Compare commits
5 Commits
849505807c
...
ff673f0070
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
ff673f0070 | ||
|
|
57c8e65917 | ||
|
|
e4be136b64 | ||
|
|
aedf5ca0bf | ||
|
|
923cbf4621 |
@@ -12,7 +12,7 @@ keys:
|
|||||||
- &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
|
- &machine_infradocs age1decc74l6tm5sjtnjyj8rkxysr9j49fxsc92r2dcfpmzdcjv5dews8f03se
|
||||||
- &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
|
- &machine_overwatch age1psj6aeu03s2k4zdfcte89nj4fw95xgk4e7yr3e6k6u2evq84ng3s57p6f0
|
||||||
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
|
- &machine_vpn age1v6uxwej4nlrpfanr9js7x6059mtvyg4fw50pzt0a2kt3ahk7edlslafeuh
|
||||||
- &machine_fanny age136sz3lzhxf74ryruvq34d4tmmxnezkqkgu6zqa3dm582c22fgejqagrqxk
|
- &machine_fanny age1u6ljjefkyy242xxtpm65v8dl908efnpt4txjkh0c9emvagdv8etqt22wll
|
||||||
- &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
|
- &machine_nextcloud age1z0cfz7l4vakjrte220h46fc05503506fjcz440na92pzgztlspmqc8vt6k
|
||||||
#this dummy key is used for testing.
|
#this dummy key is used for testing.
|
||||||
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
|
- &machine_dummy age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng
|
||||||
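Review bot: The `- &machine_fanny` line now carries a different age recipient, but nothing in this hunk re-encrypts the files whose creation rules reference `*machine_fanny`; a changed recipient in this file (which appears to be `.sops.yaml`, its header is not visible) only takes effect after `sops updatekeys` is run on each affected file, and until then those files stay decryptable by the old key and not by the new one. If the old host key was retired rather than lost, the rotation should be completed by checking that the old recipient no longer appears in the `sops.age` block of any encrypted file in the tree. A one-line comment next to the anchor, `# rotated <date placeholder>; run 'sops updatekeys' on every file matching this anchor`, would make the remaining step visible to the next reader. The `keys:` list starts outside the hunk.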
@@ -73,13 +73,6 @@ creation_rules:
|
|||||||
- *admin_kalipso_dsktp
|
- *admin_kalipso_dsktp
|
||||||
age:
|
age:
|
||||||
- *admin_atlan
|
- *admin_atlan
|
||||||
- path_regex: fanny/disk.key
|
|
||||||
key_groups:
|
|
||||||
- pgp:
|
|
||||||
- *admin_kalipso
|
|
||||||
- *admin_kalipso_dsktp
|
|
||||||
age:
|
|
||||||
- *admin_atlan
|
|
||||||
- path_regex: bakunin/disk.key
|
- path_regex: bakunin/disk.key
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
|
|||||||
@@ -1,31 +0,0 @@
|
|||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:1I8fN241VOaW4GaNUe/OVr+1HQKmtYL1GSuIfsE=,iv:aHdgEUj5QhusEavG9mVgtTQ4uqLJD2ozQ/kVVtFakYY=,tag:JJUbt4kgpa4hVD3HjLXGOg==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUGpORk5zWXU1OVpqc2hT\nVW5PYlNLT3lKQVpTdCtMT1M3YlZ3Uno5bVJjCkJXR3I2Y3lDT0dJNThCcDN1NXYr\nK3VucjRKU0dac3BtQmV5ZFdrZXkrS1EKLS0tIGRGMGxDM0ZGbzVPTnJQK01GS3VW\nRHpJQWZLU1lrRS9ScXM0L0dyTjhGTGsKJEYq5vKxxYBAgkqUEkBwESur0reNIDPb\nK3rtflNi3dUYYZdLFNFV5rQX5q8aDnM6fO/zYPkzfBn7Ewq3jbBIIg==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2025-01-05T19:35:48Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:z7elJ0+3r0bWc/H6h4rI36xC7Uj0NS04VssjPDNVZM17LeN4ansSOfcOKPaUMziV/z5Aq8RVLROR+FImzxBZGaZm37frCoN1OP3WjeDnP6AsoY9dY+S/aYmErVEsQEIi8T4RAdQP2c3BUt1oKZ9Nki2pu3IBRabBlFhaTI0bspc=,iv:8Nn8r9ancHwBJOaJSsv8Vj3s+d0UvRmKIeCDNzx1qRg=,tag:BSO2yu70H2wjen3BCGC4Gw==,type:str]",
|
|
||||||
"pgp": [
|
|
||||||
{
|
|
||||||
"created_at": "2025-01-05T19:32:11Z",
|
|
||||||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv+JpNwP+BLJf4+0pSr17TToviCo0yWmcaP1dIUqClBSoDO\nI3ZzqHdImAj4QgExif2zsuzz1+WC+sjvFqEmX5pBKza/e30qCZirkelz9mzc0mhG\nLhTzfhqC6fLbV5f+pDp6N40ommu+LX1pIz6nViCUjqBdnAkCb+tqLU4eQJQqVmlz\n7BToLsvYomPK1nJ6f4rt1nTR9wkBI68AYM/K0SgCJXjwj1LpZ/+3yElkiCqZ9uZB\n1jrDKX+QPySlZ7OERL70UT7Eh8DTUNzFnozvliBnyxe00wwiiucCgrC94TmaKCmh\ni/FOdS6Izm3QwcWB0eMCX6GQBvlUWpjSz5xF4+YODJe9tGNz/sNxpk6B8xG5NuG2\n61nohMHoml6X3Z9dOwu/Svl+eS8SV/r278W/F9miE8YeayyLlPxHF3DXjd6WeDhZ\n20NExQUJYIRf6w/XQPQZ+E39NkIHxz8v+P29ncmSsRPWS6d2MK0Yj+UW0vT0u1vJ\n+lAs24xYofbu5tmBbnK10lgBrZMXDJM2nQbKMKSkVVjzbzmOe5jzMBxuWLX+ykeI\npaj32wQDWvfBqLPH1Kwvy5nqHvy375jPZ7RTzT7W0d4jKQf7xapbi4CEepHHfxCF\nD0HIEi8RUlXJ\n=KVUJ\n-----END PGP MESSAGE-----",
|
|
||||||
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"created_at": "2025-01-05T19:32:11Z",
|
|
||||||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUARAAqowFMavIniFheNvt03EH1iEn64xNmExotYcDt2L0bR39\nXQdLvg7cJ/Jh7EuZ44mHTs21mpbYIlygMs6kimqQ8iO30vGTEcn5bt/eUEoGHciM\nYVHktWNR81ZgjvKCcmTUK3ld+DMKmg2BABr4auUOYLu4ToSnFb1fv+fvZG0D3iQs\nm6LJuafH+4utM16Vnkp9+ziY/ieMPYfbOFuSFq0UWxGK9P+koSYVGnYhH55Lksyf\nBb/esEGCY671/Jl/qHw8so4TELeRsW/v/xAcNqbE1Msdeas7WJy/B6WqXQgK/Y+J\nPsyZ2XHKhPRitN77/eDJXVBi0mKBTE/RCzDzMYxKA7IQm28v8+u+wpdCajewnyF4\ns2HACaYs/TWRpIUzqxRlznc0nMpk8xUaeVb0N7nrtSDEBF8ETOGOcPk1AmdKMR4M\nsy0vu+K2oJ9L7e/o1ntpejKHN7t2Lzq+CvszBYKmyw/KgxeqY0hx4cJTUDsdgLjI\nMTrs6bySVXDyRaw3rHo7OvA+5c8dLfnWJd1R78nZTx89CYCvjJeMo7PNvN6C9HxK\nJoCOCnZo6a3j4NqJvXD5GNqGSP6m1lqBRWYQUIhWaOfz8aTY1Z3EXX0/4tv5C+A/\nknhc694ujtmBXio4XgDIrSz3jr9G8+ZLvig88xV12HTJfsatypQdHVIZj08EeR/S\nWAG872Q/DVD/aDmhaOlq/o/QBoEyrnJdkRHT9NX8iBboQ81wezfJxWUWlWyHaXVq\n5YBLFQvQAZLz3h05EBkMOiS2dHUa8OnNImj8txnCePAlcUdv7LIVxHA=\n=9APA\n-----END PGP MESSAGE-----",
|
|
||||||
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.9.2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
BIN
machines/secrets/keys/itag.kdbx
Normal file
BIN
machines/secrets/keys/itag.kdbx
Normal file
Binary file not shown.
@@ -39,6 +39,8 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
|
|||||||
pkgs.age
|
pkgs.age
|
||||||
pkgs.python310Packages.grip
|
pkgs.python310Packages.grip
|
||||||
pkgs.mdbook
|
pkgs.mdbook
|
||||||
|
pkgs.keepassxc
|
||||||
|
pkgs.ssh-to-age
|
||||||
microvmpkg.microvm
|
microvmpkg.microvm
|
||||||
];
|
];
|
||||||
|
|
||||||
@@ -49,6 +51,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
|
|||||||
legacyPackages = {
|
legacyPackages = {
|
||||||
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
|
scripts.remote-install = pkgs.writeShellScriptBin "remote-install" (builtins.readFile ./scripts/remote-install-encrypt.sh);
|
||||||
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
|
scripts.boot-unlock = pkgs.writeShellScriptBin "boot-unlock" (builtins.readFile ./scripts/unlock-boot.sh);
|
||||||
|
scripts.add-host-keys = pkgs.writeShellScriptBin "add-host-keys" (builtins.readFile ./scripts/add_new_host_keys.sh);
|
||||||
scripts.run-vm = self.packages.${system}.run-vm;
|
scripts.run-vm = self.packages.${system}.run-vm;
|
||||||
};
|
};
|
||||||
|
|
||||||
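Review bot: The new `scripts.add-host-keys` line wraps the script with `pkgs.writeShellScriptBin`, which only prepends a shebang and does not place `keepassxc-cli`, `ssh-to-age` or `ssh-keygen` on PATH, so the resulting binary depends on being run from the devShell that the previous hunk extends with `pkgs.keepassxc` and `pkgs.ssh-to-age`. Declaring the dependency explicitly with `pkgs.writeShellApplication { name = "add-host-keys"; runtimeInputs = [ pkgs.keepassxc pkgs.ssh-to-age pkgs.openssh ]; text = builtins.readFile ./scripts/add_new_host_keys.sh; }` removes that coupling, and `writeShellApplication` also runs shellcheck on the script at build time, which would surface the unquoted `$dbpath`/`$host` expansions in it. The `legacyPackages` attribute set and the package list both start outside their hunks.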
|
|||||||
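--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -0,0 +1,78 @@
+set -o errexit
+set -o pipefail
+
+dbpath="./machines/secrets/keys/itag.kdbx"
+
+if [ ! -e flake.nix ]
+then
+echo "flake.nix not found. Searching down."
+while [ ! -e flake.nix ]
+do
+if [ $PWD = "/" ]
+then
+echo "Found root. Aborting."
+exit 1
+else
+cd ..
+fi
+done
+fi
+
+if [ "$1" = "list" ]; then
+read -sp "Enter password for keepassxc: " pw
+echo "$pw" | keepassxc-cli ls -R $dbpath hosts
+exit 0
+
+elif [ "$1" = "add" ]; then
+read -p "Enter new host name: " host
+read -sp "Enter password for keepassxc: " pw
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Generate SSH keys
+ssh-keygen -f $temp/"$host" -t ed25519 -N ""
+ssh-keygen -f $temp/"$host"-init -t ed25519 -N ""
+
+ls $temp
+
+# add folder
+echo "$pw" | keepassxc-cli mkdir $dbpath hosts/$host
+
+# add entries
+echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey
+echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey-init
+echo "$pw" | keepassxc-cli add -glUn -L 20 $dbpath hosts/$host/encryption
+
+# Import keys
+echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey private "$temp/$host"
+echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey public "$temp/$host.pub"
+
+# Import init keys
+echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init"
+echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init public "$temp/$host-init.pub"
+
+
+
+# Info
+echo
+echo "Hier ist der age public key für sops etc:"
+echo "$(ssh-to-age -i $temp/$host.pub)"
+echo
+echo "Hier ist eine reproduzierbare mac-addresse:"
+echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+
+exit 0
+
+else
+echo
+echo "Add a new host to the DB and generate ssh keys and encryption key."
+echo "Usage: $0 [list|add]"
+exit 1
+fi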
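Review bot: The host name taken by `read -p "Enter new host name: " host` is used unvalidated and unquoted in the KeePass group path `hosts/$host` and in the file paths passed to `ssh-keygen`, so a value containing whitespace, `/` or a leading `-` creates an entry or file other than the one intended, and with `errexit` a failure part-way leaves the `hosts/$host` group already created. Add a check directly after the read, `[[ "$host" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]] || { echo "invalid host name" >&2; exit 1; }`, and quote `"$dbpath"` and `"$host"` in every `keepassxc-cli` invocation. The two `ssh-keygen ... -N ""` lines write unencrypted private keys under `mktemp -d` (in `/tmp` unless TMPDIR is set) that are only removed by `rm -rf` in `cleanup`, and they are then imported into `./machines/secrets/keys/itag.kdbx`, a database that this change set adds to the repository as a binary file; a header comment stating that the database password supplied to `read -sp` is the sole protection for every host's private SSH keys and disk key would document the trust model the script relies on. The `ls $temp` line prints only file names, but it looks like leftover debugging and could be dropped.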
@@ -25,6 +25,9 @@ fi
|
|||||||
|
|
||||||
hostname=$1
|
hostname=$1
|
||||||
ipaddress=$2
|
ipaddress=$2
|
||||||
|
dbpath="./machines/secrets/keys/itag.kdbx"
|
||||||
|
read -sp "Enter password for keepassxc: " pw
|
||||||
|
|
||||||
|
|
||||||
# Create a temporary directory
|
# Create a temporary directory
|
||||||
temp=$(mktemp -d)
|
temp=$(mktemp -d)
|
||||||
@@ -39,12 +42,13 @@ trap cleanup EXIT
|
|||||||
install -d -m755 "$temp/etc/ssh/"
|
install -d -m755 "$temp/etc/ssh/"
|
||||||
install -d -m755 "$temp/root/"
|
install -d -m755 "$temp/root/"
|
||||||
|
|
||||||
diskKey=$(sops -d machines/$hostname/disk.key)
|
diskKey=$(echo "$pw" | keepassxc-cli show -a Password $dbpath hosts/$hostname/encryption)
|
||||||
echo "$diskKey" > /tmp/secret.key
|
echo "$diskKey" > /tmp/secret.key
|
||||||
echo "$diskKey" > $temp/root/secret.key
|
echo "$diskKey" > $temp/root/secret.key
|
||||||
|
|
||||||
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
|
echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey private "$temp/etc/ssh/$hostname"
|
||||||
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
|
|
||||||
|
echo "$pw" | keepassxc-cli attachment-export $dbpath hosts/$hostname/sshkey-init private "$temp/etc/ssh/initrd"
|
||||||
|
|
||||||
# # Set the correct permissions so sshd will accept the key
|
# # Set the correct permissions so sshd will accept the key
|
||||||
chmod 600 "$temp/etc/ssh/$hostname"
|
chmod 600 "$temp/etc/ssh/$hostname"
|
||||||
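Review bot: The two new `keepassxc-cli attachment-export ... private` lines replace `ssh-keygen`, which created the key files with mode 0600, and the exported files are created with whatever mode the umask yields; the visible `chmod 600 "$temp/etc/ssh/$hostname"` covers only the host key, and the `initrd` key exported just above has no corresponding chmod within this hunk. If none follows outside the hunk, add `chmod 600 "$temp/etc/ssh/initrd"` after its export, or set `umask 077` near the top of the script so every file written under `$temp` is private by default. The disk key now obtained with `keepassxc-cli show -a Password` is still written to `/tmp/secret.key`, a context line outside the `$temp` directory that `trap cleanup EXIT` removes, so it survives the script's exit; that line predates this change, but the new key source makes it worth revisiting. The file header is not visible, so the file name is inferred from `hostname=$1` and `ipaddress=$2` in the previous hunk.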
|
|||||||