diff --git a/.gitignore b/.gitignore
index 8471894..43980b5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
-**/key.txt
-**/secrets/plaintext/*
+**/secrets/key.txt
+!**/secrets/key.txt.pub
+
+**/secrets/ssh_host_*_key
+!**/secrets/ssh_host_*_key.pub
+
+**/secrets/ssh/id_*_*_*
+!**/secrets/ssh/id_*_*_*.pub
diff --git a/README.md b/README.md
index 182e7fa..e50c1d3 100644
--- a/README.md
+++ b/README.md
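Review bot: Replacing `**/key.txt` with `**/secrets/key.txt` narrows the rule, so an age key written or copied anywhere other than a `secrets/` directory is no longer ignored, and since README step 3 in this same commit copies the private host key into `hosts/eirene/vm/secrets/`, these patterns are now the only barrier between private key material and the repository. Keeping the broad rule as well, `**/key.txt`, costs nothing and still covers the stray-copy case. The `!**/secrets/key.txt.pub` negation only matters if such a file is ever produced, which age itself does not do as far as I can tell, so it may be dead. An ignore rule does not stop `git add -f` or a renamed copy; a pre-commit hook that rejects files whose first line starts with `AGE-SECRET-KEY-` or `-----BEGIN` is a cheap second layer.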
@@ -6,30 +6,72 @@ NixOS dotfiles and configuration. The below installation example is for a fresh `eirene-vm` virtual machine. -### Mount NixOS Configuration +1. Mount NixOS Configuration -```sh -sudo -i -mkdir /host -mount -t virtiofs host /host -``` + ```sh + sudo -i + mkdir /host + mount -t virtiofs host /host + ``` -### Format Disks +2. Format Disks -```sh -nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko /host/hosts/eirene/format.nix --arg device '"/dev/vda"' -``` + ```sh + nix --experimental-features "nix-command flakes" run github:nix-community/disko -- --mode disko /host/hosts/eirene/format.nix --arg device '"/dev/vda"' + ``` -### Install NixOS +3. Generate Host SSH Key -```sh -mkdir -p /mnt/etc/nixos -cp -r /host/* /mnt/etc/nixos -nixos-install --root /mnt --flake /mnt/etc/nixos#eirene-vm -``` + ```sh + mkdir -p /mnt/persist/etc/ssh + ssh-keygen -t ed25519 -f /mnt/persist/etc/ssh/ssh_host_ed25519_key + cp /mnt/persist/etc/ssh/ssh_host_ed25519_key /host/hosts/eirene/vm/secrets/ssh_host_ed25519_key + ``` -### Reboot +4. Update `sops` Configuration -```sh -reboot -``` + ```sh + nix-shell -p ssh-to-age --run 'cat /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' + + find . -type f -name 'sops.yaml' -exec nano {} \; + + export SOPS_AGE_KEY_FILE=/host/users/nick/secrets/key.txt + + find . -type f -name 'sops.yaml' | while read -r sops_file; do + dir=$(dirname "$sops_file") + find "$dir" -maxdepth 1 -type f -regextype posix-extended -regex '.+\.(yaml|yml|json|env|ini|bin)' | while read -r file; do + nix-shell -p sops --run 'sops --config $sops_file updatekeys $file' + done + done + ``` + +5. 
Update Nix Configuration Keys + + - Known Hosts + + ```sh + # Add to hosts/common/default.nix.programs.ssh.knownHosts + cp /mnt/persist/etc/ssh/ssh_host_ed25519_key.pub /host/hosts/eirene/vm/secrets/ssh_host_ed25519_key.pub + ``` + + - SSH Keys + + ```sh + # Generate a new SSH key pair for every user in the current system for every existing host that will connect to the new host + # Add to hosts/eirene/vm/default.nix.users.users.nick.openssh.authorizedKeys.keyFiles + ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_eirene-vm_nick + ``` + +6. Install NixOS + + ```sh + mkdir -p /mnt/persist/etc/nixos + cp -r /host/* /mnt/persist/etc/nixos + nixos-install --root /mnt --flake /mnt/persist/etc/nixos#eirene-vm + ``` + +7. Reboot + + ```sh + reboot + ``` diff --git a/flake.lock b/flake.lock index 09a76fc..4eff219 100644 --- a/flake.lock +++ b/flake.lock @@ -121,11 +121,11 @@ ] }, "locked": { - "lastModified": 1718008439, - "narHash": "sha256-nlh/2uD5p2SAdkn6Zuey20yaR5FFWvhL3poapDGNE4Y=", + "lastModified": 1718242063, + "narHash": "sha256-n3AWItJ4a94GT0cray/eUV7tt3mulQ52L+lWJN9d1E8=", "owner": "nix-community", "repo": "disko", - "rev": "c1cfbfad7cb45f0c177b35b59ba67d1b5fc7ca82", + "rev": "832a9f2c81ff3485404bd63952eadc17bf7ccef2", "type": "github" }, "original": { @@ -190,11 +190,11 @@ ] }, "locked": { - "lastModified": 1718141734, - "narHash": "sha256-cA+6l8ZCZ7MXGijVuY/1f55+wF/RT4PlTR9+g4bx86w=", + "lastModified": 1718243258, + "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=", "owner": "nix-community", "repo": "home-manager", - "rev": "892f76bd0aa09a0f7f73eb41834b8a904b6d0fad", + "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3", "type": "github" }, "original": { 
@@ -255,6 +255,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1717880976,
+ "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1714912032,
@@ -277,9 +293,31 @@
 "home-manager": "home-manager",
 "impermanence": "impermanence",
 "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix",
 "stylix": "stylix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1718137936,
+ "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
@@ -295,11 +333,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1718122552,
- "narHash": "sha256-A+dBkSwp8ssHKV/WyXb9uqIYrHBqHvtSedU24Lq9lqw=",
+ "lastModified": 1718292734,
+ "narHash": "sha256-XAwxzCDfExqIj0PIjEpjt3eOzsosxOCLx6sQWHPSrSg=",
 "owner": "danth",
 "repo": "stylix",
- "rev": "e59d2c1725b237c362e4a62f5722f5b268d566c7",
+ "rev": "73c6955b4572346cc10f43a459949fe646efbde0",
 "type": "github"
 },
 "original": {
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 2c88e6c..a93d00b 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 inputs.impermanence.nixosModules.impermanence
+ inputs.sops-nix.nixosModules.sops
 ./configs/zsh.nix
 ./configs/neovim.nix
 ./configs/tmux.nix
@@ -37,7 +38,7 @@ "/var/lib/systemd/coredump" ]; files = [ - "/var/lib/sops-nix/key.txt" + "/etc/ssh/ssh_host_ed25519_key" "/etc/machine-id" "/root/.zsh_history" ]; @@ -55,20 +56,31 @@ networking.networkmanager.enable = true; i18n.defaultLocale = "en_US.UTF-8"; - users.defaultUserShell = pkgs.zsh; + + users = { + mutableUsers = false; + defaultUserShell = pkgs.zsh; + }; programs = { nix-ld = { enable = true; libraries = [ ]; }; + ssh.knownHosts = { + eirene-vm.publicKeyFile = ../eirene/vm/secrets/ssh_host_ed25519_key.pub; + }; }; security.sudo.extraConfig = '' Defaults lecture = never ''; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + sops.age = { + generateKey = true; + sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; + keyFile = "/var/lib/sops-nix/key.txt"; + }; system = { autoUpgrade = { @@ -84,4 +96,6 @@ stateVersion = "24.05"; }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; } diff --git a/hosts/eirene/vm/secrets/ssh_host_ed25519_key.pub b/hosts/eirene/vm/secrets/ssh_host_ed25519_key.pub new file mode 100644 index 0000000..2f8caec --- /dev/null +++ b/hosts/eirene/vm/secrets/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/ImO80n4+M8AIkS75leQiju6/zu09qV0keROjE6VC root@eirene-vm diff --git a/users/common/default.nix b/users/common/default.nix index dcd2aa7..857a4b4 100644 --- a/users/common/default.nix +++ b/users/common/default.nix @@ -75,6 +75,7 @@ in ]; files = [ ".zsh_history" + ".key.txt" ]; allowOther = true; }; diff --git a/users/nick/default.nix b/users/nick/default.nix index 2c4b225..2232f9c 100644 --- a/users/nick/default.nix +++ b/users/nick/default.nix 
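Review bot: `generateKey = true` together with `keyFile = "/var/lib/sops-nix/key.txt"` in the `sops.age` block of the third hosts/common/default.nix hunk creates a fresh age key whenever that file is missing (as I read sops-nix), and the second hunk drops `/var/lib/sops-nix/key.txt` from the persisted files, so on the impermanent root a throwaway key would be generated on every boot while secrets are actually decrypted with the key derived from `sshKeyPaths`. If that extra key is not used anywhere, `generateKey = false;` and dropping `keyFile` make the persisted host key the single, explicit trust root; if it is used, the file has to go back into the persistence list. `sshKeyPaths` points at `/persist/etc/ssh/ssh_host_ed25519_key` while the persisted entry is `/etc/ssh/ssh_host_ed25519_key`, which is the usual pattern because secrets are decrypted before the bind mounts exist, but it presumes the filesystem holding `/persist` is available in early activation (`neededForBoot`), which this diff does not show. `mutableUsers = false` is the right companion to `hashedPasswordFile`, but it leaves every account without a declared password source unusable, so any user other than nick needs one too. The enclosing attribute set runs past both ends of these hunks.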
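Review bot: Persisting `.key.txt` in the home directory (users/common/default.nix hunk) keeps what is presumably the user's private age key across reboots, given that README step 4 points `SOPS_AGE_KEY_FILE` at a `secrets/key.txt`, but impermanence only carries the file, not a safe mode, so confirm it is created 0600 and owned by the user and that the tooling is pointed at this path rather than sops's default `~/.config/sops/age/keys.txt`, which this entry does not cover. A comment naming what the file is would help the next reader, e.g. `".key.txt" # user's private age key for sops`. The `files` list and `allowOther = true` belong to an attribute set that begins and ends outside the hunk.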
@@ -3,13 +3,19 @@ { imports = [ ../common ]; + sops.secrets.nick-password = { + sopsFile = ./secrets/secrets.yaml; + key = "password"; + neededForUsers = true; + }; + users.users.nick = { isNormalUser = true; home = "/home/nick"; email = "nick@karaolidis.com"; fullName = "Nikolaos Karaolidis"; description = config.users.users.nick.fullName; - hashedPassword = "***REMOVED***"; + hashedPasswordFile = config.sops.secrets.nick-password.path; extraGroups = [ "wheel" ]; linger = true; uid = 1000;
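Review bot: `neededForUsers = true` has sops-nix decrypt this secret in the early activation stage, before user accounts exist, so the key configured in `sops.age.sshKeyPaths` must already be readable at that point; with impermanence that holds only if the filesystem providing `/persist` is mounted with `neededForBoot = true`, which is not visible in this diff and is worth confirming. The removed `hashedPassword = "***REMOVED***"` reads like an earlier history rewrite; if the real hash was ever pushed it should be treated as exposed and the password rotated when the value is moved into `secrets.yaml`, not just copied over. `users.users.nick` continues past the end of the hunk.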