diff --git a/readme.md b/readme.md
index 740c52c..97de26f 100644
--- a/readme.md
+++ b/readme.md
@@ -7,32 +7,21 @@ export HOSTNAME=desired_hostname_for_this_machine (___)
 export USERNAME=desired_username_for_admin_on_this_machine (josh) - Follow nixos installation guide: https://nixos.wiki/wiki/NixOS_Installation_Guide - Follow until the config is generated
-- in hardware-configuration change to use by-labels
-```sh
-# TODO command to do this in one line
-```
-- in configuration.nix
- - set networking.hostname to HOSTNAME
- - enable networkmanager
- - uncomment systemPackages and add: `git` `curl`
- - add `nix.settings.experimental-features = [ "nix-command" "flakes" ];`
- - add `users.users.USERNAME = { ... todo, just enough to get to git clone the real nixos config into its home .config folder }
-```
-users.users.josh = {
- initialPassword = "password1";
- isNormalUser = true;
- extraGroups = [ "wheel" "networkmanager" "video" "input" ];
-};
-```
- - TODO add whatever is needed for default pubkeys for onboarding later
-- Install nixos: `cd /mnt` `sudo nixos-install`
- - `passwd` to change root password (if not already prompted to do so)
+- `curl -O https://share.joshuabell.link/nix/onboard.sh && chmod +x onboard.sh && ./onboard.sh` - `reboot`
-- login to USERNAME and git clone nixos-config `git clone __ ~/.config/nixos-config`
+- log into USERNAME with `password1`, use `passwd` to change the password
+
+
+- Copy public keys into secrets.nix file
+ - `cat /etc/ssh/ssh_host_ed25519_key.pub ~/.ssh/id_ed25519.pub`
+- git clone nixos-config `git clone https://github.com/RingOfStorms/dotfiles.git ~/.config/nixos-config`
+- `sudo nixos-rebuild switch --flake ~/.config/nixos-config` - TODO ONBOARD NEW MACHINE CONFIGS, secrets, etc - use hostname to make new folders in the repo, copy hardware config, and create config from template. Update flake.nix with top level info needed for this system with ARCH detected.
- Copy public keys into secrets.nix file - - push changes
+ - `cat /etc/ssh/ssh_host_ed25519_key.pub ~/.ssh/id_ed25519.pub`
+ - `git commit -a --author="Bot " --email="bot@joshuabell.dev" -m "secrets update"`
+ - rekey system with another onboarded device... (make this offlinable?), push there, pull here - `sudo nixos-rebuild switch --flake ~/.config/nixos-config` - reboot? done
@@ -44,6 +33,9 @@ users.users.josh = {
 ###
 ###
+###
+###
+###
 # First Install on new Machine
diff --git a/secrets/nix2bitbucket.age b/secrets/nix2bitbucket.age
index 19aa91f..45b16ca 100644
--- a/secrets/nix2bitbucket.age
+++ b/secrets/nix2bitbucket.age
@@ -1,27 +1,26 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBvdm8z -MGkweENnTjlxK3lubmtXUlRHUDJLOTM0MGRJQmtOUXZpSG1IUlJZClY1amJtdkZw -T3dWRnBqdFVlRGpxQWFydUJUcm9hRTI0WHYrVjh3ZVE5bUEKLT4gc3NoLWVkMjU1 -MTkgSjkxOXNRIGZQWG85d0lzZWVtWG4weXRBY0ZoQVN6WmdEemtxa2FpYm1FRHND -SXZSd2cKbWRLbUdrTm1oMFZtNnR6eDU4ckJOK2RyTENnV1NaWjlSVTZ5eEhOQ0N0 -dwotPiBzc2gtZWQyNTUxOSBlNmUwbFEgNzJ1TG5rbllNaThwTDNtZmdVSHZuK2hp -MWw5TFJZbEtOdHdmY2g5VittWQpHRjdMelI3TURuYUYwVXFRSWVHeU1UUzRUaDFh -SDVWR3pmV1gvMkV2c1NBCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBXUWFJc2ljM0Nr -cUJxVWJrSjVvWkE5MnV6SmpWYit4dnZraWxJQTYwelYwClNzSGhOWGFXcXVyc3pq -bVBzeW1UNE1RdUU4SWZEd1FwUmhkb1lmKzRKalkKLT4gc3NoLWVkMjU1MTkgWHpm -bWFRIFk2SkxTRjBUNUhLdDZIbituV3BGckVoaEZsSnkrQVpRQ1I1QkZmaURWR1UK -aUpmbm1TUDlFYTBXZ2EvSWxPWmh5S0prTE5CcTFPanlZSDFpOFhtbEVEZwotPiAi -MXYrOyVZby1ncmVhc2Ugdk1fOlIoIG9WIHFmOiBeImc1Cis0bnA0a3UvU2tlZUJl -REFJa2owa056UEhGbTh6ZWdtM1VpY1pJZDdpL3Q3L0gvRTJMRnQzcjNsUFY5VHZh -dVUKREE1MzF4eEtIQmh0MU1uK2NMSWtFVk0zTGxxd0sxcDhtUmhpencKLS0tIElt -c2taOFBaWndsV0FhdXhtdy9JeFJTbFNJQ21iclI4UXVnZmZzZnlXWG8KU47pTls2 -3ZARHmIb7/3fPTn3a5wwOmV8x4jqz+IfKcmSapkLn2y0PIptecAHSIm+a6CgkH8i -ZA/qvrB/m5AYfAIUVcbhpb6zT1jj4K1ZqY1yUP8BeCOa+wrZeiOkcGkAxtzvKIF7 -4GCz92dpEayxsdFLgQKJpG+37hyWP1dlASTnk114/Nv99wGR8HG+Bg85eY2PWluz -hLI8dVKPURDmwQcXRionE8IjnEmSHI6XdggMAQwB0mh6AZRZFzK76Flb1Fr7C/fQ -8ecNbhvxPUDxPNYVLpN7EGyaPiMbpxOVd8HYWfCcJWQoqGBFNUXaQI3pSy68zVQh -cw+DJX6dCO7e4K+BDugS6CY2skvf58TVX0dq3SZ6dMJhtz/hCNdsnb0qVnjnSdUF -PK06nlRRxwNwJt8m1ar+3a85gkt3/U1t2hIT5dUVtRxD4OEr5fZbtZQfVvaYclVk -YbGgCWIoq4DYhNc10lwvMfq22uj1LaewEpgJKMGNQezfXf4LkDK5knnlCoaxFCpL -E4DWpCI9HfZAaqElLApqdfoslkK/14Cs3BLGC0PM9/3pNP9bAyaMwMA= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBKcjFv +ZU9GWjZUbUUvS3NqTWM3c3BVM0NiTzJHV3c1WlEzTVR3NC9xMVVFClI4Y0V2RGo0 +bHBOTFNxSkRybXI5R3RqWmdhUER2VTlPU2VMSkk0NFZQWVUKLT4gc3NoLWVkMjU1 +MTkgSmh2TCtRIGJXU3oyM3cxejlwbkxZMzJ0K3ZVcGVKOVNoUHNWaXQvVkNQcHo3 
+ajZxZ3cKSGhkeVlvRXdLeDVsSEtvbjk3b1Y0amkra2V4Q0tpejhOOG5DMWVtRk5h +YwotPiBzc2gtZWQyNTUxOSBTcENqQlEgak1pN0NFdzRSTHZWSmVQUTliN2N2dUNF +TlZZMDZIR0Jibzd2bWR0QmlFcwpES3c4RFVPQmJPMUIyRUN2RXp3T29LOVh6Zndx +dEVtTU83VHVONWdGQy84Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBKOU00NFp3eUNF +eisreEdWWit0NnVUWEFXSlljWWw0ZWVLdzQxY0RQMG1BCnlHaTFyT0tDelRPRTR2 +V1pJQ2pYY1NocDIxYnVjcnlER3ZLemFQLzRDS0UKLT4gc3NoLWVkMjU1MTkgWHpm +bWFRIEgvTXMvaFVtakZ3TWpJL21UdUV5dUxzRHkvWkc2NUhTMnQyNDhQZVByam8K +ZElhLzk3RUJaUHpTbzJYY1ZobmZhOHBvbkpOSjVYalc3WEJPSk1HMzBNWQotPiA3 +U1EzRC1ncmVhc2UgSCB9RmJbWypMIFBEZk1lWyBQYiM4PwpTb0VVa1AxNzUybmJC +eHJVRG5YZDNacWtMY0FNL3JoQ1EzRVl5TGhsCi0tLSBEc2xpOW5abXJKcDN5V3Y2 +QnRYZEFtQVpxUzJlc3BjZHgrSXlVK21vOXdBCuechgwjNXeTperxwDba+R23mtp7 +YfhBuIGYQoUMRVjhYNQ96V8iDojg7fgd/MLd8j2WVgIyWSG11wvYzNZanvXtpSLA +rMzyy3DTGVQow/RxLcmCNOo/f81pLqdX89wlUhXVg8SRs/w/2kITY9eOWm7K8c8f +PpzGvEzFVXq64PxjA7h113kjB5iknJb7UGXP8tDzFUJeAOA0yEHoLLfOSGSqscrO +xkCwtgm7R06cp0WG1qD6AfEhUPrNLdlSxOnxwJLq9DA9WCtVjuVvg+TJd4hIZAZZ +DC0D9kpFgjf+FD0cSMdGtlroVBeRbZNbdj+Tdhf7FFjj5tfSCMSjitqCkT2JXAWG +3KXAGGi4OJ9tumT7WHqDtVTZ0ZnxgfRXRKuJ0aIiV4mtVXoF7UypGT1sGL1L7gVl +A3t8xVo/pQa78RyuqlnNfewHpTKeGzedRWeQLl2pGYehXZlxZ+dWFQiwWzqo0rUW +ghGNXPnmrYfKQiFOQs8GXOWk5AMo2+kLfWpSpyQb4ZBV43vWRoD4OvYzkAKobQZW +fyACTksnZ1+GcsEJkz/j+otnQawPODQswyAz -----END AGE ENCRYPTED FILE----- diff --git a/secrets/nix2github.age b/secrets/nix2github.age index ee0bcad..4df931a 100644 --- a/secrets/nix2github.age +++ b/secrets/nix2github.age 
@@ -1,26 +1,25 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBDVnVp -ck9SRFpLSkY1MFo0cXNERWlPRi9zcHhNbHdlYVJzcWE1YmZScjFrCjEyTmtLOUkr -VW5HZzdrOHFvWWs1bGFjS0FBd1kwTzA4ZEZSUVVMWWtWaDgKLT4gc3NoLWVkMjU1 -MTkgSjkxOXNRIDY1T00vYVN0Nm5sbEMrcEw4VzIzV241Um1QZHpnS1dSaWJYN3FF -S2pNRjQKQmxzaE9pTlI5L2E0NTZvNlp4QWJ0MXJHdmlwNS9HU3MzQ0NrRnJ5cjJC -awotPiBzc2gtZWQyNTUxOSBlNmUwbFEgcmQyVld2b0JKbUcrWDBxZHdJNDVESU9y -Qk13Y3hicGNFV0tjMHhYQjF6dwpLSDc4VW14NVVEV21oQldHWEVxWXcwRFViTGFv -LzhhcjRPdlZKTWZQS3U0Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBsL3lwTURwT1Z0 -Vmt0czdNMk9scDZPdzJtbUNyalNhR242c0k3WTJEcmlZCmxnRDBSREFQdFB0dHFI -aU13NjlYeDIrUlB5WmUvZ21takkybHE3M1VlSXcKLT4gc3NoLWVkMjU1MTkgWHpm -bWFRIFhhaVA1aTUzNnFQeDZIaWV4VFZpa2pyVFIzTDJCSGhxMHpUaDNzRnlOVG8K -ZkNPbTd5ZEUweld3bUdRNFdkZkVuK3Jtamx5Y3lSbkxFMWs5VjhKenVkawotPiBK -W1ZLNC1ncmVhc2UgZF9aNUhAdgowTHowdTVwbnM1YmJzL1VoSUlvOXpxT2lDQ21o -bmlzWkJrc21WOTlIM0xhcG50YWs0U2lqSXNtN1pWdwotLS0gQ0lTQ2tMbkgxVW9D -ZHlRdjRkTmd0STBRR25UQTgrSXNrTnAzTjRrZUdFRQqsIz6SbS8zaf/NjwqqxgKg -W++hUEr40EzqYp5ubyIhSpUCuf52kBWRiDtS1aABEZbMDWNKcqYxxK7L7Bz/sDQN -SjR/H6HZmcxTuJWVL32c16d9rPAGcKzxfPWF7nrB5vx6KMVp/iZvuQOqtRgQuF8s -1fUHnUrLkSwQNwpqNzuHuU0kXEbrb7unPVv8ES/iKec+QR353KIM1xe62AYMRSfM -baHlLNx1NHs2e3KiHNH8rXH58nRm+26xXpNyIksUyYGhAMNV4/0+dx/saUlmUtDg -nm3iph8EUqCpjVuwhgRdylABgZglruSuAKYyVQceQkyd2XOePXsfn05hF9V1IyrX -6I2OT49WFizz67Y4tPaOe/oYOVIqLDOz7V/StJEn99LwHIZnQ4khm7+nmhQUtICH -KrOIAZmikWmou4KY2dnqGv0gWR1Gg4GYNDOXEUt9twbdUAUwU8qDzgX5MtIc+DMK -JnfKQ1zNM1KJ6arg3v1ECttmfpc5nJzr1voF4oEkK2wTsKpKBlG1h8tVKkF1byIP -PPkCLKTJKJgmF80/HOLB6a9vKEMpssGRsAPY1Vq08g== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA5K2pi +Uklvd2ZvQTl4c3MvR1UxSW1hbDd2Vm52WThnek5BZWJ6MW51VEZVCjJmOU1KQVRH +Ymt2Mjc2Si9lYnlCVkkyOGVqYi9YWGdiNXNGTlRIbHhkOXcKLT4gc3NoLWVkMjU1 +MTkgSmh2TCtRIDVxRDdtTnRlRDdZblp1ZWpCY3d0K004ZXBlZlBrNk1YbzR6VW42 +RkUveWMKVFErQ2ZFa21jMnRZN01pQ3lFcGh0aE41Q2N1K1RBVzdUcDhWb2ZDUmky 
+UQotPiBzc2gtZWQyNTUxOSBTcENqQlEgc0VHY2loWUE1bE1SWGFnK3NNd05MRWZn +aVF5YkZDSmdYS1hyUitOcnNVOApoc3ZYVEkwK0s2RGFSKzJFYVF2RTZnMTZKNGow +NHI5MUZqL0JTY3ZNaE9ZCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBQT1g3UE5FMzhD +RGYyY1Z5ak50WWZIMXJ2blZJbHF6YXIzaE1yR010RlMwCjl5SGdWZXQzN3pxQVlV +dThjdVZoa0JjMEZkU1Z6M1EzaFBHRnc2WjIrT2sKLT4gc3NoLWVkMjU1MTkgWHpm +bWFRIEJiekNLbnJJTnBhbXJRTG5PbEV2aXduUlpWeGVUbU1pU0FsV1lIdDVqeGsK +eWRib0M5OVpZLy9vVWlPZGlZSmpYbTdKT0laTXVPUDVETERWL3JaSkUvYwotPiBz +cy1ncmVhc2UgOjtIXSUlIEQjaSA8KztFCkF2cFlySW9XcEEKLS0tIEJ3Nkt2eUpx +QjRDNWlIb0VsQmhsUVFpQkQ4M1ZPL25kbWdyUm9VakYwR0UKBHyggpWP1+Q4dzNQ +ECj83/w+OEw5S++7DsW+6ZCMc3of0+WJs6H6IVyTKl9QYaMjGDlvi3bM9cwsk1LW +YRWoXS+TVx715ZV3Su5WAR2hjctX7QiogbiYqmjZ2B7t4WP7lJ2pLa5puq0uXN4r +Ek0wInGrCIMGhFIOxytBBJYEoNhn6KUIKzn85501ZAPHPcZSySz3DMsrlDKnvrpE +/GymcBJyKk8X4B39hMjwuhW1xxJkQ43r6pSjpBu/QGbgqdxQ29VoabAKl2xo1kIg +uky8M9neBg66hemZziUaMvGgCspXITln3zCuvOmZVF9Q/Ry1RIhW42SgaqnIqcC0 +LIW52N3BnRv1p7vtrtPY8Khuion99ppJIIChHtbnv9rugoUB+FJsdYx9E+kYHF6R +acoJgMFT2eDae4/v8CpEfG/e0y0zPvTry1crAyaHMWpqQI7qIhfNqJ+v1aMbce1f +i6DPAxU6+Hsb8dUhkOvsEOGxbbPLDu1/IlpviCqNARpwZ0tEQ0NELCnvXErLXPLB +vgPX0sw0qUeCPBztrdqWznWqlPr9TDAR2y+OysPS8wBALYY= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index fa3a51f..f766a8f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -4,15 +4,13 @@
 # System key: `cat /etc/ssh/ssh_host_ed25519_key.pub`
 #
 # from authority
-# `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) >
+# `nix run github:yaxitech/ragenix -- -i ~/.ssh/ragenix_authority --rules ~/.config/nixos-config/secrets/secrets.nix` <-r(eykey)|-e(edit) >
 let
 publicKeys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key"
- # gpdPocket3
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhgYzACsd0GPuF8bl9SFB5y9KDwv+pU9UihoInzhRok josh@gpdPocket3"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnV4aVyKStFH1KySfnuqBq+DLvyvJhRfKtMs7PCKlIq root@nixos"
- # joe
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzAQ2Dzl8EvQtYLjEZS5K0bQeNop8QRkwrfxMkBagW2 root@gpdPocket3"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIr/aS0qyn5hCLR6wH1P2GhH3hGOqniewMkIseGZ23HB josh@gpdPocket3"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4PwrrOuZJWRjlc2dKBUKKE4ybqifJeVOn7x9J5IxIS josh@joe"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+GYfPPKxR/18RdD736G7IQhImX/CYU3A+Gifud3CHg root@joe"
 ];
diff --git a/users/_common/nix_modules/ssh-key.nix b/users/_common/nix_modules/ssh-key.nix
index 1ee5790..311084a 100644
--- a/users/_common/nix_modules/ssh-key.nix
+++ b/users/_common/nix_modules/ssh-key.nix
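Review bot: The gpdPocket3 recipients are swapped for new keys here, but only nix2bitbucket.age and nix2github.age are rekeyed in this commit; with age, removing a recipient from the rules file does not change files already encrypted to it, so if any other file under secrets/ was encrypted to the removed `josh@gpdPocket3` or `root@nixos` keys (I cannot see the rest of the directory) it would still need a rekey run before those old keys stop being able to decrypt it. The `# gpdPocket3` and `# joe` grouping comments are dropped on the new side while the joe keys stay, so the list loses its per-host labels; keeping `# gpdPocket3` above the two new keys and `# joe` above the joe pair would restore that as more hosts are added. The `--rules` path in the usage comment now points at `~/.config/nixos-config/secrets/secrets.nix`, which agrees with the clone location in the readme.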
@@ -1,21 +1,4 @@
 { settings, pkgs, ... }:
-let
- sshScript = pkgs.writeScript "ssh-key-generation" ''
- #!${pkgs.stdenv.shell}
- if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
- if [ -v DRY_RUN ]; then
- echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
- else
- echo "Generating SSH key for ${settings.user.username}."
- mkdir -p /home/${settings.user.username}/.ssh
- chmod 700 /home/${settings.user.username}/.ssh
- /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
- fi
- else
- echo "SSH key already exists for ${settings.user.username}."
- fi
- '';
-in
 {
 # Ensure SSH key pair generation for non-root users
 systemd.services.generate_ssh_key = {
@@ -24,7 +7,21 @@ in
 serviceConfig = {
 User = "${settings.user.username}";
 Type = "oneshot";
- ExecStart = sshScript;
 };
+ script = ''
+ #!/run/current-system/sw/bin/bash
+ if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519bbb ]; then
+ if [ -v DRY_RUN ]; then
+ echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
+ else
+ echo "Generating SSH key for ${settings.user.username}."
+ mkdir -p /home/${settings.user.username}/.ssh
+ chmod 700 /home/${settings.user.username}/.ssh
+ /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519bbb -N ""
+ fi
+ else
+ echo "SSH key already exists for ${settings.user.username}."
+ fi
+ '';
 };
 }
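Review bot: The new `script` in the second hunk tests for and writes `/home/${settings.user.username}/.ssh/id_ed25519bbb`, which looks like a leftover test suffix: ssh does not pick up `id_ed25519bbb` by default, the readme's onboarding step reads `~/.ssh/id_ed25519.pub`, and on a host that already has `id_ed25519` the unit would generate a second, unused key instead of reporting that one exists. Both occurrences should drop the suffix, `if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519 ]; then` and `/run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519 -N ""`; the `systemd.services.generate_ssh_key` set this belongs to opens in the first hunk. The `#!/run/current-system/sw/bin/bash` line inside `script` is only a comment, because NixOS wraps `script` in its own shell wrapper with the interpreter on line 1; it can go, and if a specific interpreter is required the old `serviceConfig.ExecStart` form with a written script is the way to get it. The key is still created with an empty passphrase (`-N ""`); since that is a deliberate property of this unattended onboarding flow, saying so in the `# Ensure SSH key pair generation` comment keeps it from reading as an oversight.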