Compare commits
No commits in common. "3e5ebafed6435f47ed2e8dae3b87e45ae086d56b" and "0359491756e19f18f30096ead9c18abd5c2049e9" have entirely different histories.
3e5ebafed6
...
0359491756
54
flake.lock
54
flake.lock
|
@ -7,11 +7,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716431128,
|
||||
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
|
||||
"lastModified": 1715756862,
|
||||
"narHash": "sha256-cNGZK/RNvb29giR2KtnbwU5lx2Kw+wWqAaeWqfYlPts=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
|
||||
"rev": "cb1d6fba694ab3887600d606106f5a044ba1712c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -27,11 +27,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716448020,
|
||||
"narHash": "sha256-u1ddoBOILtLVX4NYzqSZ9Qaqusql1M4reLd1fs554hY=",
|
||||
"lastModified": 1715486357,
|
||||
"narHash": "sha256-4pRuzsHZOW5W4CsXI9uhKtiJeQSUoe1d2M9mWU98HC4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "25dedb0d52c20448f6a63cc346df1adbd6ef417e",
|
||||
"rev": "44677a1c96810a8e8c4ffaeaad10c842402647c1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -40,29 +40,14 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"impermanence": {
|
||||
"locked": {
|
||||
"lastModified": 1708968331,
|
||||
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "impermanence",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix-secrets": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1716456952,
|
||||
"narHash": "sha256-fd57j4M++Fte1hrRZkDIqGbYbimqPNmERlFr/Fbh1Ek=",
|
||||
"lastModified": 1715783829,
|
||||
"narHash": "sha256-aNuuTd4nXt9SxYLgJSgBxuvIBmAyh5+2IT2iLepZKds=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "f5abdf254dbee888be5f65c96a4a571f2a91da91",
|
||||
"revCount": 28,
|
||||
"rev": "450e494f36a74c0786d1cb01db46731b01b713dc",
|
||||
"revCount": 5,
|
||||
"type": "git",
|
||||
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
|
||||
},
|
||||
|
@ -85,11 +70,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1716061101,
|
||||
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
|
||||
"lastModified": 1715458492,
|
||||
"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
|
||||
"rev": "8e47858badee5594292921c2668c11004c3b0142",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -101,11 +86,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1716330097,
|
||||
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
|
||||
"lastModified": 1715534503,
|
||||
"narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
|
||||
"rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -119,7 +104,6 @@
|
|||
"inputs": {
|
||||
"disko": "disko",
|
||||
"home-manager": "home-manager",
|
||||
"impermanence": "impermanence",
|
||||
"nix-secrets": "nix-secrets",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
|
@ -134,11 +118,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716400300,
|
||||
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
|
||||
"lastModified": 1715482972,
|
||||
"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
|
||||
"owner": "mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
|
||||
"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
16
flake.nix
16
flake.nix
|
@ -17,10 +17,6 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
impermanence = {
|
||||
url = "github:nix-community/impermanence";
|
||||
};
|
||||
|
||||
# Secrets management
|
||||
sops-nix = {
|
||||
url = "github:mic92/sops-nix";
|
||||
|
@ -38,7 +34,6 @@
|
|||
nixpkgs,
|
||||
home-manager,
|
||||
disko,
|
||||
#impermanence,
|
||||
...
|
||||
} @ inputs:
|
||||
let
|
||||
|
@ -78,18 +73,11 @@
|
|||
bootstrap = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
modules = [
|
||||
disko.nixosModules.disko
|
||||
./hosts/common/disks/gpt-bios-compact.nix
|
||||
./hosts/bootstrap
|
||||
];
|
||||
};
|
||||
sparky = nixpkgs.lib.nixosSystem {
|
||||
inherit specialArgs;
|
||||
modules = [
|
||||
./hosts/sparky
|
||||
home-manager.nixosModules.home-manager{
|
||||
home-manager.extraSpecialArgs = specialArgs;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# # Standalone home-manager configuration entrypoint
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{ config, lib, pkgs, outputs, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [
|
||||
./zsh.nix
|
||||
] ;
|
||||
}
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
{ pkgs, config, ... }: {
|
||||
|
||||
programs.zsh = {
|
||||
enable = true;
|
||||
enableCompletion = true;
|
||||
autosuggestion.enable = true;
|
||||
syntaxHighlighting.enable = true;
|
||||
|
||||
shellAliases = {
|
||||
ll = "ls -l";
|
||||
};
|
||||
history.size = 10000;
|
||||
history.path = "${config.xdg.dataHome}/zsh/history";
|
||||
|
||||
initExtra = ''
|
||||
bindkey -v
|
||||
bindkey "^H" backward-delete-char
|
||||
bindkey "^?" backward-delete-char
|
||||
set -o vi
|
||||
export TERM=xterm
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,10 +1,8 @@
|
|||
{ inputs, config, osConfig, ... }:
|
||||
{ inputs, config, ... }:
|
||||
let
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
homeDirectory = config.home.homeDirectory;
|
||||
username = config.home.username;
|
||||
hostname = osConfig.networking.hostName;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
@ -12,10 +10,18 @@ in
|
|||
];
|
||||
|
||||
sops = {
|
||||
age.sshKeyPaths = ["${homeDirectory}/.ssh/id_ed25519"];
|
||||
age.keyFile = "${homeDirectory}/.config/sops/age/keys.txt";
|
||||
|
||||
defaultSopsFile = "${secretsFile}";
|
||||
validateSopsFiles = false;
|
||||
|
||||
secrets = {
|
||||
"ssh_keys/sam/gitea" = {
|
||||
path = "${homeDirectory}/.ssh/gitea";
|
||||
};
|
||||
"ssh_keys/sam/gitea.pub" = {
|
||||
path = "${homeDirectory}/.ssh/gitea.pub";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -5,13 +5,12 @@
|
|||
...
|
||||
}: {
|
||||
imports = [
|
||||
# Import users
|
||||
./users/admin
|
||||
|
||||
./common/core
|
||||
./common/optional/sops.nix
|
||||
|
||||
# Import optional
|
||||
./common/optional/git.nix
|
||||
|
||||
# Import users
|
||||
./users/admin
|
||||
];
|
||||
|
|
|
@ -5,9 +5,6 @@
|
|||
...
|
||||
}: {
|
||||
imports = [
|
||||
# Import users
|
||||
./users/sam
|
||||
|
||||
./common/core
|
||||
./common/optional/desktop/hyprland
|
||||
./common/optional/desktop/waybar.nix
|
||||
|
@ -15,6 +12,9 @@
|
|||
|
||||
# Import optional
|
||||
./common/optional/git.nix
|
||||
|
||||
# Import users
|
||||
./users/sam
|
||||
];
|
||||
|
||||
# ------
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
# Import users
|
||||
./users/media
|
||||
|
||||
./common/core
|
||||
./common/optional/sops.nix
|
||||
|
||||
# Import optional
|
||||
./common/optional/git.nix
|
||||
|
||||
];
|
||||
}
|
|
@ -11,6 +11,28 @@
|
|||
home.packages = [
|
||||
];
|
||||
|
||||
programs.zsh = {
|
||||
enable = true;
|
||||
enableCompletion = true;
|
||||
autosuggestion.enable = true;
|
||||
syntaxHighlighting.enable = true;
|
||||
|
||||
shellAliases = {
|
||||
ll = "ls -l";
|
||||
};
|
||||
history.size = 10000;
|
||||
history.path = "${config.xdg.dataHome}/zsh/history";
|
||||
|
||||
initExtra = ''
|
||||
bindkey -v
|
||||
bindkey "^H" backward-delete-char
|
||||
bindkey "^?" backward-delete-char
|
||||
set -o vi
|
||||
export TERM=xterm
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
home.file = {
|
||||
};
|
||||
|
||||
|
|
|
@ -1,39 +0,0 @@
|
|||
{ config, pkgs, lib, outputs, inputs, ... }:
|
||||
|
||||
{
|
||||
home.username = "media";
|
||||
home.homeDirectory = "/home/media";
|
||||
home.stateVersion = "23.11";
|
||||
|
||||
imports = [
|
||||
inputs.impermanence.nixosModules.home-manager.impermanence
|
||||
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
|
||||
|
||||
xdg.userDirs = {
|
||||
enable = true;
|
||||
createDirectories = false;
|
||||
desktop = "/home/media/Desktop";
|
||||
documents = null;
|
||||
download = null;
|
||||
music = null;
|
||||
pictures = null;
|
||||
publicShare = null;
|
||||
templates = null;
|
||||
videos = null;
|
||||
};
|
||||
|
||||
home.packages = [
|
||||
];
|
||||
|
||||
home.file = {
|
||||
};
|
||||
|
||||
home.sessionPath = [
|
||||
];
|
||||
|
||||
home.sessionVariables = {
|
||||
};
|
||||
|
||||
programs.home-manager.enable = true;
|
||||
}
|
||||
|
|
@ -17,6 +17,28 @@
|
|||
#pkgs.age
|
||||
];
|
||||
|
||||
programs.zsh = {
|
||||
enable = true;
|
||||
enableCompletion = true;
|
||||
programs.zsh.autosuggestion.enable = true;
|
||||
syntaxHighlighting.enable = true;
|
||||
|
||||
shellAliases = {
|
||||
ll = "ls -l";
|
||||
};
|
||||
history.size = 10000;
|
||||
history.path = "${config.xdg.dataHome}/zsh/history";
|
||||
|
||||
initExtra = ''
|
||||
bindkey -v
|
||||
bindkey "^H" backward-delete-char
|
||||
bindkey "^?" backward-delete-char
|
||||
set -o vi
|
||||
export TERM=xterm
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
home.file = {
|
||||
".icons/bibata".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Classic";
|
||||
};
|
||||
|
@ -49,5 +71,6 @@
|
|||
IMAGE_EDITOR="";
|
||||
};
|
||||
|
||||
programs.home-manager.enable = true;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,62 +1,49 @@
|
|||
{ inputs, config, lib, pkgs, outputs,... }:
|
||||
let
|
||||
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
|
||||
in
|
||||
{ lib, pkgs, configLib, configVars, ... }:
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Disk configuration
|
||||
inputs.disko.nixosModules.disko
|
||||
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||
../common/optional/btrfs-impermanence.nix
|
||||
inputs.impermanence.nixosModules.impermanence
|
||||
|
||||
imports = [
|
||||
# Import core options
|
||||
./hardware-configuration.nix
|
||||
../common/core
|
||||
|
||||
# Import optional options
|
||||
# ../common/optional/openssh
|
||||
|
||||
# Create users for this host
|
||||
../common/users/admin
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
overlays = [
|
||||
outputs.overlays.additions
|
||||
outputs.overlays.modifications
|
||||
outputs.overlays.unstable-packages
|
||||
];
|
||||
config = {
|
||||
allowUnfree = true;
|
||||
#virtualisation.virtualbox.guest.enable = true;
|
||||
virtualisation.libvirtd = {
|
||||
qemu = {
|
||||
package = pkgs.qemu_kvm; # only emulates host arch, smaller download
|
||||
swtpm.enable = true; # allows for creating emulated TPM
|
||||
ovmf.packages = [(pkgs.OVMF.override {
|
||||
secureBoot = true;
|
||||
tpmSupport = true;
|
||||
}).fd]; # or use pkgs.OVMFFull.fd, which enables more stuff
|
||||
};
|
||||
};
|
||||
#fileSystems."/boot".options = ["umask=0077"]; # Removes permissions and security warnings.
|
||||
#boot.loader.efi.canTouchEfiVariables = true;
|
||||
#boot.loader.grub.device = "/dev/vda";
|
||||
boot.loader.grub.enable = true;
|
||||
# boot.loader.systemd-boot = {
|
||||
# enable = true;
|
||||
# # we use Git for version control, so we don't need to keep too many generations.
|
||||
# # FIXME lower this even more after testing complete
|
||||
# configurationLimit = lib.mkDefault 10;
|
||||
# # pick the highest resolution for systemd-boot's console.
|
||||
# consoleMode = lib.mkDefault "max";
|
||||
# };
|
||||
boot.initrd.systemd.enable = true;
|
||||
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "uk";
|
||||
useXkbConfig = false;
|
||||
};
|
||||
|
||||
fileSystems."/persist".neededForBoot = true;
|
||||
environment.persistence."/persist" = {
|
||||
hideMounts = true;
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
];
|
||||
files = [
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
"/etc/ssh/deploy_key-ssh-ed25519"
|
||||
];
|
||||
};
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
timeout = 3;
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
mutableUsers = true;
|
||||
extraUsers = {
|
||||
root = {
|
||||
initialPassword = "1234";
|
||||
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "bootstrap";
|
||||
|
@ -64,39 +51,38 @@ in
|
|||
enableIPv6 = false;
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
services = {
|
||||
qemuGuest.enable = true;
|
||||
openssh = {
|
||||
enable = true;
|
||||
ports = [22];
|
||||
ports = [22]; # FIXME: Make this use configVars.networking
|
||||
settings.PermitRootLogin = "yes";
|
||||
# Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
|
||||
# this mitigates the security issue caused by enabling u2fAuth in pam
|
||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
hostKeys = [{
|
||||
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}];
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "yes";
|
||||
PubKeyAuthentication = "yes";
|
||||
StreamLocalBindUnlink = "yes";
|
||||
UsePAM = true;
|
||||
};
|
||||
};
|
||||
|
||||
programs.ssh.extraConfig = ''
|
||||
Host git.bitlab21.com
|
||||
IdentitiesOnly yes
|
||||
StrictHostKeyChecking no
|
||||
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
|
||||
'';
|
||||
|
||||
security.pam = {
|
||||
sshAgentAuth.enable = true;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
|
||||
#FIXME the above is deprecated in 24.05 but we will wait until release
|
||||
#sshAgentAuth.enable = true;
|
||||
services = {
|
||||
qemuGuest.enable = true;
|
||||
sudo.u2fAuth = true;
|
||||
};
|
||||
};
|
||||
|
||||
# ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
|
||||
# programs.ssh.startAgent = true;
|
||||
|
||||
environment.systemPackages = builtins.attrValues {
|
||||
inherit(pkgs)
|
||||
wget
|
||||
curl
|
||||
git
|
||||
rsync;
|
||||
};
|
||||
|
||||
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
system.stateVersion = "23.11";
|
||||
|
|
|
@ -10,9 +10,17 @@
|
|||
|
||||
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[
|
||||
];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
{ pkgs, lib, inputs, config, ...}:
|
||||
{
|
||||
{pkgs, ...}: {
|
||||
imports = [
|
||||
./sops.nix
|
||||
./locale.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
|
@ -10,7 +8,6 @@
|
|||
pkgs.curl
|
||||
pkgs.just
|
||||
pkgs.git
|
||||
pkgs.neovim
|
||||
];
|
||||
|
||||
}
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
{
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "uk";
|
||||
useXkbConfig = false;
|
||||
};
|
||||
}
|
|
@ -1,8 +1,8 @@
|
|||
{ pkgs, inputs, config, username, ... }:
|
||||
|
||||
{ pkgs, inputs, config, configVars, ... }:
|
||||
let
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
homeDirectory = "/home/${configVars.username}";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
@ -15,12 +15,8 @@ in
|
|||
|
||||
age = {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
};
|
||||
secrets = {
|
||||
"passwords/root".neededForUsers = true;
|
||||
"ssh_keys/deploy_key/id_ed25519" = {
|
||||
path = "/etc/ssh/deploy_key-ssh-ed25519";
|
||||
};
|
||||
keyFile = "/var/lib/sops-nix/key.txt";
|
||||
generateKey = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,63 +0,0 @@
|
|||
{
|
||||
disko.devices = {
|
||||
disk = {
|
||||
vdb = {
|
||||
type = "disk";
|
||||
device = "/dev/vdb";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
ESP = {
|
||||
size = "512M";
|
||||
type = "EF00";
|
||||
content = {
|
||||
type = "filesystem";
|
||||
format = "vfat";
|
||||
mountpoint = "/boot";
|
||||
mountOptions = [
|
||||
"defaults"
|
||||
];
|
||||
};
|
||||
};
|
||||
luks = {
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "luks";
|
||||
name = "crypted";
|
||||
# disable settings.keyFile if you want to use interactive password entry
|
||||
#passwordFile = "/tmp/secret.key"; # Interactive
|
||||
settings = {
|
||||
allowDiscards = true;
|
||||
keyFile = "/tmp/secret.key";
|
||||
};
|
||||
additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = [ "-f" ];
|
||||
subvolumes = {
|
||||
"/root" = {
|
||||
mountpoint = "/";
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
};
|
||||
"/home" = {
|
||||
mountpoint = "/home";
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
};
|
||||
"/nix" = {
|
||||
mountpoint = "/nix";
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
};
|
||||
"/swap" = {
|
||||
mountpoint = "/.swapvol";
|
||||
swap.swapfile.size = "20M";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,9 +1,11 @@
|
|||
{device ? throw "Must define a device, e.g. /dev/sda"}:
|
||||
{
|
||||
disko.devices = {
|
||||
disk.main = {
|
||||
inherit device;
|
||||
disk = {
|
||||
#FIXME change to proper device or make dynamic like figdetingbits
|
||||
sda = {
|
||||
type = "disk";
|
||||
# FIXME change to proper device or make dynamic like figdetingbits
|
||||
device = "/dev/sda";
|
||||
content = {
|
||||
type = "gpt";
|
||||
partitions = {
|
||||
|
@ -20,37 +22,24 @@
|
|||
};
|
||||
};
|
||||
root = {
|
||||
name = "root";
|
||||
size = "100%";
|
||||
content = {
|
||||
type = "lvm_pv";
|
||||
vg = "root_vg";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
lvm_vg = {
|
||||
root_vg = {
|
||||
type = "lvm_vg";
|
||||
lvs = {
|
||||
root = {
|
||||
size = "100%FREE";
|
||||
content = {
|
||||
type = "btrfs";
|
||||
extraArgs = ["-f"];
|
||||
extraArgs = [ "-f" ]; # Override existing partition
|
||||
# Subvolumes must set a mountpoint in order to be mounted,
|
||||
# unless their parent is mounted
|
||||
subvolumes = {
|
||||
"/root" = {
|
||||
mountpoint = "/";
|
||||
};
|
||||
|
||||
"/persist" = {
|
||||
mountOptions = [ "subvol=persist" ];
|
||||
mountOptions = [ "compress=zstd" ];
|
||||
mountpoint = "/persist";
|
||||
};
|
||||
|
||||
"/nix" = {
|
||||
mountOptions = [ "subvol=nix" "noatime" ];
|
||||
mountOptions = [ "compress=zstd" "noatime" ];
|
||||
mountpoint = "/nix";
|
||||
};
|
||||
|
||||
|
@ -66,4 +55,5 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
{lib, ...}:
|
||||
{
|
||||
boot.initrd.postDeviceCommands = lib.mkAfter ''
|
||||
mkdir /btrfs_tmp
|
||||
mount /dev/root_vg/root /btrfs_tmp
|
||||
if [[ -e /btrfs_tmp/root ]]; then
|
||||
mkdir -p /btrfs_tmp/old_roots
|
||||
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
|
||||
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
|
||||
fi
|
||||
|
||||
delete_subvolume_recursively() {
|
||||
IFS=$'\n'
|
||||
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
|
||||
delete_subvolume_recursively "/btrfs_tmp/$i"
|
||||
done
|
||||
btrfs subvolume delete "$1"
|
||||
}
|
||||
|
||||
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
|
||||
delete_subvolume_recursively "$i"
|
||||
done
|
||||
|
||||
btrfs subvolume create /btrfs_tmp/root
|
||||
umount /btrfs_tmp
|
||||
'';
|
||||
|
||||
}
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
sshPort = 22;
|
||||
in
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
ports = [ sshPort ];
|
||||
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
hostKeys = [{
|
||||
path = "/persist/etc/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}];
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
PubKeyAuthentication = "yes";
|
||||
StreamLocalBindUnlink = "yes";
|
||||
UsePAM = true;
|
||||
};
|
||||
};
|
||||
security.pam = {
|
||||
sshAgentAuth.enable = true;
|
||||
};
|
||||
programs.ssh.extraConfig = ''
|
||||
Host git.bitlab21.com
|
||||
IdentitiesOnly yes
|
||||
StrictHostKeyChecking no
|
||||
IdentityFile /etc/ssh/deploy_key-ssh-ed25519
|
||||
'';
|
||||
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||
}
|
|
@ -0,0 +1,22 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
sshPort = 22;
|
||||
in
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
ports = [ sshPort ];
|
||||
|
||||
settings = {
|
||||
# Harden
|
||||
PasswordAuthentication = true;
|
||||
PermitRootLogin = "no";
|
||||
# Automatically remove stale sockets
|
||||
StreamLocalBindUnlink = "yes";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ sshPort ];
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILywv6g5k5cOVplxgbbStrGf3qYVukgCcd80TJSBM8e8 sam@nixos
|
|
@ -1 +0,0 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFc+y7KKEbutJe9u9UPP3rWqchjS7/yrpyoQRd178c7u sam
|
|
@ -1,49 +0,0 @@
|
|||
{ pkgs, inputs, config, lib, ... }:
|
||||
let
|
||||
pubKeys = lib.filesystem.listFilesRecursive (../keys);
|
||||
hostname = config.networking.hostName;
|
||||
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/media".path;
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
in
|
||||
{
|
||||
users.users.media = {
|
||||
isNormalUser = true;
|
||||
shell = pkgs.zsh; # default shell
|
||||
#hashedPasswordFile = sopsHashedPasswordFile;
|
||||
password = "nixos";
|
||||
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
|
||||
|
||||
extraGroups =
|
||||
[ "qemu-libvirtd" "libvirtd"
|
||||
"wheel" "video" "audio" "disk" "networkmanager"
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
sops.secrets."passwords/media" = {
|
||||
sopsFile = "${secretsFile}";
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
||||
sops.secrets."ssh_keys/media/id_ed25519" = {
|
||||
path = "/home/media/.ssh/id_ed25519";
|
||||
};
|
||||
|
||||
sops.secrets."ssh_keys/media/id_ed25519.pub" = {
|
||||
path = "/home/media/.ssh/id_ed25519.pub";
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
programs.fuse.userAllowOther = true;
|
||||
|
||||
home-manager = {
|
||||
extraSpecialArgs = { inherit inputs; };
|
||||
users = {
|
||||
media = import ../../../../home/${hostname}.nix;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
];
|
||||
}
|
|
@ -1,18 +1,14 @@
|
|||
{ pkgs, inputs, config, lib, ... }:
|
||||
let
|
||||
hostname = config.networking.hostName;
|
||||
pubKeys = lib.filesystem.listFilesRecursive (../keys);
|
||||
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/sam".path;
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
hostname = config.networking.hostName;
|
||||
in
|
||||
{
|
||||
users.users.sam = {
|
||||
mutableUsers = true;
|
||||
isNormalUser = true;
|
||||
#password = "nixos"; # Overridden if sops is working
|
||||
shell = pkgs.zsh; # default shell
|
||||
initialPassword = "nixos";
|
||||
hashedPasswordFile = sopsHashedPasswordFile;
|
||||
|
||||
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
|
||||
|
||||
extraGroups = [
|
||||
|
@ -24,13 +20,9 @@ in
|
|||
|
||||
};
|
||||
|
||||
sops.secrets."passwords/sam" = {
|
||||
sopsFile = "${secretsFile}";
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
||||
programs.zsh.enable = true;
|
||||
|
||||
#home-manager.users.sam =
|
||||
home-manager = {
|
||||
extraSpecialArgs = { inherit inputs; };
|
||||
users = {
|
||||
|
|
|
@ -41,6 +41,13 @@
|
|||
|
||||
time.timeZone = "Europe/London";
|
||||
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "uk";
|
||||
useXkbConfig = false;
|
||||
};
|
||||
|
||||
programs.gnupg.agent = {
|
||||
enable = true;
|
||||
enableSSHSupport = true;
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
{ inputs, config, lib, pkgs, outputs,... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Import core options
|
||||
./hardware-configuration.nix
|
||||
../common/core
|
||||
|
||||
# Import optional options
|
||||
../common/optional/pipewire.nix
|
||||
../common/optional/hyprland.nix
|
||||
../common/optional/displayManager/sddm.nix
|
||||
../common/optional/openssh
|
||||
|
||||
# Create users for this host
|
||||
../common/users/sam
|
||||
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
overlays = [
|
||||
outputs.overlays.additions
|
||||
outputs.overlays.modifications
|
||||
outputs.overlays.unstable-packages
|
||||
];
|
||||
config = {
|
||||
allowUnfree = true;
|
||||
};
|
||||
};
|
||||
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
|
@ -11,7 +11,7 @@
|
|||
../common/optional/pipewire.nix
|
||||
../common/optional/hyprland.nix
|
||||
../common/optional/displayManager/sddm.nix
|
||||
../common/optional/openssh.nix
|
||||
../common/optional/openssh
|
||||
|
||||
# Create users for this host
|
||||
../common/users/sam
|
||||
|
@ -42,6 +42,13 @@
|
|||
|
||||
time.timeZone = "Europe/London";
|
||||
|
||||
i18n.defaultLocale = "en_GB.UTF-8";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "uk";
|
||||
useXkbConfig = false;
|
||||
};
|
||||
|
||||
services.printing.enable = true;
|
||||
|
||||
services.libinput.enable = true;
|
||||
|
|
|
@ -1,107 +0,0 @@
|
|||
{ inputs, config, lib, pkgs, outputs,... }:
|
||||
let
|
||||
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
|
||||
secretsDirectory = builtins.toString inputs.nix-secrets;
|
||||
secretsFile = "${secretsDirectory}/secrets.yaml";
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Disk configuration
|
||||
inputs.disko.nixosModules.disko
|
||||
(import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })
|
||||
../common/optional/btrfs-impermanence.nix
|
||||
inputs.impermanence.nixosModules.impermanence
|
||||
|
||||
# Create users for this host
|
||||
../common/users/media
|
||||
|
||||
# Import core options
|
||||
./hardware-configuration.nix
|
||||
../common/core
|
||||
|
||||
# Import optional options
|
||||
../common/optional/openssh.nix
|
||||
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
overlays = [
|
||||
outputs.overlays.additions
|
||||
outputs.overlays.modifications
|
||||
outputs.overlays.unstable-packages
|
||||
];
|
||||
config = {
|
||||
allowUnfree = true;
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/persist".neededForBoot = true;
|
||||
environment.persistence."/persist" = {
|
||||
hideMounts = true;
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
"/var/log"
|
||||
"/var/lib/nixos"
|
||||
"/var/lib/systemd/coredump"
|
||||
"/etc/NetworkManager/system-connections"
|
||||
];
|
||||
files = [
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
];
|
||||
users.media= {
|
||||
directories = [
|
||||
"sync"
|
||||
"keep"
|
||||
".ssh"
|
||||
".config/dconf"
|
||||
".config/cinnamon"
|
||||
".config/nemo"
|
||||
];
|
||||
files = [
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
mutableUsers = true;
|
||||
extraUsers = {
|
||||
root = {
|
||||
hashedPasswordFile = sopsHashedPasswordFile;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
boot = {
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
timeout = 3;
|
||||
};
|
||||
};
|
||||
|
||||
networking = {
|
||||
hostName = "sparky";
|
||||
networkmanager.enable = true;
|
||||
enableIPv6 = false;
|
||||
};
|
||||
|
||||
services = {
|
||||
qemuGuest.enable = true;
|
||||
};
|
||||
#services.libinput.enable = true;
|
||||
#services.displayManager.defaultSession = "cinnamon";
|
||||
|
||||
# services.xserver = {
|
||||
# enable = true;
|
||||
# displayManager.lightdm.enable = true;
|
||||
# desktopManager = {
|
||||
# cinnamon.enable = true;
|
||||
# };
|
||||
# };
|
||||
#
|
||||
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
system.stateVersion = "23.11";
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
|
||||
boot.initrd.kernelModules = [ "dm-snapshot" ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
11
justfile
11
justfile
|
@ -4,15 +4,15 @@ SOPS_FILE := "../nix-secrets/secrets.yaml"
|
|||
default:
|
||||
@just --list
|
||||
|
||||
# fetches from remote and updates flake.lock with latest revisions of nix-secrets for next time a rebuild occurs
|
||||
update-flake-secrets:
|
||||
# ensure the latest revisions of nix-secrets are used next time a rebuild occurs
|
||||
update-nix-secrets:
|
||||
(cd ../nix-secrets && git fetch && git rebase) || true
|
||||
nix flake lock --update-input nix-secrets
|
||||
|
||||
# full system rebuild from flake (stages changes and automatically detects host)
|
||||
rebuild-system:
|
||||
git add *.nix
|
||||
sudo nixos-rebuild switch --flake .#$(hostname)
|
||||
sudo nixos-rebuild switch --flake $HOME/nixos#$(hostname)
|
||||
|
||||
# updates all flake inputs for system
|
||||
update-flake:
|
||||
|
@ -23,10 +23,9 @@ edit-sops:
|
|||
echo "Editing {{SOPS_FILE}}"
|
||||
nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops {{SOPS_FILE}}"
|
||||
|
||||
# update keys in secrets.yaml and push to remote
|
||||
update-sops-secrets:
|
||||
# update
|
||||
update-secrets:
|
||||
cd $HOME/nix-secrets && (\
|
||||
nix-shell -p sops --run "sops updatekeys -y secrets.yaml" && \
|
||||
git add -u && (git commit -m "updated secrets" || true) && git push \
|
||||
)
|
||||
|
||||
|
|
|
@ -12,100 +12,87 @@ for the root user.
|
|||
read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
|
||||
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0
|
||||
|
||||
# Target host details
|
||||
#cd ~
|
||||
#read -p "Enter hostname: " hostname
|
||||
#read -p "Enter username: " username
|
||||
#read -p "Enter ip address: " ip
|
||||
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
|
||||
hostname="bootstrap"
|
||||
ip="192.168.122.192"
|
||||
config="bootstrap"
|
||||
cd ~
|
||||
read -p "Enter hostname: " hostname
|
||||
read -p "Enter username: " username
|
||||
read -p "Enter ip address: " ip
|
||||
|
||||
# Generate key name and dir
|
||||
HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
|
||||
mkdir -p "$HOST_KEY_DIR"
|
||||
KEY_DIR="$HOME/keys/$hostname/"
|
||||
mkdir -p $KEY_DIR
|
||||
ssh-copy-id -i "$(readlink -n "$HOME/.ssh/gitea.pub" )" "root@$ip"
|
||||
|
||||
# Create ssh keys if not exists
|
||||
echo "Creating '$hostname' ssh keys"
|
||||
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
|
||||
echo "Creating ssh keys for new host. Will create in current directory: "$KEY_DIR
|
||||
KEY_NAME="ssh_ed25519_key_$hostname"
|
||||
|
||||
# Delete key in known hosts if exists
|
||||
sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||
KNOWN_HOSTS=$(grep "$ip" ~/.ssh/known_hosts)
|
||||
confirm_delete=""
|
||||
|
||||
# Authorise source public key
|
||||
echo "Copying pubkey to target host"
|
||||
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
||||
[ "$KNOWN_HOSTS" != "" ] && echo -e "Host found in: ~/.ssh/known_hosts\n\n$KNOWN_HOSTS\n" && read -p "Delete existing hosts from ~/.ssh/known_hosts? (yes|no) " confirm_delete
|
||||
[ "$confirm_delete" = "yes" ] && sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||
|
||||
# Generate age key from target host and user public ssh key
|
||||
echo "Generating age key from target host and user ssh key"
|
||||
nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
|
||||
HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
|
||||
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
||||
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
|
||||
overwrite=""
|
||||
[ -f "$KEY_DIR/$KEY_NAME" ] && read -p "Key exists, would you like to overwrite it? (yes|no) " overwrite
|
||||
|
||||
# Create temp directory for ssh keys to be copied to host:
|
||||
temp=$(mktemp -d)
|
||||
[ "$overwrite" == "yes" ] && ssh-keygen -t ed25519 -f "$KEY_DIR/$KEY_NAME" -C "$hostname@$ip" -N ""
|
||||
|
||||
# Function to cleanup temporary directory on exit
|
||||
cleanup() {
|
||||
rm -rf "$temp"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
echo "Copying ssh key to target host:"
|
||||
# Rsync currently not available in Nixos. Use scp instead.
|
||||
#rsync -av "ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/"
|
||||
scp -i "$KEY_DIR/ssh_ed25519_key_$hostname"* "root@$ip:/etc/ssh/"
|
||||
[ $? != 0 ] && echo "Error copying keys to target host" && exit 1
|
||||
|
||||
# Create the directory where sshd expects to find the host keys
|
||||
install -d -m755 "$temp/persist/etc/ssh"
|
||||
echo "Generating age key from ssh key"
|
||||
nix-shell -p ssh-to-age --run "cat $KEY_DIR/$KEY_NAME.pub | ssh-to-age > $KEY_DIR/age_key_$hostname"
|
||||
[ $? != 0 ] && echo "Error generating age key" && exit 1
|
||||
|
||||
cat "$HOST_KEY_DIR/ssh_host_ed25519_key" > "$temp/persist/etc/ssh/ssh_host_ed25519_key"
|
||||
cat "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" > "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
AGE_KEY=$(cat "$KEY_DIR/age_key_$hostname")
|
||||
|
||||
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
|
||||
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
echo -e "Age key:\n$AGE_KEY\n"
|
||||
echo "This needs to be inserted into .sops.yaml file."
|
||||
|
||||
# Install Nixos to target
|
||||
# Install Nixos bootstrap
|
||||
cd "$HOME/nixos"
|
||||
git add . && git commit -m "auto: bootstrapping $hostname" && git push
|
||||
[ $? != 0 ] && echo "Error commiting current changes" && exit 1
|
||||
|
||||
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
|
||||
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --flake .#bootstrap root@"$ip" -i "$KEY_DIR/ssh_ed25519_key_$hostname"
|
||||
[ $? != 0 ] && echo "Error installing Nixos" && exit 1
|
||||
|
||||
## Delete keys from local known_hosts
|
||||
echo "Deleting host from known_hosts"
|
||||
sed -i "/$ip/d" ~/.ssh/known_hosts
|
||||
|
||||
# Check host OS has booted (and not booted back into live cd)
|
||||
while true;
|
||||
do
|
||||
read -p "Confirm live CD has been removed... (yes|no): " confirm
|
||||
read -p "Confirm live CD has been removed... (yes|no)" confirm
|
||||
[ "$confirm" = "yes" ] && break
|
||||
done
|
||||
|
||||
echo "Waiting for $ip to come back online and port 22 to be open..."
|
||||
|
||||
while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
|
||||
do
|
||||
echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
|
||||
sleep 5
|
||||
done
|
||||
|
||||
echo "$ip is now online and port 22 is open!"
|
||||
|
||||
# Authorise source public key
|
||||
echo "Copying pubkey to target host"
|
||||
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
||||
echo "Configuring ssh keys on target host to enable connection to gitea:"
|
||||
ssh-copy-id -i "$HOME/.ssh/gitea.pub" "$username@$ip"
|
||||
read -r -d '' config << EOM
|
||||
Host git.bitlab21.com
|
||||
IdentitiesOnly yes
|
||||
StrictHostKeyChecking no
|
||||
IdentityFile ~/.ssh/gitea
|
||||
EOM
|
||||
|
||||
# Copy deploy_key to target for personal repo authorisation
|
||||
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
|
||||
# Append the string to file on target machine
|
||||
echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config'
|
||||
|
||||
echo -e "
|
||||
Complete!
|
||||
|
||||
Now add the new target host age key to .sops.yaml. This is needed to enable the
|
||||
new host to decrypt the secrets.yaml file from the ssh key we generated
|
||||
previously.
|
||||
|
||||
Enter the details as following:
|
||||
Now add the age key to .sops.yaml, like this:
|
||||
keys:
|
||||
- &hosts:
|
||||
- &$hostname $HOST_AGE_KEY
|
||||
- &$hostname $AGE_KEY
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets.yaml$
|
||||
|
@ -113,16 +100,13 @@ creation_rules:
|
|||
- age:
|
||||
- *$hostname
|
||||
|
||||
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
|
||||
|
||||
'sops --config .sops.yaml updatekeys secrets.yaml'
|
||||
|
||||
or with just:
|
||||
|
||||
'just update-sops-secrets'
|
||||
|
||||
Then commit and push these changes to remote so they can be accessed on the new
|
||||
host.
|
||||
Then to update the keys for the secrets.yaml file, run:
|
||||
'sops --config .sops.yaml updatekeys secrets.yaml'
|
||||
or with nix-shell:
|
||||
'nix-shell -p sops --run 'sops --config .sops.yaml updatekeys secrets.yaml''
|
||||
then run 'nix flake lock --update-input nix-secrets $HOME/nixos'
|
||||
Finally, commit and push these changes to remote so they can be accessed on
|
||||
the new host.
|
||||
"
|
||||
|
||||
while true;
|
||||
|
@ -131,8 +115,12 @@ do
|
|||
[ "$confirm" = "yes" ] && break
|
||||
done
|
||||
|
||||
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
|
||||
echo "Copying gitea private ssh key to host"
|
||||
echo "New password is 'nixos'"
|
||||
|
||||
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
||||
rsync -av "$(readlink -n "$HOME/.ssh/gitea" )" "$username@$ip":~/.ssh/gitea
|
||||
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git'"
|
||||
ssh "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git'"
|
||||
|
||||
exit 0
|
||||
echo "Successfully installed Nixos on the target host!"
|
||||
echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'"
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
echo "Generating an age key based on the new ssh_host_ed25519_key."
|
||||
|
||||
target_key=$(ssh-keyscan -p $ssh_port -t ssh-ed25519 "$target_destination" 2>&1 | grep ssh-ed25519 | cut -f2- -d" ")
|
||||
age_key=$(nix shell nixpkgs#ssh-to-age.out -c sh -c "echo $target_key | ssh-to-age")
|
||||
|
||||
if grep -qv '^age1' <<<"$age_key"; then
|
||||
echo "The result from generated age key does not match the expected format."
|
||||
echo "Result: $age_key"
|
||||
echo "Expected format: age10000000000000000000000000000000000000000000000000000000000"
|
||||
exit 1
|
||||
else
|
||||
echo "$age_key"
|
||||
fi
|
||||
|
||||
echo "Updating nix-secrets/.sops.yaml"
|
||||
cd ../nix-secrets
|
||||
|
||||
SOPS_FILE=".sops.yaml"
|
||||
sed -i "{
|
||||
# Remove any * and & entries for this host
|
||||
/[*&]$target_hostname/ d;
|
||||
# Inject a new age: entry
|
||||
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
|
||||
/age:/{n; p; s/\(.*- \*\).*/\1$target_hostname/};
|
||||
# Inject a new hosts: entry
|
||||
/&hosts:/{n; p; s/\(.*- &\).*/\1$target_hostname $age_key/}
|
||||
}" $SOPS_FILE
|
||||
|
||||
echo "Updating nix-secrets/.sops.yaml"
|
||||
cd -
|
||||
just rekey
|
||||
|
||||
echo "Updating flake lock on source machine with new .sops.yaml info"
|
||||
nix flake lock --update-input nix-secrets
|
|
@ -1,60 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
# usage: ./generate_ssh_keys.sh --type "host" --username "root" --hostname "hostname"
|
||||
#
|
||||
|
||||
while [[ $# -gt 0 ]]
|
||||
do
|
||||
key="$1"
|
||||
|
||||
case $key in
|
||||
--type)
|
||||
type="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--username)
|
||||
username="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--hostname)
|
||||
hostname="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
*) # unknown option
|
||||
echo "Unknown option $1"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ -z "$type" || -z "$username" || -z "$hostname" ]]; then
|
||||
echo "All arguments are not specified."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ $type != "user" && $type != "host" ]]; then
|
||||
echo "Invalid type. It should be either 'user' or 'host'"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
|
||||
USER_KEY_DIR="$HOME/keys/users/$username"
|
||||
mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR"
|
||||
|
||||
if [[ $type == "user" ]]; then
|
||||
keyfile="id_ed25519"
|
||||
name="$username"
|
||||
else
|
||||
keyfile="ssh_host_ed25519_key"
|
||||
name="root@$hostname"
|
||||
fi
|
||||
|
||||
keydir=$([[ $type == "user" ]] && echo "$USER_KEY_DIR" || echo "$HOST_KEY_DIR")
|
||||
fullpath="$keydir/$keyfile"
|
||||
overwrite=""
|
||||
[ -f "$fullpath" ] && read -p "Target key '$fullpath' already exists, would you like to overwrite it? (yes|no) " overwrite
|
||||
[ "$overwrite" = "yes" ] || [ -z "$overwrite" ] && ssh-keygen -t ed25519 -f "$fullpath" -C "$name" -N ""
|
||||
|
Loading…
Reference in New Issue