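set -o errexit
set -o nounset
set -o pipefail

# Install NixOS onto a remote machine with nixos-anywhere, seeding it with the
# host's decrypted secrets (disk encryption key, sshd host keys).
#
# Arguments:
#   $1 - hostname: flake output name and secret directory name
#   $2 - ip: address of the target machine
#   $3 - optional SSH user on the target (defaults to root)
if [ "$#" -lt 2 ]; then
  echo
  echo "Install NixOS to the host system with secrets and encryption"
  echo "Usage: $0 <hostname> <ip> (user)"
  exit 1
fi

# The secrets path and the flake reference are relative to the flake root,
# so walk up the parent directories until flake.nix is found.
if [ ! -e flake.nix ]; then
  echo "flake.nix not found. Searching down."
  while [ ! -e flake.nix ]; do
    if [[ "$PWD" == / ]]; then
      echo "Found root. Aborting."
      exit 1
    fi
    cd ..
  done
fi

hostname=$1
ipaddress=$2
readonly pwpath="machines/secrets/keys/itag"

# Staging tree passed to nixos-anywhere via --extra-files. Everything under it
# is copied into the installed system, so only files that belong on the target
# may be placed here.
temp=$(mktemp -d)
# Local copy of the disk encryption key for --disk-encryption-keys. Kept
# outside "$temp" so it is not copied onto the target a second time, and
# created by mktemp rather than at a fixed, world-visible path under /tmp.
keyfile=

# Remove every file holding decrypted material, whichever way the script ends.
cleanup() {
  rm -rf -- "${temp:?}"
  if [ -n "$keyfile" ]; then
    rm -f -- "$keyfile"
  fi
}
trap cleanup EXIT

keyfile=$(mktemp)

# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/etc/ssh/"
install -d -m755 "$temp/root/"

# Decrypt the secrets in a subshell with a restrictive umask so the files are
# created unreadable to other local users. errexit is inherited, so a failed
# sops call still aborts the script.
(
  umask 077

  # $(...) strips trailing newlines from the sops output; printf adds exactly
  # one back, which is what the file previously received from echo.
  diskKey=$(sops -d "$pwpath/$hostname/disk.key")
  printf '%s\n' "$diskKey" > "$keyfile"
  printf '%s\n' "$diskKey" > "$temp/root/secret.key"

  # sshd host key for the installed system and for the initrd
  sops -d "$pwpath/$hostname/$hostname" > "$temp/etc/ssh/$hostname"
  sops -d "$pwpath/$hostname/$hostname-init" > "$temp/etc/ssh/initrd"
)

# Set the correct permissions so sshd will accept the key
chmod 600 "$temp/etc/ssh/$hostname"
chmod 600 "$temp/etc/ssh/initrd"

# Install NixOS to the host system with our secrets and encryption
# optional --build-on-remote
# A third argument selects the SSH user on the target; root otherwise.
if [ "$#" -eq 3 ]; then
  target_user=$3
else
  target_user=root
fi
# NOTE: the nixos-anywhere flake reference is unpinned, so the installer is
# fetched from the default branch on every run.
# --disk-encryption-keys copies the local "$keyfile" to /tmp/secret.key inside
# the installer environment, which is where the disk configuration reads it.
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
  --disk-encryption-keys /tmp/secret.key "$keyfile" \
  --flake ".#$hostname" "$target_user@$ipaddress"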