diff --git a/flake.lock b/flake.lock
index 619d6fb..042d3cd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -58,11 +58,11 @@
 "nix-secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1716151250,
- "narHash": "sha256-EobYnFYGrF+gtUimpECPMOyYrBpPyuM6jx9SJZHHOAY=",
+ "lastModified": 1716153530,
+ "narHash": "sha256-riMwDwr4q5XbaE/Vd7FrYOrf9huJznTIPwemUqBPljw=",
 "ref": "refs/heads/master",
- "rev": "e46f3dde6dba9b31fd6dfb8c105f011c53519ff8",
- "revCount": 16,
+ "rev": "80e1cc126aeaaf1244b713407f12d69aa255b57d",
+ "revCount": 17,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/home/common/optional/sops.nix b/home/common/optional/sops.nix
index 377d693..ab1bb1b 100644
--- a/home/common/optional/sops.nix
+++ b/home/common/optional/sops.nix
@@ -18,5 +18,13 @@ in
 defaultSopsFile = "${secretsFile}";
 validateSopsFiles = false;
+ secrets = {
+ "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
+ path = "${homeDirectory}/.ssh/ssh_host_ed25519_key";
+ };
+ "ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
+ path = "${homeDirectory}/.ssh/ssh_host_ed25519_key.pub";
+ };
+ };
 };
 }
diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix
index 0cdbe31..ac5bda1 100644
--- a/hosts/common/core/sops.nix
+++ b/hosts/common/core/sops.nix
@@ -2,6 +2,7 @@
 let
 secretsDirectory = builtins.toString inputs.nix-secrets;
 secretsFile = "${secretsDirectory}/secrets.yaml";
+ homeDirectory = "/home/${configVars.username}";
 in
 {
 imports = [
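Review bot: The two new `secrets` entries install a private SSH identity under `${homeDirectory}/.ssh/` but carry no comment saying where that key comes from or which file mode the decrypted file is expected to have; `homeDirectory`, `username` and `hostname` are bound in the `let` block above the hunk. The secret name `ssh_keys/<user>@<host>/<user>@<host>-ssh-ed25519` appears to mirror the `KEY_NAME="$username@$hostname-ssh-ed25519"` that `scripts/bootstrap.sh` generates in this same commit, so a comment tying the two together would help the next reader: `# User SSH identity generated by scripts/bootstrap.sh and stored in nix-secrets; relies on the sops-nix default secret mode (0400, owned by the user) — keep it that way.` I have not verified the home-manager module's default mode and owner here, so please confirm ssh accepts the resulting file's permissions before relying on it. The `.pub` entry at the same restrictive mode is harmless but could be given `mode = "0444";` if anything else needs to read it.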
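Review bot: `homeDirectory = "/home/${configVars.username}";` is added to this file's `let` block but neither hunk of `hosts/common/core/sops.nix` uses it, and the only consumer of a `homeDirectory` binding in the diff is `home/common/optional/sops.nix`, which has its own scope. Unless something outside the diff references it, the binding is dead in this file and should either be dropped or moved to where it is used. If it is kept intentionally, a one-line comment such as `# Used by per-host secret paths below` would stop it from being removed as unused.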
@@ -9,18 +10,13 @@ in
 ];
 sops = {
- age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- defaultSopsFile = "${secretsFile}";
 validateSopsFiles = false;
- secrets = {
- "ssh_keys/deploy_key/deploy_key-ssh-ed25519" = {
- path = "/etc/ssh/deploy_key-ssh-ed25519";
- };
- "ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
- path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
- };
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ keyFile = "/var/lib/sops-nix/key.txt";
+ generateKey = true;
 };
 };
 }
diff --git a/hosts/common/optional/openssh/default.nix b/hosts/common/optional/openssh/default.nix
index 3a6f875..85c5aab 100644
--- a/hosts/common/optional/openssh/default.nix
+++ b/hosts/common/optional/openssh/default.nix
@@ -17,11 +17,5 @@ in
 };
 };
- programs.ssh.extraConfig = ''
- Host git.bitlab21.com
- IdentitiesOnly yes
- StrictHostKeyChecking no
- IdentityFile /etc/ssh/deploy_key-ssh-ed25519
- '';
 networking.firewall.allowedTCPPorts = [ sshPort ];
 }
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 3396a4f..584c888 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -13,19 +13,16 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0
 # Target host details
-#cd ~
-#read -p "Enter hostname: " hostname
-#read -p "Enter username: " username
-#read -p "Enter ip address: " ip
-#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
-hostname="sparky"
-ip="192.168.122.193"
-username="media"
-config=$hostname
-## Generate key name and dir
+cd ~
+read -p "Enter hostname: " hostname
+read -p "Enter username: " username
+read -p "Enter ip address: " ip
+read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
+
+# Generate key name and dir
 KEY_DIR="$HOME/keys/$hostname/"
 mkdir -p $KEY_DIR
-KEY_NAME="root@$hostname-ssh-ed25519"
+KEY_NAME="$username@$hostname-ssh-ed25519"
 # Delete key in known hosts if exists
 confirm_delete=""
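Review bot: `generateKey = true;` together with `keyFile = "/var/lib/sops-nix/key.txt";` asks sops-nix to create a fresh age key at that path when none exists, and as I read the sops-nix module that key is produced by `age-keygen`, i.e. random and unrelated to `/etc/ssh/ssh_host_ed25519_key`, which `sshKeyPaths` already converts at activation time. Nothing in this diff ever feeds the generated key's public half into `.sops.yaml`, so it will sit on disk as a second long-lived decryption key that decrypts nothing; if the host ssh key is the intended recipient, `sshKeyPaths` alone suffices and the other two lines can go, and if a standalone age key is intended its recipient has to go through the same `.sops.yaml` update that `scripts/bootstrap.sh` prompts for. Dropping `defaultSopsFile` also leaves `secretsFile` in the `let` block of the previous hunk unused unless something outside the diff references it. A short comment on the `age` block stating which key is expected to decrypt host secrets would settle the question for the next reader: `# Host secrets are encrypted to the age recipient derived from this host's ssh key`.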
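Review bot: The prompts that replace the hard-coded host values accept empty answers, and `$hostname`, `$username` and `$ip` then flow unchecked into `KEY_DIR`, the new `KEY_NAME`, the `grep`/`sed -i "/$ip/d"` on `~/.ssh/known_hosts` in the next hunk, and every later ssh/scp target. Reject empty input right after the reads: `[ -z "$hostname" ] || [ -z "$username" ] || [ -z "$ip" ] && echo "hostname, username and ip must not be empty" && exit 1`. Since `KEY_DIR` is about to hold a passphrase-less private key (the next hunk runs `ssh-keygen ... -N ""` into it) and the context line `mkdir -p $KEY_DIR` is unquoted and created with the default umask, tighten it at the same time: `mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"`.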
@@ -33,27 +30,23 @@ KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
 [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
 [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
-## Generate new keys for target host if none exists
-#echo "Creating ssh keys for new host."
-#overwrite=""
-#[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
-#[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
+# Generate new keys for target host if not exists
+echo "Creating ssh keys for new host."
+overwrite=""
+[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
+[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
 # Authorise source public key
 echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip"
-## Copy deploy_key to target root for personal repo authorisation
-#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "root@$ip:/etc/ssh/ssh_host_ed25519_key"
-#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub"
-
-## Generate age key from target host public ssh key
-#echo "Generating age key from target host ssh key"
-#nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
-#[ $? != 0 ] && echo "Error generating age key" && exit 1
-#AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
-#echo -e "Age key:\n$AGE_KEY\n"
-#echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
+# Generate age key from target host public ssh key
+echo "Generating age key from target host ssh key"
+nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
+[ $? != 0 ] && echo "Error generating age key" && exit 1
+AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
+echo -e "Age key:\n$AGE_KEY\n"
+echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
 # Install Nixos to target
 cd "$HOME/nixos"
@@ -82,13 +75,9 @@ echo "$ip is now online and port 22 is open!"
 echo "Copying pubkey to target host"
 ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip"
-## Copy deploy_key to target root for personal repo authorisation
-#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519"
-#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519.pub"
-#
-# Copy deploy_key to target user home for personal repo authorisation
-scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
-scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
+# Copy deploy_key to target for personal repo authorisation
+scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519"
+scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
 echo "Configuring target host ssh connection to enable connection to gitea repos:"
 read -r -d '' config << EOM
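Review bot: The re-enabled block derives the age recipient from the freshly generated `$KEY_DIR/$KEY_NAME.pub`, yet the same hunk deletes the (already commented) `scp` lines that would have put that key pair on the target as `/etc/ssh/ssh_host_ed25519_key`, and the later step that derived the recipient from the target's real host key is removed in the `@@ -99,13 +88,6 @@` hunk. With `hosts/common/core/sops.nix` now decrypting via `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`, the target's own host key is never a recipient of anything encrypted to this age key, so system-level secrets look undecryptable unless the generated private key reaches the host some other way — presumably via the new per-user entry in `home/common/optional/sops.nix`, which only populates the user's `~/.ssh`, not `/etc/ssh`. Please document the intended delivery path above `echo "Creating ssh keys for new host."`, e.g. `# This key pair is the sops recipient for the new host; its private half must be added to nix-secrets under ssh_keys/<user>@<host>/ so home-manager can install it, and nothing here copies it to /etc/ssh`, and either restore the copy to `/etc/ssh` or stop relying on `sshKeyPaths` for this host. Separately, `$KEY_DIR` and `$KEY_NAME` are interpolated unquoted inside the `--run` string, so a `$HOME` containing a space breaks the `ssh-to-age` pipeline.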
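Review bot: Both new `scp` lines hard-code `media@$ip` as the destination, while the script now prompts for `$username` and the surrounding `ssh-copy-id ... "$username@$ip"` and the later `ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'` step use the prompted name; for any other user the deploy key lands in the wrong home (or the copy fails) and the `~/.ssh/config` written afterwards points at a file that is not there. Change both targets to `"$username@$ip:~/.ssh/deploy_key-ssh-ed25519"` and `"$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"`. Since this is a private key copied into another account's `~/.ssh`, it is also worth confirming the resulting mode on the target is 0600 — scp applies the source mode subject to the remote umask, which is usually fine but I have not checked what `readlink -f` resolves to here.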
@@ -99,13 +88,6 @@ Host git.bitlab21.com
 EOM
 echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
-# Generate age key from target host public ssh key
-echo "Generating age key from target host ssh key"
-TARGET_PUBKEY=$(ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "cat /etc/ssh/ssh_host_ed25519_key.pub")
-nix-shell -p ssh-to-age --run "echo $TARGET_PUBKEY | ssh-to-age > $KEY_DIR/age_key_$hostname"
-echo "$TARGET_PUBKEY" > "$KEY_DIR/$KEY_NAME.pub"
-AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
-
 echo -e "
 Complete!
@@ -147,3 +129,5 @@ ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-s
 echo "Successfully installed Nixos on the target host!"
 echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
+
+