Unfuck secrets

Don't worry why all the commit hashes suddenly changed, it's fine.

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "sops.defaults.ageKeyFile": "./secrets/personal/key.txt"
+}

hosts/common/configs/system/nix-install/install.sh

@@ -64,7 +64,7 @@ prepare_disk() {
 
 copy_keys() {
   mkdir -p "$root/persist/etc/ssh"
-  cp "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/etc/ssh/ssh_host_ed25519_key"
+  cp -f "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/etc/ssh/ssh_host_ed25519_key"
 
   for path in "$flake/hosts/$host/users"/*; do
     if [[ -z "$key" ]]; then
@@ -74,11 +74,14 @@ copy_keys() {
     local user
     user=$(basename "$path")
     mkdir -p "$root/persist/home/$user/.config/sops-nix"
-    cp "$flake/secrets/$key/key.txt" "$root/persist/home/$user/.config/sops-nix/key.txt"
+    cp -f "$flake/secrets/$key/key.txt" "$root/persist/home/$user/.config/sops-nix/key.txt"
-    chown -R "$(cat "$flake/hosts/$host/users/$user/uid"):100" "$root/persist/home/$user"
   done
 }
 
+set_permissions() {
+  chown -R "$(cat "$flake/hosts/$host/users/$user/uid"):100" "$root/persist/home/$user"
+}
+
 install() {
   nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd
 }
@@ -139,12 +142,14 @@ main() {
     install)
       prepare_disk "destroy,format,mount"
       copy_keys
+      set_permissions
       install
       if [[ "$copy_config_flag" == "true" ]]; then copy_config; fi
       if [[ "$reboot_flag" == "true" ]]; then finish; fi
       ;;
     repair)
       prepare_disk "mount"
+      copy_keys
       install
       if [[ "$reboot_flag" == "true" ]]; then finish; fi
       ;;

hosts/elara/secrets/ssh_host_ed25519_key.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD nick@eirene
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara

hosts/installer/secrets/ssh_host_ed25519_key.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIK+JkxkC0E8w0IF59gtpG55JBS/osqs1B7VhsI0eI nick@eirene
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIK+JkxkC0E8w0IF59gtpG55JBS/osqs1B7VhsI0eI root@installer

lib/scripts/add-host.sh

@@ -1,33 +1,198 @@
-#!/usr/bin/env -S nix shell nixpkgs#ssh-to-age -c bash
+#!/usr/bin/env -S nix shell nixpkgs#ssh-to-age nixpkgs#age nixpkgs#sops -c bash
 # shellcheck shell=bash
 
 set -o errexit
 set -o nounset
 set -o pipefail
 
-if [[ "$#" -ne 2 ]]; then
+if [[ "$#" -ne 1 ]]; then
-  echo "Usage: $0 <host> <sops-master-key>"
+  echo "Usage: $0 <host>"
   exit 1
 fi
 
 host="$1"
 
 mkdir -p "./hosts/$host/secrets"
-
+ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -C "root@$host" -N ""
-ssh-keygen -t ed25519 -f "./hosts/$host/secrets/ssh_host_ed25519_key" -N ""
-
 age_key=$(ssh-to-age < "./hosts/$host/secrets/ssh_host_ed25519_key.pub")
 
-find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
+cat <<EOF > "./hosts/$host/secrets/sops.yaml"
-  sed -i "/- hosts:/a\      - &$host $age_key" "$sops_file"
+keys:
-  sed -i "/- age:/a\          - *$host" "$sops_file"
+  - hosts:
+      - &$host $age_key
+  - namespaces:
+      - &personal $(age-keygen -y ./secrets/personal/key.txt | tr -d '\n')
+
+creation_rules:
+  - path_regex: .+\.(yaml|yml|json|env|ini|bin)
+    key_groups:
+      - age:
+          - *$host
+          - *personal
+EOF
+
+luks=""
+luks_confirm=""
+
+until [[ "$luks" == "$luks_confirm" && -n "$luks" ]]; do
+  read -r -s -p "Enter LUKS passphrase for $host: " luks
+  echo
+  read -r -s -p "Confirm LUKS passphrase for $host: " luks_confirm
+  echo
+
+  if [[ "$luks" != "$luks_confirm" ]]; then
+    echo "They didn't match. Let's try again."
+  fi
 done
 
-sed -i "/knownHosts = {/a\      $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix
+machine_id=$(uuidgen -r | tr -d -)
-sed -i "/userKnownHostsFile = lib.strings.concatStringsSep \" \" \[/a\        ../../../../../$host/secrets/ssh_host_ed25519_key.pub" ./hosts/common/configs/user/console/ssh/default.nix
 
-"$(dirname "$0")/update-keys.sh" "$2"
+cat <<EOF > "./hosts/$host/secrets/.decrypted~secrets.yaml"
+luks: '$luks'
+machineId: $machine_id
+EOF
+
+tmp_age_key="$(mktemp)"
+echo "$age_key" > "$tmp_age_key"
+export SOPS_AGE_KEY_FILE="$tmp_age_key"
+
+sops --config "./hosts/$host/secrets/sops.yaml" --encrypt "./hosts/$host/secrets/.decrypted~secrets.yaml" > "./hosts/$host/secrets/secrets.yaml"
+
+unset SOPS_AGE_KEY_FILE
+rm -f "$tmp_age_key"
+rm -f "./hosts/$host/secrets/.decrypted~secrets.yaml"
+
+mkdir -p "./hosts/$host/hardware"
+
+cat <<'EOF' > "./hosts/$host/hardware/default.nix"
+{ ... }:
+{
+
+}
+EOF
+
+cat <<'EOF' > "./hosts/$host/format.nix"
+{
+  disko.devices = {
+    disk.installer = {
+      device = ""; # Set this to the device you want to install to
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "esp";
+            size = "512M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              name = "main";
+              type = "luks";
+              passwordFile = "/tmp/installer.key";
+              settings = {
+                allowDiscards = true;
+              };
+              content = {
+                type = "btrfs";
+                extraArgs = [ "-f" ];
+                subvolumes = {
+                  "@" = {
+                    mountpoint = "/";
+                  };
+                  "@persist" = {
+                    mountpoint = "/persist";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                  };
+                  "@nix" = {
+                    mountpoint = "/nix";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                  };
+                  "@cache" = {
+                    mountpoint = "/cache";
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
+EOF
+
+cat <<EOF > "./hosts/$host/default.nix"
+{ inputs, ... }:
+{
+  imports = [
+    ../../lib
+
+    inputs.disko.nixosModules.disko
+    ./format.nix
+
+    ./hardware
+
+    ../common/configs/system/boot
+    ../common/configs/system/btrfs
+    ../common/configs/system/documentation
+    ../common/configs/system/impermanence
+    ../common/configs/system/nix
+    ../common/configs/system/nix-cleanup
+    ../common/configs/system/nixpkgs
+    ../common/configs/system/ntp
+    ../common/configs/system/sops
+    ../common/configs/system/system
+    ../common/configs/system/users
+    ../common/configs/system/zsh
+  ];
+
+  networking.hostName = "$host";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  sops.defaultSopsFile = ./secrets/secrets.yaml;
+}
+EOF
+
+cat <<EOF > "./hosts/$host/README.md"
+# $host
+
+## Post-Install Checklist
+EOF
+
+new_entry="| \`$host\` | [hosts/$host/README.md](./hosts/$host/README.md) |"
+last_table_line=$(grep -n "^| " README.md | tail -n 1 | cut -d: -f1)
+sed -i "${last_table_line}a$new_entry" README.md
+
+sed -i "/knownHosts = {/a\\      $host.publicKeyFile = ../../../../$host/secrets/ssh_host_ed25519_key.pub;" ./hosts/common/configs/system/ssh/default.nix
+
+nix fmt
 
 echo "Host $host has been successfully added."
-echo "You can generate SSH key pairs for any users that need to connect to user@host using the following command:"
+echo "Age Public Key: $age_key"
-echo "ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_${host}_<user>"
+echo
+echo "If you need user-level SSH keys, generate them like this:"
+echo "  ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_${host}_<user>"

lib/scripts/remove-host.sh

@@ -5,8 +5,8 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-if [[ "$#" -ne 2 ]]; then
+if [[ "$#" -ne 1 ]]; then
-  echo "Usage: $0 <host> <sops-master-key>"
+  echo "Usage: $0 <host>"
   exit 1
 fi
 
@@ -20,11 +20,11 @@ find . -type f -name "sops.yaml" | while IFS= read -r sops_file; do
 done
 
 sed -i "/$host/d" ./hosts/common/configs/system/ssh/default.nix
-sed -i "/$host/d" ./hosts/common/configs/user/console/ssh/default.nix
+sed -i "/$host/d" ./README.md
-
-"$(dirname "$0")/update-keys.sh" "$2"
 
 rm -rf "./hosts/$host"
 
+"$(dirname "$0")/update-keys.sh"
+
+echo "Please remove SSH key pairs for any users that used to connect to $host."
 echo "Host $host has been successfully removed."
-echo "Please remove SSH key pairs for any users that used to connect to this host."

lib/scripts/update-keys.sh

@@ -5,18 +5,18 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-if [[ -z "$SOPS_AGE_KEY_FILE" ]]; then
-  echo "Please set the SOPS_AGE_KEY_FILE environment variable"
-  exit 1
-fi
-
 find . -type f -name 'sops.yaml' | while IFS= read -r sops_file; do
   dir=$(dirname "$sops_file")
-  echo "$dir"
+
+  namespace=$(grep -A1 "namespaces:" "$sops_file" | tail -n1 | awk '{print $2}' | tr -d '&')
+  SOPS_AGE_KEY_FILE="./secrets/$namespace/key.txt"
+  export SOPS_AGE_KEY_FILE
+
   find "$dir" -maxdepth 1 -type f -regextype posix-extended \
     -regex '.+\.(yaml|yml|json|env|ini|bin)' \
     ! -name 'sops.yaml' | while IFS= read -r file; do
-      echo "$file"
       sops --config "$sops_file" updatekeys "$file" -y
     done
+
+  unset SOPS_AGE_KEY_FILE
 done