change bootstap to get age key from target host

2024-05-19 21:55:25 +01:00 · 2024-05-19 21:55:25 +01:00 · 82f5d9ebfe
parent 521bafe3f8
commit 82f5d9ebfe
7 changed files with 119 additions and 94 deletions
--- a/flake.lock
+++ b/flake.lock
@ -58,11 +58,11 @@
    "nix-secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1716039101,
-        "narHash": "sha256-jaliFlqz3HKW+tsW3Onqtbw3w6mLTYJJZZQrrPmxZ8Q=",
+        "lastModified": 1716151250,
+        "narHash": "sha256-EobYnFYGrF+gtUimpECPMOyYrBpPyuM6jx9SJZHHOAY=",
        "ref": "refs/heads/master",
-        "rev": "7cef1d6f77d212a887e6660f85b28f8b20181d9b",
-        "revCount": 13,
+        "rev": "e46f3dde6dba9b31fd6dfb8c105f011c53519ff8",
+        "revCount": 16,
        "type": "git",
        "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
      },
--- a/home/common/optional/sops.nix
+++ b/home/common/optional/sops.nix
@ -13,23 +13,10 @@ in

  sops = {
    age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
+    age.sshKeyPaths = ["${homeDirectory}/.ssh/deploy_key-ssh-ed25519" "${homeDirectory}/.ssh/ssh_host_ed25519_key"];

    defaultSopsFile = "${secretsFile}";
    validateSopsFiles = false;

-    secrets = {
-      "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
-        path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
-      };
-      "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
-        path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
-      };
-      "ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
-        path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519";
-      };
-      "ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
-        path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519.pub";
-      };
-    };
  };
 }
--- a/home/users/media/default.nix
+++ b/home/users/media/default.nix
@ -11,8 +11,15 @@

 xdg.userDirs = {
    enable = true;
-     createDirectories = true;
-     desktop = "${config.home.homeDirectory}/Desktop";
+    createDirectories = false;
+    desktop = "/home/media/Desktop";
+    documents = null;
+    download = null;
+    music = null;
+    pictures = null;
+    publicShare = null;
+    templates = null;
+    videos = null;
  };

  home.packages = [
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
@ -2,7 +2,6 @@
 let
  secretsDirectory = builtins.toString inputs.nix-secrets;
  secretsFile = "${secretsDirectory}/secrets.yaml";
-  homeDirectory = "/home/${configVars.username}";
 in
 {
  imports = [
@ -10,13 +9,18 @@ in
  ];

  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
    defaultSopsFile = "${secretsFile}";
    validateSopsFiles = false;

-    age = {
-      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-      keyFile = "/var/lib/sops-nix/key.txt";
-      generateKey = true;
+    secrets = {
+      "ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
+        path = "/etc/ssh/deploy_key-ssh-ed25519";
+      };
+      "ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
+        path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
+      };
    };
  };
 }
--- a/hosts/common/optional/openssh/default.nix
+++ b/hosts/common/optional/openssh/default.nix
@ -17,6 +17,11 @@ in
    };

  };
-
+  programs.ssh.extraConfig = ''
+    Host git.bitlab21.com
+        IdentitiesOnly yes
+        StrictHostKeyChecking no
+        IdentityFile /etc/ssh/deploy_key-ssh-ed25519
+  '';
  networking.firewall.allowedTCPPorts = [ sshPort ];
 }
--- a/hosts/sparky/default.nix
+++ b/hosts/sparky/default.nix
@ -29,12 +29,6 @@
      };
    };

-environment.etc = {
-  "xdg/user-dirs.defaults".text = ''
-    DESKTOP=/home/media/Desktop
-  '';
-};
-  
  fileSystems."/persist".neededForBoot = true;
  environment.persistence."/persist" = {
    hideMounts = true;
@ -50,6 +44,12 @@ environment.etc = {
          "sync"
          "keep"
          ".ssh"
+          ".config/dconf"
+          ".config/cinnamon"
+          ".config/nemo"
+        ];
+        files = [
+          ".config/user-dirs.dirs"
        ];
    };
  };
@ -80,14 +80,14 @@ environment.etc = {
  services.libinput.enable = true;
  services.displayManager.defaultSession = "cinnamon";

-	services.xserver = {
-		enable = true;
-		displayManager.lightdm.enable = true;
-		desktopManager = {
-			cinnamon.enable = true;
-		};
-	};
-
+#	services.xserver = {
+#		enable = true;
+#		displayManager.lightdm.enable = true;
+#		desktopManager = {
+#			cinnamon.enable = true;
+#		};
+#	};
+#
  security.pam = {
    sshAgentAuth.enable = true;
    services = {
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -12,85 +12,108 @@ for the root user.
 read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0

-cd ~
-read -p "Enter hostname: " hostname
-read -p "Enter username: " username
-read -p "Enter ip address: " ip
-read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
-
+# Target host details
+#cd ~
+#read -p "Enter hostname: " hostname
+#read -p "Enter username: " username
+#read -p "Enter ip address: " ip
+#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
+hostname="sparky"
+ip="192.168.122.193"
+username="media"
+config=$hostname
+## Generate key name and dir
 KEY_DIR="$HOME/keys/$hostname/"
 mkdir -p $KEY_DIR
+KEY_NAME="root@$hostname-ssh-ed25519"

-echo "Creating ssh keys for new host."
-KEY_NAME="$username@$hostname-ssh-ed25519"
-
-KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
+# Delete key in known hosts if exists
 confirm_delete=""
-
+KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
 [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
 [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts 

-echo "Copying deploy_key pubkey to target host"
-ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
+## Generate new keys for target host if none exists
+#echo "Creating ssh keys for new host."
+#overwrite=""
+#[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
+#[  -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""

-overwrite=""
-[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
+# Authorise source public key
+echo "Copying pubkey to target host"
+ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip"

-[  -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
+## Copy deploy_key to target root for personal repo authorisation
+#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
+#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"

-echo "Copying ssh key to target host:"
-scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
-[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
+## Generate age key from target host public ssh key
+#echo "Generating age key from target host ssh key"
+#nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
+#[ $? != 0 ] && echo "Error generating age key" && exit 1
+#AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
+#echo -e "Age key:\n$AGE_KEY\n"
+#echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."

-echo "Generating age key from ssh key"
-nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
-[ $? != 0 ] && echo "Error generating age key" && exit 1
-
-AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
-
-echo -e "Age key:\n$AGE_KEY\n"
-echo "This needs to be inserted into .sops.yaml file."
-
-# Install Nixos bootstrap
+# Install Nixos to target
 cd "$HOME/nixos"
-SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$KEY_DIR/ssh_ed25519_key_$hostname"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/ssh_host_ed25519_key"
 [ $? != 0 ] && echo "Error installing Nixos" && exit 1

+## Delete keys from local known_hosts
 echo "Deleting host from known_hosts"
 sed -i "/$ip/d" ~/.ssh/known_hosts

+# Check host OS has booted (and not booted back into live cd)
 while true;
 do
-  read -p "Confirm live CD has been removed... (yes|no)" confirm
+  read -p "Confirm live CD has been removed... (yes|no): " confirm
  [ "$confirm" = "yes" ] && break
 done
-
 echo "Waiting for $ip to come back online and port 22 to be open..."
-
 while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
 do
    echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
    sleep 5
 done
-
 echo "$ip is now online and port 22 is open!"

-echo "Configuring ssh keys on target host to enable connection to gitea:"
-ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
+# Authorise source public key
+echo "Copying pubkey to target host"
+ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip"
+
+## Copy deploy_key to target root for personal repo authorisation
+#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519"
+#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519.pub"
+#
+# Copy deploy_key to target user home for personal repo authorisation
+scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
+scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
+
+echo "Configuring target host ssh connection to enable connection to gitea repos:"
 read -r -d '' config << EOM
 Host git.bitlab21.com
    IdentitiesOnly yes
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/deploy_key-ssh-ed25519
 EOM
-
-# Append the string to file on target machine
 echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'

+# Generate age key from target host public ssh key
+echo "Generating age key from target host ssh key"
+TARGET_PUBKEY=$(ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "cat /etc/ssh/ssh_host_ed25519_key.pub")
+nix-shell -p ssh-to-age --run "echo $TARGET_PUBKEY | ssh-to-age > $KEY_DIR/age_key_$hostname"
+echo "$TARGET_PUBKEY" > "$KEY_DIR/$KEY_NAME.pub"
+AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
+
 echo -e "
 Complete!

-Now add the age key to .sops.yaml, like this:
+Now add the new target host age key to .sops.yaml. This is needed to enable the
+new host to decrypt the secrets.yaml file from the ssh key we generated
+previously.
+
+Enter the details as following:
 keys:
 - &hosts:
    - &$hostname $AGE_KEY
@ -101,13 +124,16 @@ creation_rules:
      - age:
        - *$hostname

-Then to update the keys for the secrets.yaml file, run:
+Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
+
  'sops --config .sops.yaml updatekeys secrets.yaml' 
-or with nix-shell:
-'nix-shell -p sops --run 'sops --config .sops.yaml updatekeys secrets.yaml''
-then run 'nix flake lock --update-input nix-secrets $HOME/nixos'
-Finally, commit and push these changes to remote so they can be accessed on
-the new host.
+
+or with just:
+
+  'just update-sops-secrets'
+
+Then commit and push these changes to remote so they can be accessed on the new
+host.
 "

 while true;
@ -116,12 +142,8 @@ do
  [ "$confirm" = "yes" ] && break
 done

-echo "Copying gitea private ssh key to host"
-echo "New password is 'nixos'"
-
-rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
-ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
-ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
+ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
+ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"

 echo "Successfully installed Nixos on the target host!"
 echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"