From 8679f1456629df3b31af44d86a589b55e81d3ab9 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 22 May 2024 23:38:48 +0100
Subject: [PATCH] minimal bootstrap install

---
 flake.lock | 20 ++++++++++----------
 scripts/generate_age_keys.sh | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 10 deletions(-)
 create mode 100755 scripts/generate_age_keys.sh

diff --git a/flake.lock b/flake.lock
index 21e71d0..38191df 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1716383025,
- "narHash": "sha256-kYfXAqbmbL0bu3J/AoiSkWVOCNlpJEemxivbTUaS+fU=",
+ "lastModified": 1716394172,
+ "narHash": "sha256-B+pNhV8GFeCj9/MoH+qtGqKbgv6fU4hGaw2+NoYYtB0=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "d957a010f83923626609d00cf73ed1b81f5a8a4b",
+ "rev": "23c63fb09334c3e8958b57e2ddc3870b75b9111d",
 "type": "github"
 },
 "original": {
@@ -58,11 +58,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716384287,
- "narHash": "sha256-d29bda7PZxvxkkA505pea74AiuBlMEjZvrKnHog8bio=",
+ "lastModified": 1716409441,
+ "narHash": "sha256-9H4tYbE2JAB+2+zc+ZfjKgaFa/dVsg80Bn1pv7lsw14=",
 "ref": "refs/heads/master",
- "rev": "960f344fa38bcfcd439d885aa503bf54e8599bc0",
- "revCount": 23,
+ "rev": "87aeda54c8ce2f34e22585c158021636801c8c1f",
+ "revCount": 24,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
@@ -134,11 +134,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1716244104,
- "narHash": "sha256-XXbqfkyWe0d0O+zqRQWi2oXi6wYDmTzXedFkBRwx1VI=",
+ "lastModified": 1716400300,
+ "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
 "owner": "mic92",
 "repo": "sops-nix",
- "rev": "fddd52460e3332eedd8a0043af5675338a5b3e0b",
+ "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
 "type": "github"
 },
 "original": {
diff --git a/scripts/generate_age_keys.sh b/scripts/generate_age_keys.sh
new file mode 100755
index 0000000..15e12b8
--- /dev/null
+++ b/scripts/generate_age_keys.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+echo "Generating an age key based on the new ssh_host_ed25519_key."
+
+target_key=$(ssh-keyscan -p $ssh_port -t ssh-ed25519 "$target_destination" 2>&1 | grep ssh-ed25519 | cut -f2- -d" ")
+age_key=$(nix shell nixpkgs#ssh-to-age.out -c sh -c "echo $target_key | ssh-to-age")
+
+if grep -qv '^age1' <<<"$age_key"; then
+ echo "The result from generated age key does not match the expected format."
+ echo "Result: $age_key"
+ echo "Expected format: age10000000000000000000000000000000000000000000000000000000000"
+ exit 1
+else
+ echo "$age_key"
+fi
+
+echo "Updating nix-secrets/.sops.yaml"
+cd ../nix-secrets
+
+SOPS_FILE=".sops.yaml"
+sed -i "{
+# Remove any * and & entries for this host
+/[*&]$target_hostname/ d;
+# Inject a new age: entry
+# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
+/age:/{n; p; s/\(.*- \*\).*/\1$target_hostname/};
+# Inject a new hosts: entry
+/&hosts:/{n; p; s/\(.*- &\).*/\1$target_hostname $age_key/}
+}" $SOPS_FILE
+
+echo "Updating nix-secrets/.sops.yaml"
+cd -
+just rekey
+
+echo "Updating flake lock on source machine with new .sops.yaml info"
+nix flake lock --update-input nix-secrets
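Review bot: The cleanup pattern `/[*&]$target_hostname/ d;` in the sed program has no end anchor, so a hostname that is a prefix of another host's alias (say `node` and `node2`) also deletes that other host's `&`/`*` entries from `.sops.yaml`, and any `.` in the hostname is a regex wildcard; anchoring the alias, e.g. `/[*&]$target_hostname\( \|$\)/ d;`, limits the delete to this host (this assumes the alias is followed by a space or end of line, which matches the `- &name key` / `- *name` lines the two substitutions below produce). The `sed -i` runs after an unchecked `cd ../nix-secrets`, and `ssh_port`, `target_destination` and `target_hostname` are never assigned in the script (presumably exported by the caller), so a failed `cd` or a missing variable silently edits the wrong file or scans the wrong host; `set -euo pipefail` after the shebang and `cd ../nix-secrets || exit 1` make both fail loudly instead. The scanned public key is also spliced into `sh -c "echo $target_key | ssh-to-age"` as shell text; passing it on stdin (a `printf '%s\n' "$target_key"` piped into the `nix shell ... -c ssh-to-age` command) avoids re-parsing network-derived data as shell source. The second `echo "Updating nix-secrets/.sops.yaml"` before `just rekey` looks copy-pasted and would read better as a rekey message.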