139 lines
4.5 KiB
Bash
Executable File
139 lines
4.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
echo -e "
|
|
Before using this tool, ensure that the host has been setup correctly.
|
|
Boot the latest Nixos-minimal install ISO on the host and access the tty.
|
|
|
|
Use 'ip a' to get the ip address, then 'sudo su' to change to root. Finally
|
|
Run 'passwd' and set a temporary password (something simple like '1234')
|
|
for the root user.
|
|
"
|
|
|
|
read -p "Confirm host had been setup using the above steps...(yes|no): " confirm
|
|
[ "$confirm" != "yes" ] && echo "Exiting" && exit 0
|
|
|
|
# Target host details
|
|
#cd ~
|
|
#read -p "Enter hostname: " hostname
|
|
#read -p "Enter username: " username
|
|
#read -p "Enter ip address: " ip
|
|
#read -p "Enter nixosSystem to build, e.g. 'bootstrap': " config
|
|
hostname="bootstrap-nixos"
|
|
ip="192.168.122.192"
|
|
config="bootstrap"
|
|
|
|
# Generate key name and dir
|
|
HOST_KEY_DIR="$HOME/keys/hosts/$hostname"
|
|
mkdir -p "$HOST_KEY_DIR"
|
|
|
|
# Create ssh keys if not exists
|
|
echo "Creating '$hostname' ssh keys"
|
|
bash "/$HOME/nixos/scripts/generate_ssh_keys.sh" --type "host" --username "root" --hostname "$hostname"
|
|
|
|
# Delete key in known hosts if exists
|
|
sed -i "/$ip/d" ~/.ssh/known_hosts
|
|
|
|
# Authorise source public key
|
|
echo "Copying pubkey to target host"
|
|
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
|
|
|
# Generate age key from target host and user public ssh key
|
|
echo "Generating age key from target host and user ssh key"
|
|
nix-shell -p ssh-to-age --run "cat $HOST_KEY_DIR/ssh_host_ed25519_key.pub | ssh-to-age > $HOST_KEY_DIR/age_host_key"
|
|
HOST_AGE_KEY=$(cat "$HOST_KEY_DIR/age_host_key")
|
|
echo -e "Host age key:\n$HOST_AGE_KEY\n"
|
|
echo "These keys needs to be inserted into .sops.yaml file. This will be prompted again later."
|
|
|
|
# Create temp directory for ssh keys to be copied to host:
|
|
temp=$(mktemp -d)
|
|
|
|
# Function to cleanup temporary directory on exit
|
|
cleanup() {
|
|
rm -rf "$temp"
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
# Create the directory where sshd expects to find the host keys
|
|
install -d -m755 "$temp/persist/etc/ssh"
|
|
|
|
cat "$HOST_KEY_DIR/ssh_host_ed25519_key" > "$temp/persist/etc/ssh/ssh_host_ed25519_key"
|
|
cat "$HOST_KEY_DIR/ssh_host_ed25519_key.pub" > "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
|
|
|
|
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
|
|
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
|
|
|
|
# Install Nixos to target
|
|
cd "$HOME/nixos"
|
|
git add . && git commit -m "auto: bootstrapping $hostname" && git push
|
|
[ $? != 0 ] && echo "Error commiting current changes" && exit 1
|
|
|
|
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
|
|
[ $? != 0 ] && echo "Error installing Nixos" && exit 1
|
|
|
|
## Delete keys from local known_hosts
|
|
echo "Deleting host from known_hosts"
|
|
sed -i "/$ip/d" ~/.ssh/known_hosts
|
|
|
|
# Check host OS has booted (and not booted back into live cd)
|
|
while true;
|
|
do
|
|
read -p "Confirm live CD has been removed... (yes|no): " confirm
|
|
[ "$confirm" = "yes" ] && break
|
|
done
|
|
echo "Waiting for $ip to come back online and port 22 to be open..."
|
|
while ! ping -c 1 $ip &> /dev/null || ! nc -zvw3 $ip 22 &> /dev/null
|
|
do
|
|
echo "$ip is still offline or port 22 is not open. Checking again in 5 seconds..."
|
|
sleep 5
|
|
done
|
|
echo "$ip is now online and port 22 is open!"
|
|
|
|
# Authorise source public key
|
|
echo "Copying pubkey to target host"
|
|
ssh-copy-id -i "$(readlink -f "$HOME/.ssh/id_ed25519.pub")" "root@$ip"
|
|
|
|
# Copy deploy_key to target for personal repo authorisation
|
|
scp -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "$(readlink -f "$HOME/.ssh/deploy_key-ssh-ed25519")" "root@$ip:/persist/etc/ssh/deploy_key-ssh-ed25519"
|
|
|
|
echo -e "
|
|
Complete!
|
|
|
|
Now add the new target host age key to .sops.yaml. This is needed to enable the
|
|
new host to decrypt the secrets.yaml file from the ssh key we generated
|
|
previously.
|
|
|
|
Enter the details as following:
|
|
keys:
|
|
- &hosts:
|
|
- &$hostname $HOST_AGE_KEY
|
|
|
|
creation_rules:
|
|
- path_regex: secrets.yaml$
|
|
key_groups:
|
|
- age:
|
|
- *$hostname
|
|
|
|
Then update (i.e. re-encrypt) the secrets.yaml file with the new keys, run:
|
|
|
|
'sops --config .sops.yaml updatekeys secrets.yaml'
|
|
|
|
or with just:
|
|
|
|
'just update-sops-secrets'
|
|
|
|
Then commit and push these changes to remote so they can be accessed on the new
|
|
host.
|
|
"
|
|
|
|
while true;
|
|
do
|
|
read -p "Confirm keys have been added to .sops.yaml using the above steps, and the changes (if any) have been commited and pushed...(yes|no): " confirm
|
|
[ "$confirm" = "yes" ] && break
|
|
done
|
|
|
|
ssh -i "$(readlink -f "$HOME/.ssh/id_ed25519")" "root@$ip" "nix-shell -p git --run 'git clone git@git.bitlab21.com:sam/nixos.git /persist/etc/nixos/'"
|
|
|
|
echo -e "###\nSuccessfully installed Nixos on the target host!\n###"
|
|
|
|
exit 0
|