47 lines
1.2 KiB
Bash
Executable File
47 lines
1.2 KiB
Bash
Executable File
set -o errexit
|
|
set -o nounset
|
|
set -o pipefail
|
|
|
|
if [ $# -lt 2 ]; then
|
|
echo
|
|
echo "Install NixOS to the host system with secrets and encryption"
|
|
echo "Usage: $0 <hostname> <ip> (user)"
|
|
exit 1
|
|
fi
|
|
|
|
hostname=$1
|
|
ipaddress=$2
|
|
|
|
# Create a temporary directory
|
|
temp=$(mktemp -d)
|
|
|
|
# Function to cleanup temporary directory on exit
|
|
cleanup() {
|
|
rm -rf "$temp"
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
# Create the directory where sshd expects to find the host keys
|
|
install -d -m755 "$temp/etc/ssh/"
|
|
|
|
diskKey=$(sops -d machines/$hostname/disk.key)
|
|
echo "$diskKey" > /tmp/secret.key
|
|
|
|
ssh-keygen -f $temp/etc/ssh/"$hostname" -t ed25519 -N ""
|
|
ssh-keygen -f $temp/etc/ssh/initrd -t ed25519 -N ""
|
|
|
|
# # Set the correct permissions so sshd will accept the key
|
|
chmod 600 "$temp/etc/ssh/$hostname"
|
|
chmod 600 "$temp/etc/ssh/initrd"
|
|
|
|
# Install NixOS to the host system with our secrets and encription
|
|
# optional --build-on-remote
|
|
if [ $# = 3 ]
|
|
then
|
|
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
|
|
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname $3@$ipaddress
|
|
|
|
else
|
|
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" \
|
|
--disk-encryption-keys /tmp/secret.key /tmp/secret.key --flake .#$hostname root@$ipaddress
|
|
fi |