auto: bootstrapping sparky

This commit is contained in:
Sam 2024-05-26 13:52:51 +01:00
parent b7d7f40171
commit dbcadf5315
3 changed files with 27 additions and 22 deletions


@ -228,11 +228,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716726314, "lastModified": 1716727965,
"narHash": "sha256-51OoLeW7G0MgtY6veCsbPxN+SMg6RjMzNAj9jb0QWNk=", "narHash": "sha256-NTsv/rWrB2coS62aKKD9GDR2mhzL1MMU+5VYDhh1y6w=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "1260e25cdc7057ca61f947ec67b3aaf4de013852", "rev": "4973f9b8652f9a829510593f8b17448783054b5e",
"revCount": 40, "revCount": 41,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -1,6 +1,4 @@
{device ? throw "Must define a device, e.g. /dev/sda", keyFile ? throw "LUKS password file not specified"}: {device ? throw "Must define a device, e.g. /dev/sda"}:
let
in
{ {
disko.devices = { disko.devices = {
disk = { disk = {
@ -28,11 +26,11 @@ in
type = "luks"; type = "luks";
name = "crypted"; name = "crypted";
# disable settings.keyFile if you want to use interactive password entry # disable settings.keyFile if you want to use interactive password entry
#passwordFile = "/tmp/secret.key"; # Interactive passwordFile = "/tmp/luks_secret.key"; # Interactive
settings = { # settings = {
allowDiscards = true; # allowDiscards = true;
inherit keyFile; # keyFile = "${sopsHashedPasswordFile}";
}; # };
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = ["-f"]; extraArgs = ["-f"];
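Review bot: The new `passwordFile = "/tmp/luks_secret.key";` does not name the file the bootstrap script in this same commit stages: the script writes `"$temp_luks/luks_secrets.key"` (plural, and at the root of the temp tree rather than under the `tmp/` subdirectory it creates), so if the extra files are copied onto the target root as-is, disko will look for a file that is not there. Align the two sides, most simply in the script with `... > "$temp_luks/tmp/luks_secret.key"`. The trailing `# Interactive` comment on that line now describes the opposite of what the line does; `# key staged by the bootstrap script` would be accurate. The commented-out block below still references `sopsHashedPasswordFile`, which no longer exists in this file since the `let`/`in` and `keyFile` parameter were removed, so it is a stale hint rather than a usable alternative.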


@ -23,28 +23,35 @@ sed -i "/$ip/d" ~/.ssh/known_hosts
echo "Copying pubkey to target host" echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Create temp directory for ssh keys to be copied to host: # Create temp directory for ssh and luks to be copied to host:
temp=$(mktemp -d) temp_ssh=$(mktemp -d)
temp_luks=$(mktemp -d)
# Function to cleanup temporary directory on exit # Function to cleanup temporary directory on exit
cleanup() { cleanup() {
rm -rf "$temp" rm -rf "$temp_ssh" "$temp_luks"
} }
trap cleanup EXIT trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory where services are to find the host keys
install -d -m755 "$temp/persist/etc/ssh" install -d -m755 "$temp_ssh/persist/etc/ssh"
install -d -m755 "$temp_luks/tmp"
# Extract luks key from secrets
luks_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"passwords""\"][""\"root""\"]' ../nix-secrets/secrets.yaml")
echo "$luks_key" > "$temp_luks/luks_secrets.key"
# Create ssh keys if not exists # Create ssh keys if not exists
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" # Change permissions
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub"
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -65,7 +72,7 @@ just update-sops-secrets && just update-flake-secrets && just update-flake
cd "$HOME/nixos" cd "$HOME/nixos"
git add . && git commit -m "auto: bootstrapping $hostname" && git push git add . && git commit -m "auto: bootstrapping $hostname" && git push
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp_ssh" "$temp_luks" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
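Review bot: `echo "$luks_key" > "$temp_luks/luks_secrets.key"` writes the LUKS secret with a trailing newline and the default umask, and neither the name nor the location matches the `/tmp/luks_secret.key` the disko config now reads; `printf '%s' "$luks_key" > "$temp_luks/tmp/luks_secret.key"` followed by `chmod 600 "$temp_luks/tmp/luks_secret.key"` makes the file contain exactly the passphrase, whichever way disko hands it to cryptsetup, and keeps it owner-readable like the host key above. The nixos-anywhere line passes two paths after `--extra-files`; I believe that option takes a single directory, so the second path would be parsed as something else — verify, and if so stage both trees under one temp directory. Since the key is extracted from `["passwords"]["root"]`, the disk passphrase is the root account password; if that reuse is intended, say so in the comment, and note that a copy of it lands under the target's `/tmp` unless that is cleaned at first boot. The script continues outside the hunk on both sides.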