diff --git a/hosts/common/configs/system/nix-install/default.nix b/hosts/common/configs/system/nix-install/default.nix
index 0ca2ed4..cee7f47 100644
--- a/hosts/common/configs/system/nix-install/default.nix
+++ b/hosts/common/configs/system/nix-install/default.nix
@@ -8,6 +8,7 @@
 iputils
 jq
 nix
+ sops
 inputs.disko.packages.${system}.disko
 ];
 text = builtins.readFile ./install.sh;
diff --git a/hosts/common/configs/system/nix-install/install.completion.zsh b/hosts/common/configs/system/nix-install/install.completion.zsh
index c95b40d..fc20121 100644
--- a/hosts/common/configs/system/nix-install/install.completion.zsh
+++ b/hosts/common/configs/system/nix-install/install.completion.zsh
@@ -4,7 +4,6 @@ _nix-install_completion() {
 '-m[Mode: 'install' or 'repair']:mode:(install repair)'
 '-h[Host to configure]:host:($(_list_hosts))'
 '-k[Key file to copy to user config]:key:($(_list_keys))'
- '-p[LUKS password file to use for encryption]:password_file:_files'
 '-c[Copy configuration to target]'
 '-r[Reboot after completion]'
 )
diff --git a/hosts/common/configs/system/nix-install/install.sh b/hosts/common/configs/system/nix-install/install.sh
index 02daa58..4d8a98b 100644
--- a/hosts/common/configs/system/nix-install/install.sh
+++ b/hosts/common/configs/system/nix-install/install.sh
@@ -8,7 +8,6 @@ usage() {
 echo " -m mode Mode: 'install' or 'repair'."
 echo " -h host Host to configure."
 echo " -k key Key file to copy to user config."
- echo " -p password_file LUKS password file to use for encryption."
 echo " -c Copy configuration to target."
 echo " -r Reboot after completion."
 exit 1
@@ -50,22 +49,10 @@ check_key() { } set_password_file() { - if [[ -n "$password_file" ]]; then - if [[ ! -f "$password_file" ]]; then - echo "LUKS key file '$password_file' not found." - exit 1 - fi - - ln -sf "$(realpath "$password_file")" /tmp/installer.key - else - echo "Enter password for LUKS encryption:" - IFS= read -r -s password - echo "Enter password again to confirm: " - IFS= read -r -s password_check - [ "$password" != "$password_check" ] - echo -n "$password" > /tmp/installer.key - unset password password_check - fi + SOPS_AGE_KEY_FILE="$(realpath "$flake/secrets/$key/key.txt")" + export SOPS_AGE_KEY_FILE + sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/installer.key + unset SOPS_AGE_KEY_FILE } prepare_disk() { 
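Review bot: The decrypted LUKS passphrase is written to the fixed path `/tmp/installer.key` by plain shell redirection, so the file gets whatever the script's umask allows (commonly 0644) and, if a symlink already sits at that path, the redirect writes through it; the script runs as root (`check_root`), which makes that a textbook /tmp symlink target. The exit status of `sops` is not checked either, so a wrong age key or a missing `luks` entry leaves an empty key file and the run continues into `prepare_disk` (whether `set -e` is active is not visible in this hunk). I would recreate the file with mode 0600 before decrypting and fail loudly when decryption fails or yields nothing, as below. If `cleanup()` (which starts outside this hunk) does not delete `/tmp/installer.key`, the plaintext passphrase also outlives the run on the installer medium.
```shell
set_password_file() {
  SOPS_AGE_KEY_FILE="$(realpath "$flake/secrets/$key/key.txt")"
  export SOPS_AGE_KEY_FILE
  # Do not write through a pre-existing (possibly planted) symlink, and keep
  # the plaintext passphrase root-only: recreate the file with mode 0600.
  rm -f /tmp/installer.key
  (umask 077 && : > /tmp/installer.key)
  if ! sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/installer.key \
      || [[ ! -s /tmp/installer.key ]]; then
    unset SOPS_AGE_KEY_FILE
    echo "Failed to decrypt LUKS passphrase for host '$host'." >&2
    exit 1
  fi
  unset SOPS_AGE_KEY_FILE
}
```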
@@ -115,59 +102,57 @@ cleanup() { if [[ -d "$root" ]]; then rmdir "$root"; fi } -check_root -check_network +main() { + check_root + check_network -if [[ "$#" -lt 1 ]]; then - usage -fi + if [[ "$#" -lt 1 ]]; then usage; fi -flake="$(realpath "$1")" -check_flake -shift + flake="$(realpath "$1")" + check_flake + shift -mode="" -host="" -key="" -password_file="" -copy_config_flag="false" -reboot_flag="false" + mode="" + host="" + key="" + copy_config_flag="false" + reboot_flag="false" -while getopts "m:h:k:p:cr" opt; do - case "$opt" in - m) mode="$OPTARG" ;; - h) host="$OPTARG" ;; - k) key="$OPTARG" ;; - p) password_file="$OPTARG" ;; - c) copy_config_flag="true" ;; - r) reboot_flag="true" ;; - *) usage ;; + while getopts "m:h:k:cr" opt; do + case "$opt" in + m) mode="$OPTARG" ;; + h) host="$OPTARG" ;; + k) key="$OPTARG" ;; + c) copy_config_flag="true" ;; + r) reboot_flag="true" ;; + *) usage ;; + esac + done + + if [[ -z "$mode" || -z "$host" ]]; then usage; fi + + check_host + check_key + set_password_file + + case "$mode" in + install) + prepare_disk "destroy,format,mount" + copy_keys + install + if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi + if [[ "$reboot_flag" == "true" ]]; then finish; fi + ;; + repair) + prepare_disk "mount" + install + if [[ "$reboot_flag" == "true" ]]; then finish; fi + ;; + *) + echo "Invalid mode: $mode" + usage + ;; esac -done +} -if [[ -z "$mode" || -z "$host" ]]; then - usage -fi - -check_host -check_key -until set_password_file; do echo "Passwords did not match, please try again."; done - -case "$mode" in - install) - prepare_disk "destroy,format,mount" - copy_keys - install - if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi - if [[ "$reboot_flag" == "true" ]]; then finish; fi - ;; - repair) - prepare_disk "mount" - install - if [[ "$reboot_flag" == "true" ]]; then finish; fi - ;; - *) - echo "Invalid mode: $mode" - usage - ;; -esac +main "$@"
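Review bot: With the interactive passphrase prompt gone, the `install)` arm of `main` now reaches `prepare_disk "destroy,format,mount"` with no human step at all — the removed `read -s` prompt was the only pause before the disks were wiped, and a valid-but-wrong `-h` now silently destroys that host's disks. A confirmation before that call, e.g. `read -r -p "This will DESTROY all data on the disks configured for '$host'. Type the host name to continue: " confirm` followed by `[[ "$confirm" == "$host" ]] || exit 1`, restores the guard (a `-y` flag can keep unattended runs possible). Separately, the `getopts` loop is not followed by `shift $((OPTIND - 1))`, so stray positional arguments after the options are ignored rather than rejected. `cleanup()` at the top of the hunk starts outside it.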