A small script to prepare input for a pet machine, set up by nixos-anywhere (with sops-nix)
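#!/usr/bin/env nix-shell
#! nix-shell -i bash -p ssh-to-age boxes
#
# Prepare the secret inputs a new "pet" machine needs before it is installed
# with nixos-anywhere (disko + sops-nix):
#   1. an ed25519 SSH host key, staged in an --extra-files tree so it lands in
#      /etc/ssh on the target (and the host identity survives the reinstall),
#   2. the age recipient derived from that host key's public half, for .sops.yaml,
#   3. a LUKS passphrase file for --disk-encryption-keys.
#
# The script uploads nothing itself: it only writes to temp files and prints
# what to paste into .sops.yaml and which options to pass to nixos-anywhere.
#
# SECURITY: the staged host private key and the LUKS passphrase file are left
# on disk under $TMPDIR on purpose (nixos-anywhere needs to read them). Remove
# them once the install has finished, e.g.
#   shred -u "$LUKS_KEY" "$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key" && rm -rf "$EXTRA_FILES"
# Do not run this under `set -x` / `bash -x`: the passphrase would be traced.
set -euo pipefail

# mktemp creates the directory 0700 and the file 0600, so only the invoking
# user can read the key material while it waits to be uploaded.
EXTRA_FILES=$( mktemp -d )
LUKS_KEY=$( mktemp )
SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key"

cat <<EOF | boxes -d ian_jones
- create ssh host keys
- create age key from ssh host key (for sops)
- create luks encryption key
EOF

# Make sure the target configuration declares the same key, otherwise NixOS
# would generate a different one on first boot and the age recipient below
# would be useless:
#   services.openssh.hostKeys = [ { bits = 4096; path = /etc/ssh/ssh_host_ed25519_key; rounds = 100; type = "ed25519"; } ]
# ("bits" is ignored for ed25519; "rounds = 100" matches the -a 100 below.)
mkdir -p "$( dirname "$SSH_HOST_KEY")"
# -N "" : unencrypted private key, sshd must be able to load it unattended.
# -a 100: KDF rounds recorded in the key file, mirrors the NixOS option above.
ssh-keygen -a 100 -q -N "" -t ed25519 -f "$SSH_HOST_KEY"

# sops-nix derives the machine's age identity from the *private* host key at
# runtime; the matching recipient is derived here from the public half only.
AGE_KEY=$( ssh-to-age < "$SSH_HOST_KEY.pub")

echo
echo
# -r keeps backslashes literal, -s does not echo the passphrase.
IFS= read -r -s -p 'LUKS Encryption Password please: ' password
echo
if [[ -z "$password" ]]; then
  printf 'empty LUKS passphrase, aborting\n' >&2
  exit 1
fi
# No trailing newline: cryptsetup uses the file's bytes verbatim as the
# passphrase, so a newline here would make the interactive unlock fail.
# printf, not echo -n: a passphrase such as "-e" must not be parsed as an option.
printf '%s' "$password" > "$LUKS_KEY"
unset password
echo
echo

cat <<EOF | boxes -d shell
put this in you .sops.yaml
and run sops updatekeys secrets/<machine>.yaml
EOF
# pgp and age recipients sit in ONE key group so either key alone can decrypt
# (the admin at the workstation, the machine via its host key). Listing them
# as two groups would make sops require both, which the machine cannot satisfy.
cat <<EOF
keys:
  - &palo 42AC51C9482D0834CF488AF1389EC2D64AC71EAC
creation_rules:
  - path_regex: secrets/<machine>.yaml
    key_groups:
      - pgp:
          - *palo
        age:
          - $AGE_KEY
EOF

echo
echo add this to your nixos-anywhere options | boxes -d shell
# <remote_path> must be the path the disko configuration reads the LUKS
# passphrase from (its passwordFile / keyFile setting); it is not derived here.
cat <<EOF
nixos-anywhere \\
  --extra-files $EXTRA_FILES \\
  --disk-encryption-keys <remote_path> $LUKS_KEY
EOF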