[sops] change reproducible secrets file structure

machines/.sops.yaml

@@ -95,10 +95,10 @@ creation_rules:
       - *admin_kalipso_dsktp
       age:
       - *admin_atlan
-  - path_regex: secrets/keys/itag/.*/.*
+  - path_regex: .*/secrets/.*
     key_groups:
     - pgp:
       - *admin_kalipso
       - *admin_kalipso_dsktp
       age:
-      - *admin_atlan
+      - *admin_atlan

scripts/add_new_host_keys.sh

@@ -16,22 +16,24 @@ if [ ! -e flake.nix ]
     done
 fi
 
-pwpath="machines/secrets/keys/itag"
+pwpath="machines"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 read -p "Enter new host name: " host
 
 if [ "$host" = "" ]; then exit 0
 fi
 
-mkdir -p $pwpath/$host
+mkdir -p $pwpath/$host/secrets
-cd $pwpath/$host
+cd $pwpath/$host/secrets
 
 # Generate SSH keys
-ssh-keygen -f "$host" -t ed25519 -N ""
+ssh-keygen -f $hostkey -t ed25519 -N ""
-ssh-keygen -f "$host"-init -t ed25519 -N ""
+ssh-keygen -f $initrdkey -t ed25519 -N ""
 
 #encrypt the private keys
-sops -e -i ./"$host"
+sops -e -i ./$hostkey
-sops -e -i ./"$host"-init
+sops -e -i ./$initrdkey
 
 #generate encryption key
 tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
@@ -40,9 +42,9 @@ sops -e -i ./disk.key
 # Info
 echo
 echo "Hier ist der age public key für sops etc:"
-echo "$(ssh-to-age -i ./$host.pub)"
+echo "$(ssh-to-age -i ./"$hostkey".pub)"
 echo
 echo "Hier ist eine reproduzierbare mac-addresse:"
 echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 
-exit 0
+exit 0

scripts/remote-install-encrypt.sh

@@ -25,7 +25,9 @@ fi
 
 hostname=$1
 ipaddress=$2
-pwpath="machines/secrets/keys/itag"
+pwpath="machines/$hostname/secrets"
+hostkey="ssh_host_ed25519_key"
+initrdkey="initrd_ed25519_key"
 
 # Create a temporary directory
 temp=$(mktemp -d)
@@ -40,13 +42,13 @@ trap cleanup EXIT
 install -d -m755 "$temp/etc/ssh/"
 install -d -m755 "$temp/root/"
 
-diskKey=$(sops -d $pwpath/$hostname/disk.key)
+diskKey=$(sops -d $pwpath/disk.key)
 echo "$diskKey" > /tmp/secret.key
 echo "$diskKey" > $temp/root/secret.key
 
-sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname"
+sops -d "$pwpath/$hostkey" > "$temp/etc/ssh/$hostname"
 
-sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"
+sopd -d "$pwpath/$initrdkey" > "$temp/etc/ssh/initrd"
 
 # # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/$hostname"
@@ -62,4 +64,4 @@ if [ $# = 3 ]
 else
 nix run github:numtide/nixos-anywhere -- --extra-files "$temp"   \
  --disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
-fi
+fi

scripts/unlock-boot.sh

@@ -19,7 +19,7 @@ if [ ! -e flake.nix ]
     done
 fi
 
-diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)
+diskkey=$(sops -d machines/$HOSTNAME/secrets/disk.key)
 
 echo
 if [ $# = 1 ]
@@ -37,4 +37,4 @@ else
     echo "Usage: $0 <hostname> [ip]"
     echo "If an IP is not provided, the hostname will be used as the IP address."
     exit 1
-fi
+fi