revert bootstrap

This commit is contained in:
Sam 2024-05-19 23:33:42 +01:00
parent 82f5d9ebfe
commit c914883610
5 changed files with 42 additions and 60 deletions


@ -58,11 +58,11 @@
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1716151250,
"narHash": "sha256-EobYnFYGrF+gtUimpECPMOyYrBpPyuM6jx9SJZHHOAY=",
"lastModified": 1716153530,
"narHash": "sha256-riMwDwr4q5XbaE/Vd7FrYOrf9huJznTIPwemUqBPljw=",
"ref": "refs/heads/master",
"rev": "e46f3dde6dba9b31fd6dfb8c105f011c53519ff8",
"revCount": 16,
"rev": "80e1cc126aeaaf1244b713407f12d69aa255b57d",
"revCount": 17,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},


@ -18,5 +18,13 @@ in
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
secrets = {
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/ssh_host_ed25519_key";
};
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/ssh_host_ed25519_key.pub";
};
};
};
}
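Review bot: The added `secrets` entries say nothing about what this key pair is or why a per-user key (`${username}@${hostname}-ssh-ed25519`) is installed under the host-key-style name `ssh_host_ed25519_key` in the user's home; a comment above `secrets = {` such as `# per-user ed25519 key pair from nix-secrets; installed under the ssh_host_ed25519_key name that the bootstrap script's ssh-copy-id/scp steps expect` would make the intent clear (the link to the bootstrap script is my inference from the other files in this commit, so adjust it). Neither entry sets `mode`, so the private key relies on sops-nix's default permissions (0400 as far as I know); writing `mode = "0400";` on the private-key entry next to the `.pub` entry makes the expectation explicit for the next reader. The enclosing `sops = { ... }` attribute set starts before the hunk.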


@ -2,6 +2,7 @@
let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = "/home/${configVars.username}";
in
{
imports = [
@ -9,18 +10,13 @@ in
];
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
secrets = {
"ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
path = "/etc/ssh/deploy_key-ssh-ed25519";
};
"ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
};
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
};
}
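Review bot: `homeDirectory = "/home/${configVars.username}";` is introduced in the `let` of the first hunk, but neither hunk references it, and the second hunk's secret paths stay under `/etc/ssh`; if nothing else in the file uses it this is a dead binding, which Nix does not warn about, so either drop it or use it in the paths it was meant for. If the `age = { ... keyFile = "/var/lib/sops-nix/key.txt"; generateKey = true; }` block is the surviving side, note that a key generated on the host at activation is not a recipient of the existing secrets until its public key is added to `.sops.yaml` and the files are updated, so the first activation will still decrypt only via the `sshKeyPaths` entry; a comment such as `# generateKey only creates a local age key; its public key must be added to .sops.yaml before it can decrypt anything` would prevent a confusing first deploy. Which of the two `age` forms is old and which is new is not recoverable from the rendered page, so treat this as conditional.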


@ -17,11 +17,5 @@ in
};
};
programs.ssh.extraConfig = ''
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
'';
networking.firewall.allowedTCPPorts = [ sshPort ];
}


@ -13,19 +13,16 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0
# Target host details
#cd ~
#read -p "Enter hostname: " hostname
#read -p "Enter username: " username
#read -p "Enter ip address: " ip
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
hostname="sparky"
ip="192.168.122.193"
username="media"
config=$hostname
## Generate key name and dir
cd ~
read -p "Enter hostname: " hostname
read -p "Enter username: " username
read -p "Enter ip address: " ip
read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
# Generate key name and dir
KEY_DIR="$HOME/keys/$hostname/"
mkdir -p $KEY_DIR
KEY_NAME="root@$hostname-ssh-ed25519"
KEY_NAME="$username@$hostname-ssh-ed25519"
# Delete key in known hosts if exists
confirm_delete=""
@ -33,27 +30,23 @@ KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
## Generate new keys for target host if none exists
#echo "Creating ssh keys for new host."
#overwrite=""
#[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
#[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
# Generate new keys for target host if not exists
echo "Creating ssh keys for new host."
overwrite=""
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip"
## Copy deploy_key to target root for personal repo authorisation
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
## Generate age key from target host public ssh key
#echo "Generating age key from target host ssh key"
#nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
#[ $? != 0 ] && echo "Error generating age key" && exit 1
#AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
#echo -e "Age key:\n$AGE_KEY\n"
#echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
# Generate age key from target host public ssh key
echo "Generating age key from target host ssh key"
nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
[ $? != 0 ] && echo "Error generating age key" && exit 1
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
echo -e "Age key:\n$AGE_KEY\n"
echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
# Install Nixos to target
cd "$HOME/nixos"
@ -82,13 +75,9 @@ echo "$ip is now online and port 22 is open!"
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip"
## Copy deploy_key to target root for personal repo authorisation
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519"
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519.pub"
#
# Copy deploy_key to target user home for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
# Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
echo "Configuring target host ssh connection to enable connection to gitea repos:"
read -r -d '' config << EOM
@ -99,13 +88,6 @@ Host git.bitlab21.com
EOM
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
# Generate age key from target host public ssh key
echo "Generating age key from target host ssh key"
TARGET_PUBKEY=$(ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "cat /etc/ssh/ssh_host_ed25519_key.pub")
nix-shell -p ssh-to-age --run "echo $TARGET_PUBKEY | ssh-to-age > $KEY_DIR/age_key_$hostname"
echo "$TARGET_PUBKEY" > "$KEY_DIR/$KEY_NAME.pub"
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
echo -e "
Complete!
@ -147,3 +129,5 @@ ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-s
echo "Successfully installed Nixos on the target host!"
echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
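Review bot: The two `scp` lines that copy the deploy key to `media@$ip:~/.ssh/deploy_key-ssh-ed25519` and its `.pub` hard-code the user `media`, while the rest of the restored script reads the username interactively and uses `"$username@$ip"` for `ssh-copy-id` and for writing `~/.ssh/config`; if those `media@` lines are the surviving side of the third hunk, any other username silently gets the key copied into the wrong account, so they should be `"$username@$ip:~/.ssh/deploy_key-ssh-ed25519"` and `"$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"`. In the second hunk the restored overwrite prompt treats an empty answer as consent (`[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen ...`), so pressing Enter replaces a key whose age key may already be in `.sops.yaml`, as the script itself warns; `[ ! -f "$KEY_DIR/$KEY_NAME" ] || [ "$overwrite" = "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""` keeps the no-key case working while requiring an explicit yes, and `read -r -p` on the prompts avoids backslash mangling. The known_hosts cleanup `sed -i "/$ip/d" ~/.ssh/known_hosts` uses the address as an unescaped regex, so each dot matches any character and a longer address with the same prefix is deleted too; `ssh-keygen -R "$ip"` does this job precisely. The paths inside the `nix-shell --run "..."` string and `mkdir -p $KEY_DIR` are unquoted, which breaks on a hostname containing spaces or globs. The final hunk (`@ -147,3 +129,5`) runs past the end of the page, so its added lines are only partly visible.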