revert bootstrap

This commit is contained in:
Sam 2024-05-19 23:33:42 +01:00
parent 82f5d9ebfe
commit c914883610
5 changed files with 42 additions and 60 deletions


@ -58,11 +58,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716151250, "lastModified": 1716153530,
"narHash": "sha256-EobYnFYGrF+gtUimpECPMOyYrBpPyuM6jx9SJZHHOAY=", "narHash": "sha256-riMwDwr4q5XbaE/Vd7FrYOrf9huJznTIPwemUqBPljw=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "e46f3dde6dba9b31fd6dfb8c105f011c53519ff8", "rev": "80e1cc126aeaaf1244b713407f12d69aa255b57d",
"revCount": 16, "revCount": 17,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -18,5 +18,13 @@ in
defaultSopsFile = "${secretsFile}"; defaultSopsFile = "${secretsFile}";
validateSopsFiles = false; validateSopsFiles = false;
secrets = {
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519" = {
path = "${homeDirectory}/.ssh/ssh_host_ed25519_key";
};
"ssh_keys/${username}@${hostname}/${username}@${hostname}-ssh-ed25519.pub" = {
path = "${homeDirectory}/.ssh/ssh_host_ed25519_key.pub";
};
};
}; };
} }
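Review bot: The restored secrets block decrypts a private key into the user's `~/.ssh/ssh_host_ed25519_key`, and the NixOS module on this same page uses `/etc/ssh/ssh_host_ed25519_key` as the sops age identity; if these are the same key pair (the `${username}@${hostname}` naming and the bootstrap script's `KEY_NAME` suggest it, but the hunk itself does not show it), the per-user copy hands an unprivileged account the identity that decrypts every secret for the host. Neither entry sets `mode` or `owner`, so the files get whatever the sops-nix home-manager default is — presumably owner-only, but for a private key that is worth pinning with `mode = "0400";` on the first entry. I would also add above the block: `# NOTE: this places a copy of the host's sops/age identity in the user's home; compromise of this account exposes all host secrets — prefer a dedicated per-user key.` The enclosing `sops = {` attrset starts before the hunk.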


@ -2,6 +2,7 @@
let let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
homeDirectory = "/home/${configVars.username}";
in in
{ {
imports = [ imports = [
@ -9,18 +10,13 @@ in
]; ];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${secretsFile}"; defaultSopsFile = "${secretsFile}";
validateSopsFiles = false; validateSopsFiles = false;
secrets = { age = {
"ssh_keys/deploy_key/deploy_key-ssh-ed25519" = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
path = "/etc/ssh/deploy_key-ssh-ed25519"; keyFile = "/var/lib/sops-nix/key.txt";
}; generateKey = true;
"ssh_keys/deploy_key/deploy_key-ssh-ed25519.pub" = {
path = "/etc/ssh/deploy_key-ssh-ed25519.pub";
};
}; };
}; };
} }
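Review bot: `generateKey = true;` together with `keyFile = "/var/lib/sops-nix/key.txt";` makes sops-nix mint a fresh age key on first activation whenever that file is absent, and nothing on this page registers that key as a recipient in `.sops.yaml`, so it cannot decrypt the existing secrets and only leaves an extra long-lived, unrotated private key on disk (unless it is added as a recipient somewhere outside this commit). The SSH host key in `sshKeyPaths` appears to be the identity the bootstrap script derives the age recipient from, so `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` alone should suffice; if a separate key file is wanted, keep `keyFile` but drop `generateKey` and provision it deliberately. The `homeDirectory` binding added in the first hunk is not referenced in either visible hunk. The enclosing `let` and `sops = {` attrset begin before the hunks.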


@ -17,11 +17,5 @@ in
}; };
}; };
programs.ssh.extraConfig = ''
Host git.bitlab21.com
IdentitiesOnly yes
StrictHostKeyChecking no
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
'';
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
} }


@ -13,19 +13,16 @@ read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0
# Target host details # Target host details
#cd ~ cd ~
#read -p "Enter hostname: " hostname read -p "Enter hostname: " hostname
#read -p "Enter username: " username read -p "Enter username: " username
#read -p "Enter ip address: " ip read -p "Enter ip address: " ip
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
hostname="sparky"
ip="192.168.122.193" # Generate key name and dir
username="media"
config=$hostname
## Generate key name and dir
KEY_DIR="$HOME/keys/$hostname/" KEY_DIR="$HOME/keys/$hostname/"
mkdir -p $KEY_DIR mkdir -p $KEY_DIR
KEY_NAME="root@$hostname-ssh-ed25519" KEY_NAME="$username@$hostname-ssh-ed25519"
# Delete key in known hosts if exists # Delete key in known hosts if exists
confirm_delete="" confirm_delete=""
@ -33,27 +30,23 @@ KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete [ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts [ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
## Generate new keys for target host if none exists # Generate new keys for target host if not exists
#echo "Creating ssh keys for new host." echo "Creating ssh keys for new host."
#overwrite="" overwrite=""
#[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite [ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Target host key '$KEY_NAME' already exists, would you like to overwrite it? (yes|no) " overwrite
#[ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N "" [ -z "$overwrite" ] || [ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$username@$hostname" -N ""
# Authorise source public key # Authorise source public key
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "root@$ip"
## Copy deploy_key to target root for personal repo authorisation # Generate age key from target host public ssh key
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME" "root@$ip:/etc/ssh/ssh_host_ed25519_key" echo "Generating age key from target host ssh key"
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$KEY_DIR/$KEY_NAME.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub" nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
[ $? != 0 ] && echo "Error generating age key" && exit 1
## Generate age key from target host public ssh key AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
#echo "Generating age key from target host ssh key" echo -e "Age key:\n$AGE_KEY\n"
#nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname" echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
#[ $? != 0 ] && echo "Error generating age key" && exit 1
#AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
#echo -e "Age key:\n$AGE_KEY\n"
#echo "This key needs to be inserted into .sops.yaml file. This will be prompted again later."
# Install Nixos to target # Install Nixos to target
cd "$HOME/nixos" cd "$HOME/nixos"
@ -82,13 +75,9 @@ echo "$ip is now online and port 22 is open!"
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key.pub")" "$username@$ip"
## Copy deploy_key to target root for personal repo authorisation # Copy deploy_key to target for personal repo authorisation
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519" scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519"
#scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "root@$ip:/etc/ssh/deploy_key-ssh-ed25519.pub" scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "media@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
#
# Copy deploy_key to target user home for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519"
scp -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"
echo "Configuring target host ssh connection to enable connection to gitea repos:" echo "Configuring target host ssh connection to enable connection to gitea repos:"
read -r -d '' config << EOM read -r -d '' config << EOM
@ -99,13 +88,6 @@ Host git.bitlab21.com
EOM EOM
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config' echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
# Generate age key from target host public ssh key
echo "Generating age key from target host ssh key"
TARGET_PUBKEY=$(ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "cat /etc/ssh/ssh_host_ed25519_key.pub")
nix-shell -p ssh-to-age --run "echo $TARGET_PUBKEY | ssh-to-age > $KEY_DIR/age_key_$hostname"
echo "$TARGET_PUBKEY" > "$KEY_DIR/$KEY_NAME.pub"
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
echo -e " echo -e "
Complete! Complete!
@ -147,3 +129,5 @@ ssh -i "$(readlink -f "$HOME/.ssh/ssh_host_ed25519_key")" "$username@$ip" "nix-s
echo "Successfully installed Nixos on the target host!" echo "Successfully installed Nixos on the target host!"
echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'" echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
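Review bot: In the deploy-key hunk (`@ -82,13 +75,9 @@`) the new side hard-codes `media@$ip` as the scp destination while the rest of the restored script prompts for `username` and uses `$username@$ip` for `ssh-copy-id` and the `~/.ssh/config` write, so bootstrapping a host with any other user name fails or, worse, drops the private deploy key into a different account's home. Both lines should use `"$username@$ip:~/.ssh/deploy_key-ssh-ed25519"` and `"$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub"`. The copied key's mode is whatever scp carries over from the source file and the remote umask, which the hunk never checks; a follow-up `ssh "$username@$ip" 'chmod 700 ~/.ssh && chmod 600 ~/.ssh/deploy_key-ssh-ed25519'` would make the private key unusable by other local users regardless. The final hunk (`@ -147,3 +129,5 @@`) reports five new-side lines but only two are visible here, so its tail may continue beyond this excerpt.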