karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update install script

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-08-18 13:32:46 -04:00
parent fd78a2b3a2
commit 9b9c38c265
1 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
hosts/common/configs/system/nix-install/install.sh
View File

@@ -43,17 +43,17 @@ check_host() {
}
check_key() {
if [[ -n "$key" ]] && [[ ! -f "$flake/secrets/$key/key.txt" ]]; then
if [[ -n "$key" ]] && [[ ! -f "$flake/submodules/secrets/domains/$key/key.txt" ]]; then
echo "Key '$key' not found."
exit 1
fi
}
set_password_file() {
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
export SOPS_AGE_KEY_FILE
install -m 600 /dev/null /tmp/keyfile
sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
sops --decrypt --extract "['luks']" "$flake/submodules/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
unset SOPS_AGE_KEY_FILE
}
@@ -66,7 +66,7 @@ prepare_disk() {
copy_sops_keys() {
mkdir -p "$root/persist/state/etc/ssh"
cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
cp -f "$flake/submodules/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
for path in "$flake/hosts/$host/users"/*; do
if [[ -z "$key" ]]; then
@@ -77,7 +77,7 @@ copy_sops_keys() {
user=$(basename "$path")
mkdir -p "$root/persist/state/home/$user/.config/sops-nix"
cp -f "$flake/secrets/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
cp -f "$flake/submodules/secrets/domains/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
owner=$(cat "$flake/hosts/$host/users/$user/uid")
group=100
@@ -92,16 +92,16 @@ copy_sops_keys() {
copy_secure_boot_keys() {
mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
export SOPS_AGE_KEY_FILE
sops --decrypt --extract "['guid']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
sops --decrypt --extract "['guid']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
sops --decrypt --extract "['keys']['kek']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
sops --decrypt --extract "['keys']['kek']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
sops --decrypt --extract "['keys']['pk']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
sops --decrypt --extract "['keys']['pk']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
sops --decrypt --extract "['keys']['db']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
sops --decrypt --extract "['keys']['db']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*