auto: bootstrapping sparky

flake.lock

@@ -228,11 +228,11 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1716728838,
+        "lastModified": 1716729487,
-        "narHash": "sha256-Gmsb1Bovwg+6XTwuyohpv1Ez8em0phLDEPWyh1Z4vS4=",
+        "narHash": "sha256-mf+lK/G5cuJjXlsBTlLpOqBw7Qx+H1ZQ8x4MohX6OO8=",
         "ref": "refs/heads/master",
-        "rev": "46bedb594c7f12f800a3d224e549dede64da968b",
+        "rev": "36900f87c79f7b63a39b7c134963c5c17063a616",
-        "revCount": 44,
+        "revCount": 45,
         "type": "git",
         "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
       },

scripts/bootstrap.sh

@@ -23,28 +23,29 @@ sed -i "/$ip/d" ~/.ssh/known_hosts
 echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
 
-# Create temp directory for ssh keys to be copied to host:
+# Create temp directory for ssh and luks keys to be copied to host:
-temp=$(mktemp -d)
+temp_ssh=$(mktemp -d)
+touch /tmp/luks_secret.key
 
 # Function to cleanup temporary directory on exit
 cleanup() {
-  rm -rf "$temp"
+  rm -rf "$temp_ssh" /tmp/luks_secret.key
 }
 trap cleanup EXIT
 
 # Create the directory where sshd expects to find the host keys
-install -d -m755 "$temp/persist/etc/ssh"
+install -d -m755 "$temp_ssh/persist/etc/ssh"
 
 # Create ssh keys if not exists
 echo "Creating '$hostname' ssh keys"
-ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
+ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
 
-chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
+chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key"
-chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
+chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub"
 
 # Generate age key from target host and user public ssh key
 echo "Generating age key from target host and user ssh key"
-HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
+HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
 echo -e "Host age key:\n$HOST_AGE_KEY\n"
 
 # Update .sops.yaml with new age key:
@@ -62,19 +63,16 @@ sed -i "{
 just update-sops-secrets && just update-flake-secrets && just update-flake
 
 # Extract luks key from secrets
-luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml")
+luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml")
-echo "$luks_key" > /tmp/luks_secret.key
+echo "$luks_secret" > /tmp/luks_secret.key
 
 # Install Nixos to target
 cd "$HOME/nixos"
 git add . && git commit -m "auto: bootstrapping $hostname" && git push
 
-SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
 
-# Delete luks key
-rm /tmp/luks_secret.key
-
 ## Delete keys from local known_hosts
 echo "Deleting host from known_hosts"
 sed -i "/$ip/d" ~/.ssh/known_hosts