#!/usr/bin/env bash echo -e " Before using this tool, ensure that the host has been setup correctly. Boot the latest Nixos-minimal install ISO on the host and access the tty. Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally Run 'passwd' and set a temporary password (something simple like '1234') for the root user. " read -p "Confirm host had been setup using the above steps...(yes|no): " confirm [ "$confirm" != "yes" ] && echo "Exiting" && exit 0 # Target host details #cd ~ #read -p "Enter hostname: " hostname #read -p "Enter username: " username #read -p "Enter ip address: " ip #read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config hostname="sparky" username="media" ip="192.168.122.192" config="sparky" echo " Details entered: Hostname: $hostname Username: $username IP address: $ip System to build: $config " read -p "Is this correct? (yes|no): " check_details [ "$check_details" != "yes" ] && echo "Try again. Exiting" && exit 0 # Generate key name and dir HOST_KEY_DIR="$HOME/keys/hosts/$hostname" USER_KEY_DIR="$HOME/keys/users/$username" mkdir -p "$HOST_KEY_DIR" "$USER_KEY_DIR" # Create ssh keys if not exists echo "Creating '$hostname' ssh keys" bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname" echo "Creating '$username' ssh keys" bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "user" --username "$username" --hostname "$hostname" # Delete key in known hosts if exists sed -i "/$ip/d" ~/.ssh/known_hosts # Authorise source public key echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip" # Generate age key from target host and user public ssh key echo "Generating age key from target host and user ssh key" nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key" nix-shell -p ssh-to-age --run "cat $USER_KEY_DIR/id_ed25519.pub | ssh-to-age > $USER_KEY_DIR/age_user_key" HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key") USER_AGE_KEY=$(cat "$USER_KEY_DIR/age_user_key") echo -e "Host age key:\n$HOST_AGE_KEY\n" echo -e "User age key:\n$USER_AGE_KEY\n" echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later." # Create temp directory for ssh keys to be copied to host: temp=$(mktemp -d) # Function to cleanup temporary directory on exit cleanup() { rm -rf "$temp" } trap cleanup EXIT # Create the directory where sshd expects to find the host keys install -d -m755 "$temp/persist/etc/ssh" cat "$HOST_KEY_DIR/ssh_host_ed25519_key" > "$temp/persist/etc/ssh/ssh_host_ed25519_key" cat "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" > "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key" chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub" # Install Nixos to target cd "$HOME/nixos" git add . && git commit -m "auto: bootstrapping $hostname" && git push [ $? != 0 ] && echo "Error commiting current changes" && exit 1 SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519" [ $? != 0 ] && echo "Error installing Nixos" && exit 1 ## Delete keys from local known_hosts echo "Deleting host from known_hosts" sed -i "/$ip/d" ~/.ssh/known_hosts # Check host OS has booted (and not booted back into live cd) while true; do read -p "Confirm live CD has been removed... (yes|no): " confirm [ "$confirm" = "yes" ] && break done echo "Waiting for $ip to come back online and port 22 to be open..." while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null do echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..." sleep 5 done echo "$ip is now online and port 22 is open!" ## Copy host ssh keys to target #scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key" "root@$ip:/etc/ssh/ssh_host_ed25519_key" #scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" "root@$ip:/etc/ssh/ssh_host_ed25519_key.pub" # # Authorise source public key echo "Copying pubkey to target host" ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "$username@$ip" # Copy user ssh keys to target scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519" "$username@$ip:~/.ssh/id_ed25519" scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$USER_KEY_DIR/id_ed25519.pub" "$username@$ip:~/.ssh/id_ed25519.pub" # Copy deploy_key to target for personal repo authorisation scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519" scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519.pub")" "$username@$ip:~/.ssh/deploy_key-ssh-ed25519.pub" echo "Configuring target host ssh connection to enable connection to gitea repos:" read -r -d '' config << EOM Host git.bitlab21.com IdentitiesOnly yes StrictHostKeyChecking no IdentityFile ~/.ssh/deploy_key-ssh-ed25519 EOM echo "$config" | ssh "$username@$ip" 'mkdir -p ~/.ssh/ && cat > ~/.ssh/config' echo -e " Complete! Now add the new target host age key to .sops.yaml. This is needed to enable the new host to decrypt the secrets.yaml file from the ssh key we generated previously. Enter the details as following: keys: - &users: - &$username $USER_AGE_KEY - &hosts: - &$hostname $HOST_AGE_KEY creation_rules: - path_regex: secrets.yaml$ key_groups: - age: - *$username - *$hostname Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run: 'sops --config .sops.yaml updatekeys secrets.yaml' or with just: 'just update-sops-secrets' Then commit and push these changes to remote so they can be accessed on the new host. " while true; do read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm [ "$confirm" = "yes" ] && break done ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git ~/keep/nixos/'" #ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$username@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nix-secrets.git ~/keep/'" echo -e "###\nSuccessfully installed Nixos on the target host!\n###" #echo "Please remote into the new host and run 'sudo nixos-generate-config && cp /etc/nixos/hardware-configuration.nix /home/$username/nixos/hosts/$hostname/'" exit 0