sam
/
nixos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sam:805f9ace72b9b8c5b80fd91a0b189e092b1810ce
Branches Tags
sam:master
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:development
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules
..
compare: sam:748a03aa7bad65e60a5ba3d42ac21d7171d8c38b
Branches Tags
sam:master
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:development
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules

No commits in common. "805f9ace72b9b8c5b80fd91a0b189e092b1810ce" and "748a03aa7bad65e60a5ba3d42ac21d7171d8c38b" have entirely different histories.
805f9ace72 ... 748a03aa7b

18 changed files with 259 additions and 260 deletions
Show Stats Expand all files Collapse all files

84
flake.lock
View File

@ -29,11 +29,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716773194, "lastModified": 1716431128,
"narHash": "sha256-rskkGmWlvYFb+CXedBiL8eWEuED0Es0XR4CkJ11RQKY=", "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "10986091e47fb1180620b78438512b294b7e8f67", "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -126,38 +126,11 @@
"type": "github" "type": "github"
} }
}, },
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixvim", "nixvim",
"git-hooks", "pre-commit-hooks",
"nixpkgs" "nixpkgs"
] ]
}, },
@ -182,11 +155,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1716847642, "lastModified": 1716736760,
"narHash": "sha256-rjEswRV0o23eBBils8lJXyIGha+l/VjV73IPg+ztxgk=", "narHash": "sha256-h3RmnNknKYtVA+EvUSra6QAwfZjC2q1G8YA7W0gat8Y=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "10c7c219b7dae5795fb67f465a0d86cbe29f25fa", "rev": "5d151429e1e79107acf6d06dcc5ace4e642ec239",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -255,11 +228,11 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1716900655, "lastModified": 1716758960,
"narHash": "sha256-YQBKCTcP+CKP0LWSjVlP+qQ4kbk8ZWjir/nTPIl4+Bs=", "narHash": "sha256-CcI0sEjih/z9ChQg81QY0+fyY//gx9KZ6CoMxAwWJBA=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "c000be534d2c23315a746555e82a30b512c42f65", "rev": "d0f16258f5867769ed35445b24286cc831ff730c",
"revCount": 69, "revCount": 60,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },
@ -318,20 +291,20 @@
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-root": "flake-root", "flake-root": "flake-root",
"git-hooks": "git-hooks",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"pre-commit-hooks": "pre-commit-hooks",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1716833970, "lastModified": 1716746631,
"narHash": "sha256-K3tVrTna4EN86GW9IeOQJkbj57zT2xNGJg1hh26xy5c=", "narHash": "sha256-0/G9FQaVm321BoCKREwRqr4l93ZwtvW+4x8gjN67bWs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "a2afa5634495ee739e682e5ccb743c5c6dd90ec1", "rev": "9697385115fe557468b2ddcbd1277602b3e58d5e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -340,6 +313,33 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",

1
home/common/core/default.nix
View File

@ -8,5 +8,4 @@
home.packages = [ home.packages = [
pkgs.ripgrep pkgs.ripgrep
]; ];
home.stateVersion = "23.11";
} }

25
hosts/bootstrap/default.nix
View File

@ -3,28 +3,17 @@ let
pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys); pubKeys = lib.filesystem.listFilesRecursive (../common/users/keys);
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/root".path;
hasOptinPersistence = config.environment.persistence ? "/persist";
# Disko setup
fsType = "btrfs";
dev = "/dev/vda";
encrypted = true;
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
in in
{ {
imports = imports =
[ [
# Disk configuration # Disk configuration
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
# Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; }) (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; })
#(import ../common/disks/std-disk-config.nix { device = "/dev/vda" ; })
# Impermanence ../common/optional/btrfs-impermanence.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
@ -50,9 +39,11 @@ in
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/deploy_key-ssh-ed25519"
]; ];
}; };
i18n.defaultLocale = "en_GB.UTF-8"; i18n.defaultLocale = "en_GB.UTF-8";
console = { console = {
font = "Lat2-Terminus16"; font = "Lat2-Terminus16";
@ -73,7 +64,7 @@ in
mutableUsers = true; mutableUsers = true;
extraUsers = { extraUsers = {
root = { root = {
hashedPasswordFile = sopsHashedPasswordFile; initialPassword = "1234";
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
}; };
}; };
@ -90,7 +81,7 @@ in
validateSopsFiles = false; validateSopsFiles = false;
age = { age = {
sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };
secrets = { secrets = {
"passwords/root".neededForUsers = true; "passwords/root".neededForUsers = true;
@ -113,7 +104,7 @@ in
ports = [22]; ports = [22];
authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
hostKeys = [{ hostKeys = [{
path = "${lib.optionalString hasOptinPersistence "/persist"}/persist/etc/ssh/ssh_host_ed25519_key"; path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
}]; }];
settings = { settings = {

2
hosts/common/core/default.nix
View File

@ -6,6 +6,7 @@ in
imports = [ imports = [
./sops.nix ./sops.nix
./locale.nix ./locale.nix
inputs.impermanence.nixosModules.impermanence
]; ];
nixpkgs = { nixpkgs = {
@ -43,5 +44,4 @@ in
pkgs.vim pkgs.vim
]; ];
system.stateVersion = "23.11";
} }

37
hosts/common/disks/btrfs-luks.nix
View File

@ -1,37 +0,0 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk = {
vdb = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
passwordFile = "/tmp/luks_secret.key"; # Interactive
content = (import ./btrfs-persist.nix);
};
};
};
};
};
};
};
}

45
hosts/common/disks/btrfs-lvm.nix
View File

@ -1,45 +0,0 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk.main = {
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "lvm_pv";
vg = "root_vg";
};
};
};
};
};
lvm_vg = {
root_vg = {
type = "lvm_vg";
lvs = {
root = {
size = "100%FREE";
content = (import ./btrfs-persist.nix);
};
};
};
};
};
}

25
hosts/common/disks/btrfs-persist.nix
View File

@ -1,25 +0,0 @@
{
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
}

11
hosts/common/disks/default.nix
View File

@ -1,11 +0,0 @@
{ device, fsType, encrypted, ... }:
let
# basic and perists configs. basic fs = ext4, persist fs = btrfs either encrypted or under lvm
basic = import ./gpt-bios-compact.nix { inherit device; };
btrfs-persist-lvm = import ./btrfs-lvm.nix { inherit device; };
btrfs-persist-luks = import ./btrfs-luks.nix { inherit device; };
in
if fsType == "ext4" then basic
else if fsType == "btrfs" && encrypted then btrfs-persist-luks
else if fsType == "btrfs" then btrfs-persist-lvm
else null # or some default value

2
hosts/common/disks/gpt-bios-compact.nix
View File

@ -3,7 +3,7 @@
disko.devices = { disko.devices = {
disk = { disk = {
vda = { vda = {
inherit device; device = "/dev/vda";
type = "disk"; type = "disk";
content = { content = {
type = "gpt"; type = "gpt";

66
hosts/common/disks/luks-btrfs-subvolumes.nix Normal file
View File

@ -0,0 +1,66 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk = {
vdb = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "crypted";
# disable settings.keyFile if you want to use interactive password entry
passwordFile = "/tmp/luks_secret.key"; # Interactive
# settings = {
# allowDiscards = true;
# keyFile = "${sopsHashedPasswordFile}";
# };
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
};
};
}

69
hosts/common/disks/std-disk-config.nix Normal file
View File

@ -0,0 +1,69 @@
{device ? throw "Must define a device, e.g. /dev/sda"}:
{
disko.devices = {
disk.main = {
inherit device;
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "lvm_pv";
vg = "root_vg";
};
};
};
};
};
lvm_vg = {
root_vg = {
type = "lvm_vg";
lvs = {
root = {
size = "100%FREE";
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = [ "subvol=persist" ];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = [ "subvol=nix" "noatime" ];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
};
};
};
};
};
};
}

7
hosts/common/disks/btrfs-impermanence.nix → hosts/common/optional/btrfs-impermanence.nix
View File

@ -1,11 +1,8 @@
{lib, btrfsMountDevice, ...}: {lib, ...}:
let
device = btrfsMountDevice;
in
{ {
boot.initrd.postDeviceCommands = lib.mkAfter '' boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount ${device} /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")

3
hosts/common/optional/persistence.nix
View File

@ -8,12 +8,9 @@
"/var/lib/nixos" "/var/lib/nixos"
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections" "/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
]; ];
files = [ files = [
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/deploy_key-ssh-ed25519"
"/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_ed25519_key.pub"
]; ];
}; };

45
hosts/common/users/admin/default.nix
View File

@ -1,55 +1,24 @@
{ pkgs, inputs, config, lib, ... }: { pkgs, inputs, config, lib, ... }:
let let
username = "admin";
pubKeys = lib.filesystem.listFilesRecursive (../keys); pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path;
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in in
{ {
users.users.${username} = { users.users.admin = {
isNormalUser = true; isNormalUser = true;
password = "nixos"; # Overridden if sops is working
shell = pkgs.zsh; # default shell shell = pkgs.zsh; # default shell
hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = extraGroups =
[ [ "qemu-libvirtd" "libvirtd"
"wheel" "wheel" "video" "audio" "disk" "networkmanager"
]; ];
packages = with pkgs; [
flatpak
gnome.gnome-software
];
};
sops.secrets = {
"passwords/${username}" = {
sopsFile = "${secretsFile}";
neededForUsers = true;
};
"ssh_keys/${username}/id_ed25519" = {
path = "/home/${username}/.ssh/id_ed25519";
mode = "0600";
owner = "${username}";
};
"ssh_keys/${username}/id_ed25519.pub" = {
path = "/home/${username}/.ssh/id_ed25519.pub";
mode = "0644";
owner = "${username}";
};
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
programs.fuse.userAllowOther = true;
home-manager = { environment.systemPackages = [
extraSpecialArgs = { inherit inputs; }; ];
users = {
${username} = import ../../../../home/${hostname}.nix;
};
};
} }

2
hosts/fileserver/default.nix
View File

@ -46,5 +46,7 @@
enableSSHSupport = true; enableSSHSupport = true;
}; };
system.stateVersion = "23.11";
} }

3
hosts/nixdev/default.nix
View File

@ -30,5 +30,8 @@ in
}; };
services.libinput.enable = true; services.libinput.enable = true;
system.stateVersion = "23.11";
} }

25
hosts/sparky/default.nix
View File

@ -1,24 +1,17 @@
{ inputs, config, lib, pkgs, outputs,... }: { inputs, config, lib, pkgs, outputs,... }:
let let
# Disko setup dev = "/dev/vda";
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/vda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
in in
{ {
imports = imports =
[ [
# Create users for this host
../common/users/media
# Disk configuration # Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; fsType = fsType; encrypted = encrypted; }) (import ../common/disks/luks-btrfs-subvolumes.nix { device = "/dev/vda" ; })
../common/optional/btrfs-impermanence.nix
# Impermanence # Create users for this host
inputs.impermanence.nixosModules.impermanence ../common/users/media
(import ../common/disks/btrfs-impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
@ -38,6 +31,13 @@ in
}; };
}; };
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/flatpak"
];
};
networking = { networking = {
hostName = "sparky"; hostName = "sparky";
networkmanager.enable = true; networkmanager.enable = true;
@ -54,4 +54,5 @@ in
cinnamon.enable = true; cinnamon.enable = true;
}; };
}; };
} }

67
scripts/bootstrap.sh
View File

@ -4,19 +4,17 @@ echo -e "
Before using this tool, ensure that the host has been setup correctly. Before using this tool, ensure that the host has been setup correctly.
Boot the latest Nixos-minimal install ISO on the host and access the tty. Boot the latest Nixos-minimal install ISO on the host and access the tty.
Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally Run Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally
'passwd' and set a temporary password for the root user. Run 'passwd' and set a temporary password (something simple like '1234')
for the root user.
Also, ensure secrets for the new host and users have been set in secrets.yaml
" "
read -p "Confirm host had been setup using the above steps...(yes|no): " confirm read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0 [ "$confirm" != "yes" ] && echo "Exiting" && exit 0
read -p "Enter hostname of target: " hostname hostname="sparky"
read -p "Enter IP of target: " ip ip="192.168.122.193"
read -p "Enter config to install on target: " config config="bootstrap"
read -p "Enter username (if none, use 'root'): " username
# Delete key in known hosts if exists # Delete key in known hosts if exists
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
@ -26,29 +24,28 @@ echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Create temp directory for ssh and luks keys to be copied to host: # Create temp directory for ssh and luks keys to be copied to host:
temp=$(mktemp -d) temp_ssh=$(mktemp -d)
touch /tmp/luks_secret.key touch /tmp/luks_secret.key
# Function to cleanup temporary directory on exit # Function to cleanup temporary directory on exit
cleanup() { cleanup() {
rm -rf "$temp" /tmp/luks_secret.key rm -rf "$temp_ssh" /tmp/luks_secret.key
} }
trap cleanup EXIT trap cleanup EXIT
# Create the directory for target host keys # Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/persist/etc/ssh" install -d -m755 "$temp_ssh/persist/etc/ssh"
# Create ssh keys # Create ssh keys if not exists
echo "Creating '$hostname' ssh keys" echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N "" ssh-keygen -t ed25519 -f "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
# Extract luks key from secrets chmod 600 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key"
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ../nix-secrets/secrets.yaml") chmod 644 "$temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub"
echo "$luks_secret" > /tmp/luks_secret.key
# Generate age key from target host and user public ssh key # Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key" echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age") HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp_ssh/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key: # Update .sops.yaml with new age key:
@ -63,20 +60,46 @@ sed -i "{
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/} /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
}" $SOPS_FILE }" $SOPS_FILE
# Commit and push changes to sops file
just update-sops-secrets && just update-flake-secrets && just update-flake just update-sops-secrets && just update-flake-secrets && just update-flake
# Copy current nix config over to target # Extract luks key from secrets
cp -prv . "$temp/persist/etc/nixos" luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"sparky""\"]' ../nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key
# Install Nixos to target # Install Nixos to target
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" cd "$HOME/nixos"
git add . && git commit -m "auto: bootstrapping $hostname" && git push
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp_ssh" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1 [ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts ## Delete keys from local known_hosts
echo "Deleting host from known_hosts" echo "Deleting host from known_hosts"
sed -i "/$ip/d" ~/.ssh/known_hosts sed -i "/$ip/d" ~/.ssh/known_hosts
# Check host OS has booted (and not booted back into live cd)
while true;
do
read -p "Confirm live CD has been removed... (yes|no): " confirm
[ "$confirm" = "yes" ] && break
done
echo "Waiting for $ip to come back online and port 22 to be open..."
while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
do
echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
sleep 5
done
echo "$ip is now online and port 22 is open!"
# Authorise source public key
echo "Copying pubkey to target host"
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
# Copy deploy_key to target for personal repo authorisation
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
echo -e "###\nSuccessfully installed Nixos on the target host!\n###" echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
exit 0 exit 0