diff --git a/flake.lock b/flake.lock index 288083a..c7fb6a6 100644 --- a/flake.lock +++ b/flake.lock @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1716448020, - "narHash": "sha256-u1ddoBOILtLVX4NYzqSZ9Qaqusql1M4reLd1fs554hY=", + "lastModified": 1716457508, + "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=", "owner": "nix-community", "repo": "home-manager", - "rev": "25dedb0d52c20448f6a63cc346df1adbd6ef417e", + "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05", "type": "github" }, "original": { diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 7817091..1499cc6 100755 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -12,24 +12,10 @@ for the root user. read -p "Confirm host had been setup using the above steps...(yes|no): " confirm [ "$confirm" != "yes" ] && echo "Exiting" && exit 0 -# Target host details -#cd ~ -#read -p "Enter hostname: " hostname -#read -p "Enter username: " username -#read -p "Enter ip address: " ip -#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config hostname="bootstrap" ip="192.168.122.192" config="bootstrap" -# Generate key name and dir -HOST_KEY_DIR="$HOME/keys/hosts/$hostname" -mkdir -p "$HOST_KEY_DIR" - -# Create ssh keys if not exists -echo "Creating '$hostname' ssh keys" -bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname" - # Delete key in known hosts if exists sed -i "/$ip/d" ~/.ssh/known_hosts 
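Review bot: The `sed -i "/$ip/d" ~/.ssh/known_hosts` line kept at the end of this hunk uses the now hard-coded IP as an unanchored, unescaped regex, so each `.` matches any character and the pattern can delete unrelated entries while missing a hashed (`HashKnownHosts`) entry for the same target entirely. `ssh-keygen -R "$ip"` is the purpose-built removal that handles plain and hashed entries and leaves a backup, so replace the line with `ssh-keygen -R "$ip"`. A one-line comment such as `# Drop the stale pin on purpose: this script replaces the target's host key below` would also make clear to a reader that this is not disabling host-key checking. The rest of the script continues outside the hunk.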
@@ -37,13 +23,6 @@ sed -i "/$ip/d" ~/.ssh/known_hosts echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" -# Generate age key from target host and user public ssh key -echo "Generating age key from target host and user ssh key" -nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key" -HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key") -echo -e "Host age key:\n$HOST_AGE_KEY\n" -echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later." - # Create temp directory for ssh keys to be copied to host: temp=$(mktemp -d) 
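Review bot: `ssh-copy-id -i ... "root@$ip"` now runs directly after the known_hosts entry for the target was deleted, so this first connection accepts (after the interactive prompt) whatever host key 192.168.122.192 presents, and a failure is not detected because the exit status is unchecked (whether the script runs under `set -e` is not visible in this hunk). At minimum fail fast so the script does not continue into the install with no key deployed: `ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" || { echo "ssh-copy-id to root@$ip failed" >&2; exit 1; }`. If the fingerprint of the installer's temporary host key is known, verify it out of band or supply it through `-o UserKnownHostsFile` rather than relying on the prompt.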
@@ -56,12 +35,30 @@ trap cleanup EXIT # Create the directory where sshd expects to find the host keys install -d -m755 "$temp/persist/etc/ssh" -cat "$HOST_KEY_DIR/ssh_host_ed25519_key" > "$temp/persist/etc/ssh/ssh_host_ed25519_key" -cat "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" > "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" +# Create ssh keys if not exists +echo "Creating '$hostname' ssh keys" +ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" +# Generate age key from target host and user public ssh key +echo "Generating age key from target host and user ssh key" +HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") +echo -e "Host age key:\n$HOST_AGE_KEY\n" + +# Update .sops.yaml with new age key: +SOPS_FILE="../nix-secrets/sops.yaml" +sed -i "{ +# Remove any * and & entries for this host +/[*&]$hostname/ d; +# Inject a new age: entry +# n matches the first line following age: and p prints it, then we transform it while reusing the spacing +/age:/{n; p; s/\(.*- \*\).*/\1$hostname/}; +# Inject a new hosts: entry +/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} +}" $SOPS_FILE + # Install Nixos to target cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push diff --git a/scripts/generate_age_keys.sh b/scripts/generate_age_keys.sh deleted file mode 100755 index 15e12b8..0000000 --- a/scripts/generate_age_keys.sh +++ /dev/null 
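Review bot: `HOST_AGE_KEY` is interpolated unescaped into the `sed -i` script that rewrites `$SOPS_FILE`, but unlike the deleted generate_age_keys.sh the new code no longer verifies that ssh-to-age produced an `age1…` recipient, so if `nix-shell` or `ssh-to-age` fails the variable is empty and sed silently writes a `- &bootstrap ` anchor with no key before the script commits and installs. Restore the format check and abort on failure, and guard the file path as well: `SOPS_FILE="../nix-secrets/sops.yaml"` is relative to wherever the script was launched (the `cd "$HOME/nixos"` comes later) and drops the leading dot the old script used (`.sops.yaml`), so please confirm the intended filename. The `$temp` path inside the `--run` string is unquoted; quoting it costs nothing. The deleted script also ran `just rekey` and refreshed the nix-secrets flake input after editing the file — if that is not done elsewhere in bootstrap.sh, the new host will not be able to decrypt existing secrets.
```bash
# … unchanged: ssh-keygen / chmod of the host key …
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "ssh-to-age < '$temp/persist/etc/ssh/ssh_host_ed25519_key.pub'")
# age recipients are bech32 (lowercase alphanumerics); anything else must not reach the sed script below
if [[ ! "$HOST_AGE_KEY" =~ ^age1[a-z0-9]+$ ]]; then
  echo "ssh-to-age did not return an age recipient (got: '$HOST_AGE_KEY')" >&2
  exit 1
fi
echo -e "Host age key:\n$HOST_AGE_KEY\n"

SOPS_FILE="../nix-secrets/sops.yaml"   # TODO confirm: the removed generate_age_keys.sh edited .sops.yaml
[ -f "$SOPS_FILE" ] || { echo "sops config not found: $SOPS_FILE" >&2; exit 1; }
# … unchanged: sed -i rewrite of $SOPS_FILE, git commit/push …
```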
@@ -1,35 +0,0 @@ -#!/usr/bin/env bash -echo "Generating an age key based on the new ssh_host_ed25519_key." - -target_key=$(ssh-keyscan -p $ssh_port -t ssh-ed25519 "$target_destination" 2>&1 | grep ssh-ed25519 | cut -f2- -d" ") -age_key=$(nix shell nixpkgs#ssh-to-age.out -c sh -c "echo $target_key | ssh-to-age") - -if grep -qv '^age1' <<<"$age_key"; then - echo "The result from generated age key does not match the expected format." - echo "Result: $age_key" - echo "Expected format: age10000000000000000000000000000000000000000000000000000000000" - exit 1 -else - echo "$age_key" -fi - -echo "Updating nix-secrets/.sops.yaml" -cd ../nix-secrets - -SOPS_FILE=".sops.yaml" -sed -i "{ -# Remove any * and & entries for this host -/[*&]$target_hostname/ d; -# Inject a new age: entry -# n matches the first line following age: and p prints it, then we transform it while reusing the spacing -/age:/{n; p; s/\(.*- \*\).*/\1$target_hostname/}; -# Inject a new hosts: entry -/&hosts:/{n; p; s/\(.*- &\).*/\1$target_hostname $age_key/} -}" $SOPS_FILE - -echo "Updating nix-secrets/.sops.yaml" -cd - -just rekey - -echo "Updating flake lock on source machine with new .sops.yaml info" -nix flake lock --update-input nix-secrets