Unfuck secrets

Don't worry why all the commit hashes suddenly changed, it's fine.

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

lib/scripts/add-host.sh

@@ -1,33 +1,198 @@
-#!/usr/bin/env -S nix shell nixpkgs#ssh-to-age -c bash
+#!/usr/bin/env -S nix shell nixpkgs#ssh-to-age nixpkgs#age nixpkgs#sops -c bash
 # shellcheck shell=bash
 
 set -o errexit
 set -o nounset
 set -o pipefail
 
-if [[ "$#" -ne 2 ]]; then
-  echo "Usage: $0 <host> <sops-master-key>"
+if [[ "$#" -ne 1 ]]; then
+  echo "Usage: $0 <host>"
   exit 1
 fi
 
 host="$1"
 
 mkdir -p "./hosts/$host/secrets"
-
-ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -N ""
-
+ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -C "root@$host" -N ""
 age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub")
 
-find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
-  sed -i "/- hosts:/a\      - &$host $age_key" "$sops_file"
-  sed -i "/- age:/a\          - *$host" "$sops_file"
+cat <<EOF > "./hosts/$host/secrets/sops.yaml"
+keys:
+  - hosts:
+      - &$host $age_key
+  - namespaces:
+      - &personal $(age-keygen -y ./secrets/personal/key.txt | tr -d '\n')
+
+creation_rules:
+  - path_regex: .+\.(yaml|yml|json|env|ini|bin)
+    key_groups:
+      - age:
+          - *$host
+          - *personal
+EOF
+
+luks=""
+luks_confirm=""
+
+until [[ "$luks" == "$luks_confirm" && -n "$luks" ]]; do
+  read -r -s -p "Enter LUKS passphrase for $host: " luks
+  echo
+  read -r -s -p "Confirm LUKS passphrase for $host: " luks_confirm
+  echo
+
+  if [[ "$luks" != "$luks_confirm" ]]; then
+    echo "They didn't match. Let's try again."
+  fi
 done
 
-sed -i "/knownHosts = {/a\      $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix
-sed -i "/userKnownHostsFile = lib.strings.concatStringsSep \" \" \[/a\        ../../../../../$host/secrets/ssh_host_ed25519_key.pub" ./hosts/common/configs/user/console/ssh/default.nix
+machine_id=$(uuidgen -r | tr -d -)
 
-"$(dirname "$0")/update-keys.sh" "$2"
+cat <<EOF > "./hosts/$host/secrets/.decrypted~secrets.yaml"
+luks: '$luks'
+machineId: $machine_id
+EOF
+
+tmp_age_key="$(mktemp)"
+echo "$age_key" > "$tmp_age_key"
+export SOPS_AGE_KEY_FILE="$tmp_age_key"
+
+sops --config "./hosts/$host/secrets/sops.yaml" --encrypt "./hosts/$host/secrets/.decrypted~secrets.yaml" > "./hosts/$host/secrets/secrets.yaml"
+
+unset SOPS_AGE_KEY_FILE
+rm -f "$tmp_age_key"
+rm -f "./hosts/$host/secrets/.decrypted~secrets.yaml"
+
+mkdir -p "./hosts/$host/hardware"
+
+cat <<'EOF' > "./hosts/$host/hardware/default.nix"
+{ ... }:
+{
+
+}
+EOF
+
+cat <<'EOF' > "./hosts/$host/format.nix"
+{
+  disko.devices = {
+    disk.installer = {
+      device = ""; # Set this to the device you want to install to
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "esp";
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              name = "main";
+              type = "luks";
+              passwordFile = "/tmp/installer.key";
+              settings = {
+                allowDiscards = true;
+              };
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes = {
+                  "@" = {
+                    mountpoint = "/";
+                  };
+                  "@persist" = {
+                    mountpoint = "/persist";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                  };
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                  };
+                  "@cache" = {
+                    mountpoint = "/cache";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
+EOF
+
+cat <<EOF > "./hosts/$host/default.nix"
+{ inputs, ... }:
+{
+  imports = [
+    ../../lib
+
+    inputs.disko.nixosModules.disko
+    ./format.nix
+
+    ./hardware
+
+    ../common/configs/system/boot
+    ../common/configs/system/btrfs
+    ../common/configs/system/documentation
+    ../common/configs/system/impermanence
+    ../common/configs/system/nix
+    ../common/configs/system/nix-cleanup
+    ../common/configs/system/nixpkgs
+    ../common/configs/system/ntp
+    ../common/configs/system/sops
+    ../common/configs/system/system
+    ../common/configs/system/users
+    ../common/configs/system/zsh
+  ];
+
+  networking.hostName = "$host";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+}
+EOF
+
+cat <<EOF > "./hosts/$host/README.md"
+# $host
+
+## Post-Install Checklist
+EOF
+
+new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
+last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1)
+sed -i "${last_table_line}a$new_entry" README.md
+
+sed -i "/knownHosts = {/a\\      $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix
+
+nix fmt
 
 echo "Host $host has been successfully added."
-echo "You can generate SSH key pairs for any users that need to connect to user@host using the following command:"
-echo "ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_${host}_<user>"
+echo "Age Public Key: $age_key"
+echo
+echo "If you need user-level SSH keys, generate them like this:"
+echo "  ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_${host}_<user>"

lib/scripts/remove-host.sh

@@ -5,8 +5,8 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-if [[ "$#" -ne 2 ]]; then
-  echo "Usage: $0 <host> <sops-master-key>"
+if [[ "$#" -ne 1 ]]; then
+  echo "Usage: $0 <host>"
   exit 1
 fi
 
@@ -20,11 +20,11 @@ find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
 done
 
 sed -i "/$host/d" ./hosts/common/configs/system/ssh/default.nix
-sed -i "/$host/d" ./hosts/common/configs/user/console/ssh/default.nix
-
-"$(dirname "$0")/update-keys.sh" "$2"
+sed -i "/$host/d" ./README.md
 
 rm -rf "./hosts/$host"
 
+"$(dirname "$0")/update-keys.sh"
+
+echo "Please remove SSH key pairs for any users that used to connect to $host."
 echo "Host $host has been successfully removed."
-echo "Please remove SSH key pairs for any users that used to connect to this host."

lib/scripts/update-keys.sh

@@ -5,18 +5,18 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-if [[ -z "$SOPS_AGE_KEY_FILE" ]]; then
-  echo "Please set the SOPS_AGE_KEY_FILE environment variable"
-  exit 1
-fi
-
 find . -type f -name 'sops.yaml' | while IFS= read -r sops_file; do
   dir=$(dirname "$sops_file")
-  echo "$dir"
+
+  namespace=$(grep -A1 "namespaces:" "$sops_file" | tail -n1 | awk '{print $2}' | tr -d '&')
+  SOPS_AGE_KEY_FILE="./secrets/$namespace/key.txt"
+  export SOPS_AGE_KEY_FILE
+
   find "$dir" -maxdepth 1 -type f -regextype posix-extended \
     -regex '.+\.(yaml|yml|json|env|ini|bin)' \
     ! -name 'sops.yaml' | while IFS= read -r file; do
-      echo "$file"
       sops --config "$sops_file" updatekeys "$file" -y
     done
+
+  unset SOPS_AGE_KEY_FILE
 done