
5 Commits

Author SHA1 Message Date
Sam 805f9ace72 parametised disk formatting and fixed secrets issue in bootstrapping 2024-05-28 14:06:33 +01:00
Sam 2910b2d267 auto: bootstrapping sparky 2024-05-27 16:19:00 +01:00
Sam 34cf736bea auto: bootstrapping sparky 2024-05-27 16:03:39 +01:00
Sam 967d09c24a auto: bootstrapping sparky 2024-05-27 15:42:50 +01:00
Sam 920aa6e8f6 auto: bootstrapping sparky 2024-05-27 15:04:34 +01:00
18 changed files with 261 additions and 260 deletions


@ -29,11 +29,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716431128, "lastModified": 1716773194,
"narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=", "narHash": "sha256-rskkGmWlvYFb+CXedBiL8eWEuED0Es0XR4CkJ11RQKY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606", "rev": "10986091e47fb1180620b78438512b294b7e8f67",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -126,11 +126,38 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"pre-commit-hooks", "git-hooks",
"nixpkgs" "nixpkgs"
] ]
}, },
@ -155,11 +182,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716736760, "lastModified": 1716847642,
"narHash": "sha256-h3RmnNknKYtVA+EvUSra6QAwfZjC2q1G8YA7W0gat8Y=", "narHash": "sha256-rjEswRV0o23eBBils8lJXyIGha+l/VjV73IPg+ztxgk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "5d151429e1e79107acf6d06dcc5ace4e642ec239", "rev": "10c7c219b7dae5795fb67f465a0d86cbe29f25fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -228,11 +255,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716758960, "lastModified": 1716900655,
"narHash": "sha256-CcI0sEjih/z9ChQg81QY0+fyY//gx9KZ6CoMxAwWJBA=", "narHash": "sha256-YQBKCTcP+CKP0LWSjVlP+qQ4kbk8ZWjir/nTPIl4+Bs=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "d0f16258f5867769ed35445b24286cc831ff730c", "rev": "c000be534d2c23315a746555e82a30b512c42f65",
"revCount": 60, "revCount": 69,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -291,20 +318,20 @@
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-root": "flake-root", "flake-root": "flake-root",
"git-hooks": "git-hooks",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"pre-commit-hooks": "pre-commit-hooks",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1716746631, "lastModified": 1716833970,
"narHash": "sha256-0/G9FQaVm321BoCKREwRqr4l93ZwtvW+4x8gjN67bWs=", "narHash": "sha256-K3tVrTna4EN86GW9IeOQJkbj57zT2xNGJg1hh26xy5c=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "9697385115fe557468b2ddcbd1277602b3e58d5e", "rev": "a2afa5634495ee739e682e5ccb743c5c6dd90ec1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -313,33 +340,6 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",


@ -8,4 +8,5 @@
home.packages = [ home.packages = [
pkgs.ripgrep pkgs.ripgrep
]; ];
home.stateVersion = "23.11";
} }


@ -3,17 +3,28 @@ let
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
hasOptinPersistence = config.environment.persistence ? "/persist";
# Disko setup
fsType = "btrfs";
dev = "/dev/vda";
encrypted = true;
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
in in
{ {
imports = imports =
[ [
# Disk configuration # Disk configuration
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
# Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; }) (import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })
../common/optional/btrfs-impermanence.nix # Impermanence
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
@ -39,11 +50,9 @@ in
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/deploy_key-ssh-ed25519"
]; ];
}; };
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
console = { console = {
font = "Lat2-Terminus16"; font = "Lat2-Terminus16";
@ -64,7 +73,7 @@ in
mutableUsers = true; mutableUsers = true;
extraUsers = { extraUsers = {
root = { root = {
initialPassword = "1234"; hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
}; };
}; };
@ -81,7 +90,7 @@ in
validateSopsFiles = false; validateSopsFiles = false;
age = { age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
}; };
secrets = { secrets = {
"passwords/root".neededForUsers = true; "passwords/root".neededForUsers = true;
@ -104,7 +113,7 @@ in
ports = [22]; ports = [22];
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
hostKeys = [{ hostKeys = [{
path = "/persist/etc/ssh/ssh_host_ed25519_key"; path = "${lib.optionalString hasOptinPersistence "/persist"}/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
}]; }];
settings = { settings = {
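Review bot: The sshd host-key `path` in the last hunk resolves to `/persist/persist/etc/ssh/ssh_host_ed25519_key` whenever `hasOptinPersistence` is true, because the literal still carries `/persist` after the interpolated prefix, while the sops `sshKeyPaths` line above yields `/persist/etc/ssh/ssh_host_ed25519_key`. With the bootstrapped key living at the single-`/persist` path, sshd would most likely generate a fresh key at the doubled path and present a host identity that is not the one whose age key was just registered in `.sops.yaml`. Use the same form as `sshKeyPaths`: `path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";`. `hashedPasswordFile = sopsHashedPasswordFile` likewise degrades to `""` when sops-nix is absent, which the users module accepts with only a warning; an `if … then … else null` would fail loudly instead. The enclosing `users.extraUsers.root`, `sops.age` and `services.openssh` attribute sets all start or end outside these hunks.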


@ -6,7 +6,6 @@ in
imports = [ imports = [
./sops.nix ./sops.nix
./locale.nix ./locale.nix
inputs.impermanence.nixosModules.impermanence
]; ];
nixpkgs = { nixpkgs = {
@ -44,4 +43,5 @@ in
pkgs.vim pkgs.vim
]; ];
system.stateVersion = "23.11";
} }


@ -1,8 +1,11 @@
{lib, ...}: {lib, btrfsMountDevice, ...}:
let
device = btrfsMountDevice;
in
{ {
boot.initrd.postDeviceCommands = lib.mkAfter '' boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/mapper/crypted /btrfs_tmp mount ${device} /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")


@ -0,0 +1,37 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk = {
vdb = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
passwordFile = "/tmp/luks_secret.key"; # Interactive
content = (import ./btrfs-persist.nix);
};
};
};
};
};
};
};
}
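Review bot: The `# Interactive` comment on `passwordFile` says the opposite of what the line does: with `passwordFile` set, disko reads the passphrase from that file at format time, and the bootstrap script in this same change is what puts it there through `--disk-encryption-keys`. Suggest `passwordFile = "/tmp/luks_secret.key"; # read by disko at format time; nixos-anywhere places it via --disk-encryption-keys. No settings.keyFile, so unlock at boot is presumably interactive.` `name = "crypted"` is also load-bearing and undocumented: the host configs hard-code `btrfsMountDevice = "/dev/mapper/crypted"` and the initrd rollback script mounts that device, so a rename here would silently break impermanence — `name = "crypted"; # must match btrfsMountDevice in hosts/*/default.nix`.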


@ -0,0 +1,45 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk.main = {
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "lvm_pv";
vg = "root_vg";
};
};
};
};
};
lvm_vg = {
root_vg = {
type = "lvm_vg";
lvs = {
root = {
size = "100%FREE";
content = (import ./btrfs-persist.nix);
};
};
};
};
};
}


@ -0,0 +1,25 @@
{
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
}
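Review bot: Nothing in this file says it is the shared payload of both `btrfs-luks.nix` and `btrfs-lvm.nix`, so the 8 GiB swapfile declared on the `/swap` subvolume lands in cleartext on any host that picks `encrypted = false` (sparky in this change), together with whatever is paged out — including decrypted sops material. A header comment would put that in front of whoever flips the flag: `# Shared btrfs subvolume layout for btrfs-luks.nix and btrfs-lvm.nix. Under the LVM variant the swapfile (and anything paged to it) is unencrypted at rest.` `extraArgs = ["-f"]` also deserves a note that it tells mkfs.btrfs to overwrite existing filesystem signatures, which is expected under disko but is the destructive step in this tree.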


@ -0,0 +1,11 @@
{ device, fsType, encrypted, ... }:
let
# basic and perists configs. basic fs = ext4, persist fs = btrfs either encrypted or under lvm
basic = import ./gpt-bios-compact.nix { inherit device; };
btrfs-persist-lvm = import ./btrfs-lvm.nix { inherit device; };
btrfs-persist-luks = import ./btrfs-luks.nix { inherit device; };
in
if fsType == "ext4" then basic
else if fsType == "btrfs" && encrypted then btrfs-persist-luks
else if fsType == "btrfs" then btrfs-persist-lvm
else null # or some default value
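Review bot: The fallthrough `else null # or some default value` returns `null` for any unmatched combination (an `fsType` typo, say), and `null` then goes straight into the host's `imports` list, where the module system's complaint will not mention disks at all. Fail with a message at the source instead: `else throw "disks: unsupported fsType '${fsType}' (encrypted = ${if encrypted then "true" else "false"})"`. The comment on the second line (`perists` → `persist`) should also say that `encrypted` is ignored for ext4, since the first branch never looks at it.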


@ -3,7 +3,7 @@
disko.devices = { disko.devices = {
disk = { disk = {
vda = { vda = {
device = "/dev/vda"; inherit device;
type = "disk"; type = "disk";
content = { content = {
type = "gpt"; type = "gpt";


@ -1,66 +0,0 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk = {
vdb = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
# disable settings.keyFile if you want to use interactive password entry
passwordFile = "/tmp/luks_secret.key"; # Interactive
# settings = {
# allowDiscards = true;
# keyFile = "${sopsHashedPasswordFile}";
# };
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
};
};
}


@ -1,69 +0,0 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk.main = {
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "lvm_pv";
vg = "root_vg";
};
};
};
};
};
lvm_vg = {
root_vg = {
type = "lvm_vg";
lvs = {
root = {
size = "100%FREE";
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
}


@ -8,9 +8,12 @@
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/deploy_key-ssh-ed25519"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
]; ];
}; };
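Review bot: Adding `/run/secrets-for-users` to the persisted directories puts the decrypted user secrets — the password hashes installed with `neededForUsers` — onto `/persist`, which is on-disk storage and plaintext at rest on the LVM (`encrypted = false`) variant; sops-nix keeps those paths on ramfs precisely so they never hit disk. As far as I can tell sops-nix also manages that path itself, replacing it with a new generation on every activation, so a bind mount from impermanence is more likely to collide with it than to help, and nothing there needs to survive a reboot because the secrets are re-decrypted from the persisted host key. Suggest dropping that entry; the host key and deploy key under `files` are the only secrets that actually need to persist. For the deploy key, a comment such as `# private key used to clone the nixos repo (see bootstrap script)` would tell a future reader what it grants.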


@ -1,24 +1,55 @@
{ pkgs, inputs, config, lib, ... }: { pkgs, inputs, config, lib, ... }:
let let
username = "admin";
pubKeys = lib.filesystem.listFilesRecursive (../keys); pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path;
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in in
{ {
users.users.admin = { users.users.${username} = {
isNormalUser = true; isNormalUser = true;
password = "nixos"; # Overridden if sops is working
shell = pkgs.zsh; # default shell shell = pkgs.zsh; # default shell
hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = extraGroups =
[ "qemu-libvirtd" "libvirtd" [
"wheel" "video" "audio" "disk" "networkmanager" "wheel"
]; ];
packages = with pkgs; [
flatpak
gnome.gnome-software
];
};
sops.secrets = {
"passwords/${username}" = {
sopsFile = "${secretsFile}";
neededForUsers = true;
};
"ssh_keys/${username}/id_ed25519" = {
path = "/home/${username}/.ssh/id_ed25519";
mode = "0600";
owner = "${username}";
};
"ssh_keys/${username}/id_ed25519.pub" = {
path = "/home/${username}/.ssh/id_ed25519.pub";
mode = "0644";
owner = "${username}";
};
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
programs.fuse.userAllowOther = true;
environment.systemPackages = [ home-manager = {
]; extraSpecialArgs = { inherit inputs; };
users = {
${username} = import ../../../../home/${hostname}.nix;
};
};
} }
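Review bot: `sopsHashedPasswordFile` collapses to `""` when `sops-nix` is not among the inputs, and `hashedPasswordFile = ""` is accepted by the users module, which then only warns that the file does not exist; with `password = "nixos"` removed, the `admin` account would most likely end up locked with no clear error, which for a wheel user means no sudo either. Make the fallback explicit — `hashedPasswordFile = if lib.hasAttr "sops-nix" inputs then config.sops.secrets."passwords/${username}".path else null;` — or drop the guard entirely, since the `sops.secrets` block below already requires the module. The `ssh_keys/${username}/id_ed25519` secret is keyed by username only, so every host importing this module receives the same private key under `/home/admin/.ssh`; if that is intended, a comment saying so would help, otherwise key it by `${hostname}` the way the home-manager import already is.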


@ -46,7 +46,5 @@
enableSSHSupport = true; enableSSHSupport = true;
}; };
system.stateVersion = "23.11";
} }


@ -30,8 +30,5 @@ in
}; };
services.libinput.enable = true; services.libinput.enable = true;
system.stateVersion = "23.11";
} }


@ -1,18 +1,25 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
let let
dev = "/dev/vda"; # Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/vda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
in in
{ {
imports = imports =
[ [
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; })
../common/optional/btrfs-impermanence.nix
# Create users for this host # Create users for this host
../common/users/media ../common/users/media
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; })
# Impermanence
inputs.impermanence.nixosModules.impermanence
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
../common/core ../common/core
@ -31,13 +38,6 @@ in
}; };
}; };
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/flatpak"
];
};
networking = { networking = {
hostName = "sparky"; hostName = "sparky";
networkmanager.enable = true; networkmanager.enable = true;
@ -54,5 +54,4 @@ in
cinnamon.enable = true; cinnamon.enable = true;
}; };
}; };
} }
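Review bot: The impermanence module and the btrfs rollback script are imported unconditionally while the new comment on `fsType` presents ext4 as a valid choice; with `fsType = "ext4"` the selector in `../common/disks` lays out `gpt-bios-compact.nix`, which as far as the visible hunk shows creates no `root_vg`, yet the initrd would still attempt `mount /dev/root_vg/root /btrfs_tmp` against a device that does not exist. Gate those two entries on the flag, e.g. splice `] ++ lib.optionals (fsType == "btrfs") [ inputs.impermanence.nixosModules.impermanence (import ../common/disks/btrfs-impermanence.nix { inherit btrfsMountDevice lib; }) ] ++ [` into the list, or state in the comment that ext4 and impermanence are mutually exclusive. `currrently` in the `encrypted` comment has an extra r, and a note next to `encrypted = false` that this host's sshd key, sops age identity and persisted deploy key therefore sit on unencrypted storage would make the trade-off visible. The `imports` list closes outside the hunk.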


@ -4,17 +4,19 @@ echo -e "
Before using this tool, ensure that the host has been setup correctly. Before using this tool, ensure that the host has been setup correctly.
Boot the latest Nixos-minimal install ISO on the host and access the tty. Boot the latest Nixos-minimal install ISO on the host and access the tty.
Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally Run
Run 'passwd' and set a temporary password (something simple like '1234') 'passwd' and set a temporary password for the root user.
for the root user.
Also, ensure secrets for the new host and users have been set in secrets.yaml
" "
read -p "Confirm host had been setup using the above steps...(yes|no): " confirm read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0
hostname="sparky" read -p "Enter hostname of target: " hostname
ip="192.168.122.193" read -p "Enter IP of target: " ip
config="bootstrap" read -p "Enter config to install on target: " config
read -p "Enter username (if none, use 'root'): " username
# Delete key in known hosts if exists # Delete key in known hosts if exists
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
@ -24,28 +26,29 @@ echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Create temp directory for ssh and luks keys to be copied to host: # Create temp directory for ssh and luks keys to be copied to host:
temp_ssh=$(mktemp -d) temp=$(mktemp -d)
touch /tmp/luks_secret.key touch /tmp/luks_secret.key
# Function to cleanup temporary directory on exit # Function to cleanup temporary directory on exit
cleanup() { cleanup() {
rm -rf "$temp_ssh" /tmp/luks_secret.key rm -rf "$temp" /tmp/luks_secret.key
} }
trap cleanup EXIT trap cleanup EXIT
# Create the directory where sshd expects to find the host keys # Create the directory for target host keys
install -d -m755 "$temp_ssh/persist/etc/ssh" install -d -m755 "$temp/persist/etc/ssh"
# Create ssh keys if not exists # Create ssh keys
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" # Extract luks key from secrets
chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub" luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -60,46 +63,20 @@ sed -i "{
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
}" $SOPS_FILE }" $SOPS_FILE
# Commit and push changes to sops file
just update-sops-secrets && just update-flake-secrets && just update-flake just update-sops-secrets && just update-flake-secrets && just update-flake
# Extract luks key from secrets # Copy current nix config over to target
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml") cp -prv . "$temp/persist/etc/nixos"
echo "$luks_secret" > /tmp/luks_secret.key
# Install Nixos to target # Install Nixos to target
cd "$HOME/nixos" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
git add . && git commit -m "auto: bootstrapping $hostname" && git push
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
echo "Deleting host from known_hosts" echo "Deleting host from known_hosts"
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
# Check host OS has booted (and not booted back into live cd)
while true;
do
read -p "Confirm live CD has been removed... (yes|no): " confirm
[ "$confirm" = "yes" ] && break
done
echo "Waiting for $ip to come back online and port 22 to be open..."
while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
do
echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
sleep 5
done
echo "$ip is now online and port 22 is open!"
# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
echo -e "###\nSuccessfully installed Nixos on the target host!\n###" echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
exit 0 exit 0
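Review bot: The LUKS passphrase goes into `/tmp/luks_secret.key` via `touch` plus a plain redirect, so the file is created with the caller's default umask (usually 0644) in a world-shared directory, and `echo` appends a newline that can become part of the passphrase depending on how disko hands `passwordFile` to cryptsetup. Use `luks_key=$(mktemp)` (created 0600) and `printf '%s' "$luks_secret" > "$luks_key"`, pass `"$luks_key"` to `--disk-encryption-keys` and add it to the cleanup trap — but keep it out of `$temp`, since everything under `$temp` is copied to the target's root by `--extra-files`. The two `sed -i "/$ip/d" ~/.ssh/known_hosts` lines treat the unvalidated IP as an unanchored regex, so `192.168.122.1` also removes the entry for `192.168.122.193` and a value containing `/` breaks the sed program; `ssh-keygen -R "$ip"` does this safely. `cp -prv . "$temp/persist/etc/nixos"` also ships the entire working tree, `.git` and untracked files included, onto the new host, which is presumably intended but deserves a comment.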