authorisation
|
# Copy deploy_key to target for personal repo authorisation
|
||||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
|
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
|
||||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
|
|
||||||
|
|
||||||
echo "Configuring target host ssh connection to enable connection to gitea repos:"
|
|
||||||
read -r -d '' config << EOM
|
|
||||||
Host git.bitlab21.com
|
|
||||||
IdentitiesOnly yes
|
|
||||||
StrictHostKeyChecking no
|
|
||||||
IdentityFile ~/.ssh/deploy_key-ssh-ed25519
|
|
||||||
EOM
|
|
||||||
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
|
|
||||||
|
|
||||||
echo -e "
|
echo -e "
|
||||||
Complete!
|
Complete!
|
||||||
|
@ -139,8 +104,6 @@ previously.
|
||||||
|
|
||||||
Enter the details as following:
|
Enter the details as following:
|
||||||
keys:
|
keys:
|
||||||
- &users:
|
|
||||||
- &$username $USER_AGE_KEY
|
|
||||||
- &hosts:
|
- &hosts:
|
||||||
- &$hostname $HOST_AGE_KEY
|
- &$hostname $HOST_AGE_KEY
|
||||||
|
|
||||||
|
@ -148,7 +111,6 @@ creation_rules:
|
||||||
- path_regex: secrets.yaml$
|
- path_regex: secrets.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *$username
|
|
||||||
- *$hostname
|
- *$hostname
|
||||||
|
|
||||||
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
|
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
|
||||||
|
@ -169,10 +131,8 @@ do
|
||||||
[ "$confirm" = "yes" ] && break
|
[ "$confirm" = "yes" ] && break
|
||||||
done
|
done
|
||||||
|
|
||||||
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git ~/keep/nixos/'"
|
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
|
||||||
#ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git ~/keep/'"
|
|
||||||
|
|
||||||
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
||||||
#echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
|
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
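Review bot: The key pushed to the target by `scp … "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"` is the operator's own private key, so every host bootstrapped with this script ends up holding the same long-lived credential for `git.bitlab21.com`, and revoking one compromised host means revoking all of them. Now that the per-user key generation has been removed, the natural replacement is a per-host deploy key generated alongside the host key (the `generate_ssh_keys.sh --type "host"` step already runs here, so extending it or adding a second call is cheap), copied in place of the shared one and registered as a read-only deploy key on the repo. Separately, the final `ssh … "root@$ip" "nix-shell -p git --run 'git clone … /persist/etc/nixos/'"` is never checked before the script prints `Successfully installed Nixos on the target host!`; unless the script starts with `set -e` (its header is outside this hunk), append `|| { echo "git clone on $ip failed"; exit 1; }` so a rejected deploy key or host-key failure is not reported as success.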