From 21cb9ece114f26b2df4bf6cfde1c07a817a21fca Mon Sep 17 00:00:00 2001
From: kalipso
Date: Sat, 22 Feb 2025 19:10:44 +0100
Subject: [PATCH] [sops] change reproducible secrets file structure
---
 machines/.sops.yaml | 4 ++--
 scripts/add_new_host_keys.sh | 20 +++++++++++---------
 scripts/remote-install-encrypt.sh | 12 +++++++-----
 scripts/unlock-boot.sh | 4 ++--
 4 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 1861772..43869fb 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -95,10 +95,10 @@ creation_rules:
 - *admin_kalipso_dsktp
 age:
 - *admin_atlan
- - path_regex: secrets/keys/itag/.*/.*
+ - path_regex: .*/secrets/.*
 key_groups:
 - pgp:
 - *admin_kalipso
 - *admin_kalipso_dsktp
 age:
- - *admin_atlan
\ No newline at end of file
+ - *admin_atlan
diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh
index fb18e87..b8db477 100755
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -16,22 +16,24 @@ if [ ! -e flake.nix ]
 done
 fi
-pwpath="machines/secrets/keys/itag"
+pwpath="machines"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 read -p "Enter new host name: " host
 if [ "$host" = "" ]; then
 exit 0
 fi
-mkdir -p $pwpath/$host
-cd $pwpath/$host
+mkdir -p $pwpath/$host/secrets
+cd $pwpath/$host/secrets
 # Generate SSH keys
-ssh-keygen -f "$host" -t ed25519 -N ""
-ssh-keygen -f "$host"-init -t ed25519 -N ""
+ssh-keygen -f $hostkey -t ed25519 -N ""
+ssh-keygen -f $initrdkey -t ed25519 -N ""
 #encrypt the private keys
-sops -e -i ./"$host"
-sops -e -i ./"$host"-init
+sops -e -i ./$hostkey
+sops -e -i ./$initrdkey
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
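Review bot: The new `path_regex: .*/secrets/.*` is unanchored, so this key group now applies to any file whose path contains a `/secrets/` segment, not only the `machines/<host>/secrets/` layout the scripts in this commit create, and because sops takes the first creation rule that matches, a pattern this broad can shadow or be shadowed by the rules above it depending on their order. If one rule per host directory is the intent, anchor it, e.g. `path_regex: ^[^/]+/secrets/` — as far as I recall sops matches the regex against the path relative to the directory holding `.sops.yaml`, which is why the scripts can `cd` into the secrets directory and still hit this rule; confirm by encrypting a test file at one of the new paths. A comment on the rule naming which directories it is meant to cover would also help the next person who adds a rule above it.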
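Review bot: `cd $pwpath/$host/secrets` on the new side is unchecked, and `$host` comes straight from `read -p` and is expanded unquoted here and in the `mkdir -p` line above it; if the cd fails (a name with spaces or glob characters, a permissions problem) the ssh-keygen, sops and disk.key lines that follow run in the repository root instead. Quote the expansion and stop on failure: `mkdir -p -- "$pwpath/$host/secrets"` and `cd "$pwpath/$host/secrets" || exit 1`; rejecting a host name that contains `/` or `..` would additionally keep the generated directory under `$pwpath`. The same bare `$hostkey`/`$initrdkey` expansions appear in the four ssh-keygen and sops lines; the values are fixed so they are harmless today, but quoting them keeps the script consistent with the `./"$hostkey".pub` form used in the next hunk. Whether the script runs under `set -e` is not visible from the hunk.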
@@ -40,9 +42,9 @@ sops -e -i ./disk.key
 # Info
 echo
 echo "Hier ist der age public key für sops etc:"
-echo "$(ssh-to-age -i ./$host.pub)"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
-exit 0
\ No newline at end of file
+exit 0
diff --git a/scripts/remote-install-encrypt.sh b/scripts/remote-install-encrypt.sh
index 6ec19c1..4d24adc 100755
--- a/scripts/remote-install-encrypt.sh
+++ b/scripts/remote-install-encrypt.sh
@@ -25,7 +25,9 @@ fi
 hostname=$1
 ipaddress=$2
-pwpath="machines/secrets/keys/itag"
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 # Create a temporary directory
 temp=$(mktemp -d)
@@ -40,13 +42,13 @@ trap cleanup EXIT
 install -d -m755 "$temp/etc/ssh/"
 install -d -m755 "$temp/root/"
-diskKey=$(sops -d $pwpath/$hostname/disk.key)
+diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 echo "$diskKey" > $temp/root/secret.key
-sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname"
+sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
-sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"
+sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 #
 # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
@@ -62,4 +64,4 @@ if [ $# = 3 ]
 else
 nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
 --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
-fi
\ No newline at end of file
+fi
diff --git a/scripts/unlock-boot.sh b/scripts/unlock-boot.sh
index 5d7c180..e00afc8 100644
--- a/scripts/unlock-boot.sh
+++ b/scripts/unlock-boot.sh
@@ -19,7 +19,7 @@ if [ ! -e flake.nix ]
 done
 fi
-diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)
+diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)
 echo
 if [ $# = 1 ]
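Review bot: `echo "$(ssh-to-age -i ./"$hostkey".pub)"` wraps the command in a redundant command substitution plus echo (ShellCheck SC2005); for the single-line output ssh-to-age produces, `ssh-to-age -i "./$hostkey.pub"` prints the same thing without the extra subshell. This is also the only place in the commit where the new `hostkey` variable is quoted, while the ssh-keygen and sops lines in the previous hunk expand it bare; pick one form and use it throughout the script.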
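Review bot: `hostkey` and `initrdkey` are now defined as literal file names here and again in scripts/add_new_host_keys.sh, with nothing tying the two copies together, so renaming the key in one script will make this one try to decrypt a path that no longer exists. Add a comment at these lines such as `# file names must match scripts/add_new_host_keys.sh` (or source them from one shared file). `pwpath` is also built from the unvalidated `$1`; whether `hostname` is checked before this point is outside the hunk.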
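Review bot: `sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"` carries the `sopd` typo over from the removed line, so the initrd host key is never decrypted; the redirection still creates an empty `$temp/etc/ssh/initrd`, which (going by the `--extra-files "$temp"` call in the next hunk) is then shipped to the target. Change it to `sops -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd" || exit 1`, and give the `diskKey=$(sops -d $pwpath/disk.key)` and `sops -d "$pwpath/$hostkey"` lines the same `|| exit 1` so an undecryptable secret stops the install instead of producing empty key files; whether the script runs under `set -e` is not visible here. The bare `$pwpath` in the diskKey line is inconsistent with the quoted form two lines below. The context lines also copy the disk key to the fixed path `/tmp/secret.key`, which predates this commit, but a file under `$temp` with a restrictive mode would avoid a predictable, shared-directory copy.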
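Review bot: `diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)` has no status check, so if decryption fails (wrong key, no secrets directory for this `$HOSTNAME`) the script continues with an empty `diskkey` and whatever consumes it below the hunk receives an empty secret. Quote the path and stop on failure: `diskkey=$(sops -d "machines/$HOSTNAME/secrets/disk.key") || exit 1`. The rest of the script, including any `set -e`, is outside the hunk.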
@@ -37,4 +37,4 @@ else
 echo "Usage: $0 [ip]"
 echo "If an IP is not provided, the hostname will be used as the IP address."
 exit 1
-fi
\ No newline at end of file
+fi