change bootstap to get age key from target host

This commit is contained in:
Sam 2024-05-19 21:55:25 +01:00
parent 521bafe3f8
commit 82f5d9ebfe
7 changed files with 119 additions and 94 deletions

View File

@ -58,11 +58,11 @@
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1716039101,
"narHash": "sha256-jaliFlqz3HKW+tsW3Onqtbw3w6mLTYJJZZQrrPmxZ8Q=",
"lastModified": 1716151250,
"narHash": "sha256-EobYnFYGrF+gtUimpECPMOyYrBpPyuM6jx9SJZHHOAY=",
"ref": "refs/heads/master",
"rev": "7cef1d6f77d212a887e6660f85b28f8b20181d9b",
"revCount": 13,
"rev": "e46f3dde6dba9b31fd6dfb8c105f011c53519ff8",
"revCount": 16,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},

View File

@ -13,23 +13,10 @@ in
sops = {
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
age.sshKeyPaths = ["${homeDirectory}/.ssh/deploy_key-ssh-ed25519" "${homeDirectory}/.ssh/ssh_host_ed25519_key"];
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
secrets = {
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519";
};
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/${username}@${hostname}-ssh-ed25519.pub";
};
"ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519";
};
"ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/deploy_key-ssh-ed25519.pub";
};
};
};
}

View File

@ -11,8 +11,15 @@
xdg.userDirs = {
enable = true;
createDirectories = true;
desktop = "${config.home.homeDirectory}/Desktop";
createDirectories = false;
desktop = "/home/media/Desktop";
documents = null;
download = null;
music = null;
pictures = null;
publicShare = null;
templates = null;
videos = null;
};
home.packages = [

View File

@ -2,7 +2,6 @@
let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = "/home/${configVars.username}";
in
{
imports = [
@ -10,13 +9,18 @@ in
];
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
secrets = {
"ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
path = "/etc/ssh/deploy_key-ssh-ed25519";
};
"ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
};
};
};
}

View File

@ -17,6 +17,11 @@ in
};
};
programs.ssh.extraConfig = ''
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
'';
networking.firewall.allowedTCPPorts = [ sshPort ];
}

View File

@ -29,12 +29,6 @@
};
};
environment.etc = {
"xdg/user-dirs.defaults".text = ''
DESKTOP=/home/media/Desktop
'';
};
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
hideMounts = true;
@ -50,6 +44,12 @@ environment.etc = {
"sync"
"keep"
".ssh"
".config/dconf"
".config/cinnamon"
".config/nemo"
];
files = [
".config/user-dirs.dirs"
];
};
};
@ -80,14 +80,14 @@ environment.etc = {
services.libinput.enable = true;
services.displayManager.defaultSession = "cinnamon";
services.xserver = {
enable = true;
displayManager.lightdm.enable = true;
desktopManager = {
cinnamon.enable = true;
};
};
# services.xserver = {
# enable = true;
# displayManager.lightdm.enable = true;
# desktopManager = {
# cinnamon.enable = true;
# };
# };
#
security.pam = {
sshAgentAuth.enable = true;
services = {

View File

@ -12,85 +12,108 @@ for the root user.
read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0
cd ~
read -p "Enter hostname: " hostname
read -p "Enter username: " username
read -p "Enter ip address: " ip
read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
# Target host details
#cd ~
#read -p "Enter hostname: " hostname
#read -p "Enter username: " username
#read -p "Enter ip address: " ip
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
hostname="sparky"
ip="192.168.122.193"
username="media"
config=$hostname
## Generate key name and dir
KEY_DIR="$HOME/keys/$hostname/"
mkdir -p $KEY_DIR
KEY_NAME="root@$hostname-ssh-ed25519"
echo "Creating ssh keys for new host."
KEY_NAME="$username@$hostname-ssh-ed25519"
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
# Delete key in known hosts if exists
confirm_delete=""
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
echo "Copying deploy_key pubkey to target host"
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519.pub" )" "root@$ip"
## Generate new keys for target host if none exists
#echo "Creating ssh keys for new host."
#overwrite=""
#[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
#[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
overwrite=""
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip"
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
## Copy deploy_key to target root for personal repo authorisation
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
echo "Copying ssh key to target host:"
scp -i "$KEY_DIR/$KEY_NAME"* "root@$ip:/etc/ssh/"
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
## Generate age key from target host public ssh key
#echo "Generating age key from target host ssh key"
#nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
#[ $? != 0 ] && echo "Error generating age key" && exit 1
#AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
#echo -e "Age key:\n$AGE_KEY\n"
#echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
echo "Generating age key from ssh key"
nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
[ $? != 0 ] && echo "Error generating age key" && exit 1
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
echo -e "Age key:\n$AGE_KEY\n"
echo "This needs to be inserted into .sops.yaml file."
# Install Nixos bootstrap
# Install Nixos to target
cd "$HOME/nixos"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$KEY_DIR/ssh_ed25519_key_$hostname"
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#"$config" root@"$ip" -i "$HOME/.ssh/ssh_host_ed25519_key"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts
echo "Deleting host from known_hosts"
sed -i "/$ip/d" ~/.ssh/known_hosts
# Check host OS has booted (and not booted back into live cd)
while true;
do
read -p "Confirm live CD has been removed... (yes|no)" confirm
read -p "Confirm live CD has been removed... (yes|no): " confirm
[ "$confirm" = "yes" ] && break
done
echo "Waiting for $ip to come back online and port 22 to be open..."
while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
do
echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
sleep 5
done
echo "$ip is now online and port 22 is open!"
echo "Configuring ssh keys on target host to enable connection to gitea:"
ssh-copy-id -i "$HOME/.ssh/deploy_key-ssh-ed25519.pub" "$username@$ip"
# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip"
## Copy deploy_key to target root for personal repo authorisation
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519"
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519.pub"
#
# Copy deploy_key to target user home for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
echo "Configuring target host ssh connection to enable connection to gitea repos:"
read -r -d '' config << EOM
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/deploy_key-ssh-ed25519
EOM
# Append the string to file on target machine
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
# Generate age key from target host public ssh key
echo "Generating age key from target host ssh key"
TARGET_PUBKEY=$(ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "cat /etc/ssh/ssh_host_ed25519_key.pub")
nix-shell -p ssh-to-age --run "echo $TARGET_PUBKEY | ssh-to-age > $KEY_DIR/age_key_$hostname"
echo "$TARGET_PUBKEY" > "$KEY_DIR/$KEY_NAME.pub"
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
echo -e "
Complete!
Now add the age key to .sops.yaml, like this:
Now add the new target host age key to .sops.yaml. This is needed to enable the
new host to decrypt the secrets.yaml file from the ssh key we generated
previously.
Enter the details as following:
keys:
- &hosts:
- &$hostname $AGE_KEY
@ -101,13 +124,16 @@ creation_rules:
- age:
- *$hostname
Then to update the keys for the secrets.yaml file, run:
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
'sops --config .sops.yaml updatekeys secrets.yaml'
or with nix-shell:
'nix-shell -p sops --run 'sops --config .sops.yaml updatekeys secrets.yaml''
then run 'nix flake lock --update-input nix-secrets $HOME/nixos'
Finally, commit and push these changes to remote so they can be accessed on
the new host.
or with just:
'just update-sops-secrets'
Then commit and push these changes to remote so they can be accessed on the new
host.
"
while true;
@ -116,12 +142,8 @@ do
[ "$confirm" = "yes" ] && break
done
echo "Copying gitea private ssh key to host"
echo "New password is 'nixos'"
rsync -av "$(readlink -n "$HOME/.ssh/deploy_key-ssh-ed25519" )" "$username@$ip":~/.ssh/deploy_key-ssh-ed25519
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
echo "Successfully installed Nixos on the target host!"
echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"