change bootstap to get age key from target host

2024-05-19 21:55:25 +01:00 · 2024-05-19 21:55:25 +01:00 · 82f5d9ebfe
parent 521bafe3f8
commit 82f5d9ebfe
7 changed files with 119 additions and 94 deletions
--- a/flake.lock
+++ b/flake.lock
@ -58,11 +58,11 @@
    "nix-secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1716039101,
+        "lastModified": 1716151250,
-        "narHash": "sha256-jaliFlqz3HKW+tsW3Onqtbw3w6mLTYJJZZQrrPmxZ8Q=",
+        "narHash": "sha256-EobYnFYGrF+gtUimpECPMOyYrBpPyuM6jx9SJZHHOAY=",
        "ref": "refs/heads/master",
-        "rev": "7cef1d6f77d212a887e6660f85b28f8b20181d9b",
+        "rev": "e46f3dde6dba9b31fd6dfb8c105f011c53519ff8",
-        "revCount": 13,
+        "revCount": 16,
        "type": "git",
        "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
      },
--- a/home/common/optional/sops.nix
+++ b/home/common/optional/sops.nix
@ -13,23 +13,10 @@ in
  sops = {
    age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
    age.sshKeyPaths = ["${homeDirectory}/.ssh/deploy_key-ssh-ed25519" "${homeDirectory}/.ssh/ssh_host_ed25519_key"];
    defaultSopsFile = "${secretsFile}";
    validateSopsFiles = false;
    secrets = {
      "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
        path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
      };
      "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
        path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
      };
      "ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
        path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519";
      };
      "ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
        path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519.pub";
      };
    };
  };
 }
--- a/home/users/media/default.nix
+++ b/home/users/media/default.nix
@ -9,10 +9,17 @@
    inputs.impermanence.nixosModules.home-manager.impermanence
  ] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
-  xdg.userDirs = {
+ xdg.userDirs = {
-     enable = true;
+    enable = true;
-     createDirectories = true;
+    createDirectories = false;
-     desktop = "${config.home.homeDirectory}/Desktop";
+    desktop = "/home/media/Desktop";
    documents = null;
    download = null;
    music = null;
    pictures = null;
    publicShare = null;
    templates = null;
    videos = null;
  };
  home.packages = [
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
@ -2,7 +2,6 @@
 let
  secretsDirectory = builtins.toString inputs.nix-secrets;
  secretsFile = "${secretsDirectory}/secrets.yaml";
  homeDirectory = "/home/${configVars.username}";
 in
 {
  imports = [
@ -10,13 +9,18 @@ in
  ];
  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = "${secretsFile}";
    validateSopsFiles = false;
-    age = {
+    secrets = {
-      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      "ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
-      keyFile = "/var/lib/sops-nix/key.txt";
+        path = "/etc/ssh/deploy_key-ssh-ed25519";
-      generateKey = true;
+      };
      "ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
        path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
      };
    };
  };
 }
--- a/hosts/common/optional/openssh/default.nix
+++ b/hosts/common/optional/openssh/default.nix
@ -17,6 +17,11 @@ in
    };
  };
-
+  programs.ssh.extraConfig = ''
    Host git.bitlab21.com
        IdentitiesOnly yes
        StrictHostKeyChecking no
        IdentityFile /etc/ssh/deploy_key-ssh-ed25519
  '';
  networking.firewall.allowedTCPPorts = [ sshPort ];
 }
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@ -29,12 +29,6 @@
      };
    };
 environment.etc = {
  "xdg/user-dirs.defaults".text = ''
    DESKTOP=/home/media/Desktop
  '';
 };
  fileSystems."/persist".neededForBoot = true;
  environment.persistence."/persist" = {
    hideMounts = true;
@ -50,6 +44,12 @@ environment.etc = {
          "sync"
          "keep"
          ".ssh"
          ".config/dconf"
          ".config/cinnamon"
          ".config/nemo"
        ];
        files = [
          ".config/user-dirs.dirs"
        ];
    };
  };
@ -80,14 +80,14 @@ environment.etc = {
  services.libinput.enable = true;
  services.displayManager.defaultSession = "cinnamon";
-	services.xserver = {
+#	services.xserver = {
-		enable = true;
+#		enable = true;
-		displayManager.lightdm.enable = true;
+#		displayManager.lightdm.enable = true;
-		desktopManager = {
+#		desktopManager = {
-			cinnamon.enable = true;
+#			cinnamon.enable = true;
-		};
+#		};
-	};
+#	};
-
+#
  security.pam = {
    sshAgentAuth.enable = true;
    services = {
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -12,85 +12,108 @@ for the root user.
 read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0
-cd ~
+# Target host details
-read -p "Enter hostname: " hostname
+#cd ~
-read -p "Enter username: " username
+#read -p "Enter hostname: " hostname
-read -p "Enter ip address: " ip
+#read -p "Enter username: " username
-read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
+#read -p "Enter ip address: " ip
-
+#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
 hostname="sparky"
 ip="192.168.122.193"
 username="media"
 config=$hostname
 ## Generate key name and dir
 KEY_DIR="$HOME/keys/$hostname/"
 mkdir -p $KEY_DIR
 KEY_NAME="root@$hostname-ssh-ed25519"
-echo "Creating ssh keys for new host."
+# Delete key in known hosts if exists
 KEY_NAME="$username@$hostname-ssh-ed25519"
 KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
 confirm_delete=""
-
+KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
 [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
 [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts 
-echo "Copying deploy_key pubkey to target host"
+## Generate new keys for target host if none exists
-ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
+#echo "Creating ssh keys for new host."
 #overwrite=""
 #[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
 #[  -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
-overwrite=""
+# Authorise source public key
-[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
+echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip"
-[  -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
+## Copy deploy_key to target root for personal repo authorisation
 #scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
 #scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
-echo "Copying ssh key to target host:"
+## Generate age key from target host public ssh key
-scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
+#echo "Generating age key from target host ssh key"
-[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
+#nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
 #[ $? != 0 ] && echo "Error generating age key" && exit 1
 #AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
 #echo -e "Age key:\n$AGE_KEY\n"
 #echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
-echo "Generating age key from ssh key"
+# Install Nixos to target
 nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
 [ $? != 0 ] && echo "Error generating age key" && exit 1
 AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
 echo -e "Age key:\n$AGE_KEY\n"
 echo "This needs to be inserted into .sops.yaml file."
 # Install Nixos bootstrap
 cd "$HOME/nixos"
-SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$KEY_DIR/ssh_ed25519_key_$hostname"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/ssh_host_ed25519_key"
 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
 ## Delete keys from local known_hosts
 echo "Deleting host from known_hosts"
 sed -i "/$ip/d" ~/.ssh/known_hosts
 # Check host OS has booted (and not booted back into live cd)
 while true;
 do
-  read -p "Confirm live CD has been removed... (yes|no)" confirm
+  read -p "Confirm live CD has been removed... (yes|no): " confirm
  [ "$confirm" = "yes" ] && break
 done
 echo "Waiting for $ip to come back online and port 22 to be open..."
 while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
 do
    echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
    sleep 5
 done
 echo "$ip is now online and port 22 is open!"
-echo "Configuring ssh keys on target host to enable connection to gitea:"
+# Authorise source public key
-ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
+echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip"
 ## Copy deploy_key to target root for personal repo authorisation
 #scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519"
 #scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519.pub"
 #
 # Copy deploy_key to target user home for personal repo authorisation
 scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
 scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
 echo "Configuring target host ssh connection to enable connection to gitea repos:"
 read -r -d '' config << EOM
 Host git.bitlab21.com
    IdentitiesOnly yes
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/deploy_key-ssh-ed25519
 EOM
 # Append the string to file on target machine
 echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
 # Generate age key from target host public ssh key
 echo "Generating age key from target host ssh key"
 TARGET_PUBKEY=$(ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "cat /etc/ssh/ssh_host_ed25519_key.pub")
 nix-shell -p ssh-to-age --run "echo $TARGET_PUBKEY | ssh-to-age > $KEY_DIR/age_key_$hostname"
 echo "$TARGET_PUBKEY" > "$KEY_DIR/$KEY_NAME.pub"
 AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
 echo -e "
 Complete!
-Now add the age key to .sops.yaml, like this:
+Now add the new target host age key to .sops.yaml. This is needed to enable the
 new host to decrypt the secrets.yaml file from the ssh key we generated
 previously.
 Enter the details as following:
 keys:
 - &hosts:
    - &$hostname $AGE_KEY
@ -101,13 +124,16 @@ creation_rules:
      - age:
        - *$hostname
-Then to update the keys for the secrets.yaml file, run:
+Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
-'sops --config .sops.yaml updatekeys secrets.yaml'
+
-or with nix-shell:
+  'sops --config .sops.yaml updatekeys secrets.yaml' 
-'nix-shell -p sops --run 'sops --config .sops.yaml updatekeys secrets.yaml''
+
-then run 'nix flake lock --update-input nix-secrets $HOME/nixos'
+or with just:
-Finally, commit and push these changes to remote so they can be accessed on
+
-the new host.
+  'just update-sops-secrets'
 Then commit and push these changes to remote so they can be accessed on the new
 host.
 "
 while true;
@ -116,12 +142,8 @@ do
  [ "$confirm" = "yes" ] && break
 done
-echo "Copying gitea private ssh key to host"
+ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
-echo "New password is 'nixos'"
+ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
 rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
 ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
 ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
 echo "Successfully installed Nixos on the target host!"
 echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"