Changed the rest of the scripts to sops encryption

ahtlon
2025-02-22 12:48:32 +01:00
parent edc754ee7f
commit 556cc3d423
3 changed files with 11 additions and 12 deletions


@@ -16,13 +16,14 @@ if [ ! -e flake.nix ]
done
fi
pwpath="machines/secrets/keys/itag"
read -p "Enter new host name: " host
if [ "$host" = "" ]; then exit 0
fi
mkdir -p machines/secrets/keys/itag/$host
cd machines/secrets/keys/itag/$host
mkdir -p $pwpath/$host
cd $pwpath/$host
# Generate SSH keys
ssh-keygen -f "$host" -t ed25519 -N ""
@@ -33,8 +34,8 @@ sops -e -i ./"$host"
sops -e -i ./"$host"-init
#generate encryption key
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt
sops -e -i ./encryption.txt
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > disk.key
sops -e -i ./disk.key
# Info
echo
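Review bot: `mkdir -p $pwpath/$host` and `cd $pwpath/$host` expand an interactively entered host name unquoted, and the `cd` result is never checked, so a name containing whitespace or glob characters — or a failed `cd` — leaves `ssh-keygen -f "$host"` and the later `sops -e -i` calls writing key material into whatever the current directory happens to be. The `read` also lacks `-r`, so backslashes in the entered name are mangled before they reach the path. Suggest `read -rp "Enter new host name: " host` and `mkdir -p -- "$pwpath/$host" && cd -- "$pwpath/$host" || exit 1`. In the second hunk the generated 20-character secrets are written to disk in plaintext before `sops -e -i` encrypts them in place; the window is short, but a one-line comment such as `# plaintext exists on disk until sops -e -i replaces it` would make that explicit for the next maintainer.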


@@ -25,9 +25,7 @@ fi
hostname=$1
ipaddress=$2
dbpath="./machines/secrets/keys/itag.kdbx"
read -sp "Enter password for keepassxc: " pw
pwpath="machines/secrets/keys/itag"
# Create a temporary directory
temp=$(mktemp -d)
@@ -42,13 +40,13 @@ trap cleanup EXIT
install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/root/"
diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption)
diskKey=$(sops -d $pwpath/$hostname/disk.key)
echo "$diskKey" > /tmp/secret.key
echo "$diskKey" > $temp/root/secret.key
echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname"
sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname"
echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd"
sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"
# # Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
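Review bot: `sopd -d "$pwpath/$hostname/$hostname"-init > "$temp/etc/ssh/initrd"` invokes `sopd`, not `sops`; the redirection still creates the file, so the initrd host key is installed empty (the shell's command-not-found message is the only sign) and nothing stops the script because no sops exit status is checked in this hunk. The same missing check applies to `diskKey=$(sops -d $pwpath/$hostname/disk.key)`, which is also unquoted, and to the `sops -d` that feeds `$temp/etc/ssh/$hostname`. Suggest `diskKey=$(sops -d "$pwpath/$hostname/disk.key") || exit 1` and `sops -d "$pwpath/$hostname/$hostname-init" > "$temp/etc/ssh/initrd" || exit 1`; the `trap cleanup EXIT` named in the hunk header still removes `$temp` on that exit. If `echo "$diskKey" > /tmp/secret.key` survives on the new side, the decrypted disk key is also written to a fixed path outside `$temp` that the cleanup does not cover — I cannot tell from the rendered hunk whether that line was removed, so please confirm.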


@@ -19,15 +19,15 @@ if [ ! -e flake.nix ]
done
fi
diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)
echo
if [ $# = 1 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
echo "$diskkey" | ssh $sshoptions root@$HOSTNAME-initrd "systemd-tty-ask-password-agent" #root
elif [ $# = 2 ]
then
diskkey=$(sops -d machines/$HOSTNAME/disk.key)
IP=$2
echo "$diskkey" | ssh $sshoptions root@$IP "systemd-tty-ask-password-agent" #root
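Review bot: `diskkey=$(sops -d machines/secrets/keys/itag/$HOSTNAME/disk.key)` does not check the decryption result, so if sops fails (wrong path, no matching decryption key) `$diskkey` is empty and an empty line is piped into `systemd-tty-ask-password-agent` as the unlock passphrase while both branches below proceed as if the key were valid. Suggest `diskkey=$(sops -d "machines/secrets/keys/itag/$HOSTNAME/disk.key") || exit 1`, with the path quoted. The rendered hunk does not show which of this line and the two `sops -d machines/$HOSTNAME/disk.key` assignments are the new side; if the hoisted line is the new one, its path matches the `machines/secrets/keys/itag/$host` layout the generator script in this commit writes to. `$HOSTNAME` is also a bash default holding the local machine's name — presumably it is reassigned from `$1` earlier in the script, outside this hunk; worth confirming, since otherwise the one-argument branch targets the local host.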