[sops] change reproducible secrets file structure

2025-02-22 19:10:44 +01:00
parent f4544b1b90
commit 21cb9ece11
4 changed files with 22 additions and 18 deletions


@@ -95,7 +95,7 @@ creation_rules:
- *admin_kalipso_dsktp - *admin_kalipso_dsktp
age: age:
- *admin_atlan - *admin_atlan
- path_regex: secrets/keys/itag/.*/.* - path_regex: .*/secrets/.*
key_groups: key_groups:
- pgp: - pgp:
- *admin_kalipso - *admin_kalipso
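Review bot: The new `path_regex: .*/secrets/.*` is unanchored and far broader than the old `secrets/keys/itag/.*/.*`: any file anywhere in the repository whose path contains `/secrets/` now falls under this rule, and since sops applies the first creation rule that matches, the rules above line 95 (outside the hunk) decide whether this one is ever reached. If the intent is only the per-host tree the scripts in this commit create, anchoring it as `path_regex: ^machines/[^/]+/secrets/` limits the rule to that layout and avoids silently encrypting unrelated files to these key groups. The leading and trailing `.*` add nothing, because sops already searches rather than full-matches the path.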


@@ -16,22 +16,24 @@ if [ ! -e flake.nix ]
done done
fi fi
pwpath="machines/secrets/keys/itag" pwpath="machines"
hostkey="ssh_host_ed25519_key"
initrdkey="initrd_ed25519_key"
read -p "Enter new host name: " host read -p "Enter new host name: " host
if [ "$host" = "" ]; then exit 0 if [ "$host" = "" ]; then exit 0
fi fi
mkdir -p $pwpath/$host mkdir -p $pwpath/$host/secrets
cd $pwpath/$host cd $pwpath/$host/secrets
# Generate SSH keys # Generate SSH keys
ssh-keygen -f "$host" -t ed25519 -N "" ssh-keygen -f $hostkey -t ed25519 -N ""
ssh-keygen -f "$host"-init -t ed25519 -N "" ssh-keygen -f $initrdkey -t ed25519 -N ""
#encrypt the private keys #encrypt the private keys
sops -e -i ./"$host" sops -e -i ./$hostkey
sops -e -i ./"$host"-init sops -e -i ./$initrdkey
#generate encryption key #generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -40,7 +42,7 @@ sops -e -i ./disk.key
# Info # Info
echo echo
echo "Hier ist der age public key für sops etc:" echo "Hier ist der age public key für sops etc:"
echo "$(ssh-to-age -i ./$host.pub)" echo "$(ssh-to-age -i ./"$hostkey".pub)"
echo echo
echo "Hier ist eine reproduzierbare mac-addresse:" echo "Hier ist eine reproduzierbare mac-addresse:"
echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
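Review bot: `cd $pwpath/$host/secrets` on the new side of the first hunk has no failure check, so if the directory cannot be entered the two `ssh-keygen` calls and the `sops -e -i` steps run in the current directory instead of the host's secrets directory; `cd "$pwpath/$host/secrets" || exit 1` closes that. `$host` comes straight from the interactive `read` a few lines above and is only checked against the empty string, so it should also be quoted in the `mkdir -p` and `cd` lines, and a `case "$host" in */*|*..*) exit 1;; esac` guard would keep a stray slash or `..` from placing keys outside `machines/`. The rendering appears to drop some lines of this hunk between the `tr -dc` line and the `@@ -40` header, so I could not see how the disk.key encryption lines changed.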


@@ -25,7 +25,9 @@ fi
hostname=$1 hostname=$1
ipaddress=$2 ipaddress=$2
pwpath="machines/secrets/keys/itag" pwpath="machines/$hostname/secrets"
hostkey="ssh_host_ed25519_key"
initrdkey="initrd_ed25519_key"
# Create a temporary directory # Create a temporary directory
temp=$(mktemp -d) temp=$(mktemp -d)
@@ -40,13 +42,13 @@ trap cleanup EXIT
install -d -m755 "$temp/etc/ssh/" install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/root/" install -d -m755 "$temp/root/"
diskKey=$(sops -d $pwpath/$hostname/disk.key) diskKey=$(sops -d $pwpath/disk.key)
echo "$diskKey" > /tmp/secret.key echo "$diskKey" > /tmp/secret.key
echo "$diskKey" > $temp/root/secret.key echo "$diskKey" > $temp/root/secret.key
sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname" sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd" sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
# # Set the correct permissions so sshd will accept the key # # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname" chmod 600 "$temp/etc/ssh/$hostname"
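Review bot: The new line `sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"` carries the `sopd` typo over from the old side, so the initrd key is never decrypted: the command fails as not found and the redirect leaves an empty `$temp/etc/ssh/initrd`; it should read `sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"`. Neither `sops -d` call in this hunk is followed by `|| exit 1`, so a decryption failure lets the script continue with empty key files. `echo "$diskKey" > /tmp/secret.key` two lines above also places the plaintext disk key at a predictable path created under the default umask; if it must live there, create it first with `install -m600 /dev/null /tmp/secret.key`. The script continues outside the hunk.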


@@ -19,7 +19,7 @@ if [ ! -e flake.nix ]
done done
fi fi
diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key) diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)
echo echo
if [ $# = 1 ] if [ $# = 1 ]