From 8c488d50a82ee0ce7d4ada1c9406594f00f29aee Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Tue, 31 Dec 2024 03:39:28 +0100
Subject: [PATCH] add install script
---
machines/.sops.yaml | 7 +++++
machines/testvm/disk.key | 31 ++++++++++++++++++++++
outputs.nix | 1 +
scripts/remote-install-encrypt.sh | 44 +++++++++++++++++++++++++++++++
4 files changed, 83 insertions(+)
create mode 100644 machines/testvm/disk.key
create mode 100755 scripts/remote-install-encrypt.sh
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index db170a93..f9aa3ccf 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -43,3 +43,10 @@ creation_rules:
 age:
 - *machine_vpn
 - *admin_atlan
+ - path_regex: testvm/disk.key
+ key_groups:
+ - pgp:
+ - *admin_kalipso
+ - *admin_kalipso_dsktp
+ age:
+ - *admin_atlan
diff --git a/machines/testvm/disk.key b/machines/testvm/disk.key
new file mode 100644
index 00000000..6d407359
--- /dev/null
+++ b/machines/testvm/disk.key
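Review bot: `path_regex: testvm/disk.key` is an unanchored regex whose `.` matches any character, and sops uses the first creation_rule whose regex matches a path, so if one of the rules above this hunk (outside the hunk) already matches paths under `testvm/`, this new rule is never consulted and the file would be encrypted to that rule's recipients instead. Anchoring it, `path_regex: ^testvm/disk\.key$`, and keeping it ahead of any broader `testvm` rule makes the intent explicit and easy to audit. The recipients listed here (two PGP keys plus one age key) agree with the three recipient entries in the committed `machines/testvm/disk.key`, so rule and file are consistent as of this commit; any later change to this rule needs a `sops updatekeys` on that file to stay that way.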
@@ -0,0 +1,31 @@ +{ + "data": "ENC[AES256_GCM,data:GH71ek6+a++P9sDUjO0IPojdU1epX98wcTqmoEgsu0j+,iv:LysgsJdPDvKOUz7l0IyV58QHN2RHvHP14bt1p4571NM=,tag:1WrqC3S+Z6bkE2d76RYtXA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOVI3b1dBa2d5SElHcFdq\nVHZwWlpIU3NpYm8zQnY3aVhOVkxnU1pkZUJNCkJ6bzhqdU5EVy9Wa0creXJHZ1pu\nbkRPVTR1K0o0dmlYbGVIbVRiWjFyL1kKLS0tIHl0aFpUYy9hWmpsNUFoY2JpWUhL\nalluN1RRSTBNUlprZWFISlFoUExXUXMKaULQKgVLNfHX8m0Ac1YhcbM/yhioyNCu\na1AUDjBmruKL9ngqz9Dwzxx0sJJOIFKMdYMVn9uQfui/XCHewO6uRw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-12-31T02:35:20Z", + "mac": "ENC[AES256_GCM,data:7K8G7ZFaA7wT0lwujkuJP0HL8WW0m/IkMjgFU9ikWe/GVZMlFDWTafaRNLxdBHNhHwilM8suH2z0P36Xae6pReh47PpID5JS8NC1V38fzww5qW74eFkHq3Pu8HRWb66u7zA/LiyOcEQgtrdP1zbnfmHUgakyNluSn7W1gOtsfxw=,iv:l65AiYn7ETRySF1Wr9nOUk9Fd1I4VGqd/zZbqkCyxYA=,tag:TeVyRa8aN6hIn3iIKPPvbQ==,type:str]", + "pgp": [ + { + "created_at": "2024-12-31T02:35:05Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/ZITVtnQl5xO2XLTTaNAZ50WhHkVV1G9H2TyxO0NbaUPj\nbo7LdbuB/+cv3wpg5oy5VpWW/JLElqizxbrE5gzQCzorwGE7lpKW0XQubofW8t9l\n+6k9UFXxyfVQJHwcIbexYfL2UhN62eSzzxPiKYVyNw4oM9ySeU+MCeCiv0omLUPg\nWSdOH4q1QYkRGJO8db7KlJSdvCoVjyEiCaLwKdWnPk5pbC+U7wp75fPdFwmzBchc\np9TXKeFF8dVGI7DKuGXA7lBm4ZzgSt4wNdZmc7mvTrTInaDVFA/ptbAfhh2/hNEx\npOijlXbc8ARKAhuLASPy6j37Nm2QdNm/8dl5x6eA7Sx7FcO8qV38Q//V4/DZZddJ\nT3NLC4tWLglpdyFX7H0zmZ+jQOLGJHorwzO+NgSOEj3N4venHYvJyI+vwVGjVCjQ\n1tZUIxGMx5iu959PinvlvBYI7oeKITPLyo8pRRx2EaA+UEBR2f3y+R0bTiBhChKM\nieUIVIK/fbvhdXhwwfRe0lgBm05hL/Vmdbal9QU8o/HIPeGTNitaqLQ59Ets7qm4\nf2FhHaOMO0YaDPtCNBGbRh/mEWH8tjhnI1sLJg/0rR9sOQ/oCzzIYILogIkm3ueE\notFqp95QQPVA\n=P16c\n-----END PGP MESSAGE-----", + "fp": "c4639370c41133a738f643a591ddbc4c3387f1fb" + }, + { + "created_at": 
"2024-12-31T02:35:05Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//fAGV0oLuiwL4TmQnrHF88ixvZ/HghKI9k/5zlORIdoaR\na1w6U32coX8HpEfcqON45ZQWSCFtlizlmL55jb1ugXFY/bS+KECO8XaMDhHXNkB/\ndfeCmASvqIlFkl/X3YeD2FhHa3ZlcS93x0duJ+oo18WIErkNuECOL7hwkh+m5YfS\nWtW9Z3J51qfS5S6ctdm9vKcYSrgTkADsyVQp9GqxO3xZGpWudGWDaK0gVBX5wk5t\n1uKhDpnIZdFZ42N5Oy/UqXF5pfEQ0OwxlOS8VMleq1wEPc/DPVku23HRSReS0k7x\nuVeFZpaOfe22ncgI4TVQln8JT0+ZPeAwqBn6LWp0XnPnQdkyE79ARMPqBTPN/6Pn\nFkVpInBVukVJ1AiGpHHxESPtiKoMUZpE+k3WG2dRFWmaON+n0kR4VFpOju3apxTH\n8RGN+Uyn6MswNOZDKoDjlVtkcwgJgar/KwxXNlF7BU3/KMDEBf1UHuQE58Y2eBsC\nI85AEpbskEeOu+MF1SNJkdx/BR+lUaR6ax+dVzOIwxLyyDoCGg4SEoL1Hh1nNRth\nxRZnYfN3FBGv3FnvpaCbfbBDLLkWxzst5HRjp+v2lyPM4eVtyvYPGdfYM5FK1den\nXVawulE3cjM786/Z7X2IK5IDzrvo8nIs/Keg2YqnZe0UgM3XFCoYnwxi2Rev1J3S\nWAHTBs22q/cEk3SLlfzLyqWochY33gI6fC2amOvC5HNhcs7vr6CF1W44d3Yx6WCO\npqxY9jmc4gVWeBLZV/d9T95qLwOQK7L1/tokdbggQcEXFOqpvPzm5pc=\n=qp/h\n-----END PGP MESSAGE-----", + "fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.9.2" + } +} \ No newline at end of file diff --git a/outputs.nix b/outputs.nix index 10085926..9130a8eb 100644 --- a/outputs.nix +++ b/outputs.nix @@ -40,6 +40,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems }; packages = { + remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh); docs = pkgs.stdenv.mkDerivation { name = "malobeo-docs"; phases = [ "buildPhase" ]; diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh new file mode 100755 index 00000000..72005ef9 --- /dev/null +++ b/scripts/remote-install-encrypt.sh 
@@ -0,0 +1,44 @@
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [ $# -lt 2 ]; then
+ echo
+ echo "Install NixOS to the host system with secrets and encryption"
+ echo "Usage: $0 (user)"
+ exit 1
+fi
+
+hostname=$1
+ipaddress=$2
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+ rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh/"
+
+ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
+ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
+
+# # Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/$hostname"
+chmod 600 "$temp/etc/ssh/initrd"
+
+# Install NixOS to the host system with our secrets and encription
+# optional --build-on-remote
+if [ $# = 3 ]
+ then
+ nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
+ --disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname $3@$ipaddress
+
+else
+nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
+ --disk-encryption-keys /tmp/secret.key <(sops -d machines/$hostname/disk.key) --flake .#$hostname root@$ipaddress
+fi
\ No newline at end of file
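Review bot: The usage line `echo "Usage: $0 (user)"` omits the two required positional arguments that the `$# -lt 2` check just enforced; it should read `echo "Usage: $0 <hostname> <ipaddress> [user]"`. The two `nix run github:numtide/nixos-anywhere` invocations at the end differ only in the SSH user, so `user=${3:-root}` after `ipaddress=$2` and a single invocation ending in `"$user@$ipaddress"` removes the duplicated command line (and the `# optional --build-on-remote` comment describes a flag the script never passes, so it should either be dropped or the flag wired in). `ssh-keygen -f $temp/etc/ssh/"$hostname"` and the `initrd` line leave `$temp` unquoted while every other use quotes it; with `nounset` and `errexit` on, quoting them consistently is the safer form. The comment "Create the directory where sshd expects to find the host keys" does not match what is generated, since the key is written as `$temp/etc/ssh/$hostname` rather than under sshd's default name and is presumably consumed by the host's sops/age configuration instead — the comment should say which consumer expects that path, and "encription" on the install comment should be "encryption".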