gpdPocket3 updates

2024-04-25 19:22:42 -05:00 · 2024-04-25 19:22:42 -05:00 · 160b567583
commit 160b567583
parent 57090ccde1
5 changed files with 79 additions and 94 deletions
--- a/readme.md
+++ b/readme.md
@ -7,32 +7,21 @@ export HOSTNAME=desired_hostname_for_this_machine (___)
 export USERNAME=desired_username_for_admin_on_this_machine (josh)
 - Follow nixos installation guide: https://nixos.wiki/wiki/NixOS_Installation_Guide
    - Follow until the config is generated
- in hardware-configuration change to use by-labels
-```sh
-# TODO command to do this in one line
-```
- in configuration.nix
-    - set networking.hostname to HOSTNAME
-    - enable networkmanager
-    - uncomment systemPackages and add: `git` `curl`
-    - add `nix.settings.experimental-features = [ "nix-command" "flakes" ];`
-    - add `users.users.USERNAME = { ... todo, just enough to get to git clone the real nixos config into its home .config folder }
-```
-users.users.josh = {
-    initialPassword = "password1";
-    isNormalUser = true;
-    extraGroups = [ "wheel" "networkmanager" "video" "input" ];
-};
-```
-    - TODO add whatever is needed for default pubkeys for onboarding later
- Install nixos: `cd /mnt` `sudo nixos-install`
-    - `passwd` to change root password (if not already prompted to do so)
+- `curl -O https://share.joshuabell.link/nix/onboard.sh && chmod +x onboard.sh && ./onboard.sh`
 - `reboot`
- login to USERNAME and git clone nixos-config `git clone __ ~/.config/nixos-config`
+- log into USERNAME with `password1`, use `passwd` to change the password
+
+
+- Copy public keys into secrets.nix file
+    - `cat /etc/ssh/ssh_host_ed25519_key.pub ~/.ssh/id_ed25519.pub`
+- git clone nixos-config `git clone https://github.com/RingOfStorms/dotfiles.git ~/.config/nixos-config`
+- `sudo nixos-rebuild switch --flake ~/.config/nixos-config`
 - TODO ONBOARD NEW MACHINE CONFIGS, secrets, etc
    - use hostname to make new folders in the repo, copy hardware config, and create config from template. Update flake.nix with top level info needed for this system with ARCH detected.
    - Copy public keys into secrets.nix file
-    - push changes
+        - `cat /etc/ssh/ssh_host_ed25519_key.pub ~/.ssh/id_ed25519.pub`
+    - `git commit -a  --author="Bot <bot@joshuabell.dev>" --email="bot@joshuabell.dev" -m "secrets update"`
+        
    - rekey system with another onboarded device... (make this offlinable?), push there, pull here
 - `sudo nixos-rebuild switch --flake ~/.config/nixos-config`
 - reboot? done
@ -44,6 +33,9 @@ users.users.josh = {

 ###
 ###
+###
+###
+###


 # First Install on new Machine
--- a/secrets/nix2bitbucket.age
+++ b/secrets/nix2bitbucket.age
@ -1,27 +1,26 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBvdm8z
-MGkweENnTjlxK3lubmtXUlRHUDJLOTM0MGRJQmtOUXZpSG1IUlJZClY1amJtdkZw
-T3dWRnBqdFVlRGpxQWFydUJUcm9hRTI0WHYrVjh3ZVE5bUEKLT4gc3NoLWVkMjU1
-MTkgSjkxOXNRIGZQWG85d0lzZWVtWG4weXRBY0ZoQVN6WmdEemtxa2FpYm1FRHND
-SXZSd2cKbWRLbUdrTm1oMFZtNnR6eDU4ckJOK2RyTENnV1NaWjlSVTZ5eEhOQ0N0
-dwotPiBzc2gtZWQyNTUxOSBlNmUwbFEgNzJ1TG5rbllNaThwTDNtZmdVSHZuK2hp
-MWw5TFJZbEtOdHdmY2g5VittWQpHRjdMelI3TURuYUYwVXFRSWVHeU1UUzRUaDFh
-SDVWR3pmV1gvMkV2c1NBCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBXUWFJc2ljM0Nr
-cUJxVWJrSjVvWkE5MnV6SmpWYit4dnZraWxJQTYwelYwClNzSGhOWGFXcXVyc3pq
-bVBzeW1UNE1RdUU4SWZEd1FwUmhkb1lmKzRKalkKLT4gc3NoLWVkMjU1MTkgWHpm
-bWFRIFk2SkxTRjBUNUhLdDZIbituV3BGckVoaEZsSnkrQVpRQ1I1QkZmaURWR1UK
-aUpmbm1TUDlFYTBXZ2EvSWxPWmh5S0prTE5CcTFPanlZSDFpOFhtbEVEZwotPiAi
-MXYrOyVZby1ncmVhc2Ugdk1fOlIoIG9WIHFmOiBeImc1Cis0bnA0a3UvU2tlZUJl
-REFJa2owa056UEhGbTh6ZWdtM1VpY1pJZDdpL3Q3L0gvRTJMRnQzcjNsUFY5VHZh
-dVUKREE1MzF4eEtIQmh0MU1uK2NMSWtFVk0zTGxxd0sxcDhtUmhpencKLS0tIElt
-c2taOFBaWndsV0FhdXhtdy9JeFJTbFNJQ21iclI4UXVnZmZzZnlXWG8KU47pTls2
-3ZARHmIb7/3fPTn3a5wwOmV8x4jqz+IfKcmSapkLn2y0PIptecAHSIm+a6CgkH8i
-ZA/qvrB/m5AYfAIUVcbhpb6zT1jj4K1ZqY1yUP8BeCOa+wrZeiOkcGkAxtzvKIF7
-4GCz92dpEayxsdFLgQKJpG+37hyWP1dlASTnk114/Nv99wGR8HG+Bg85eY2PWluz
-hLI8dVKPURDmwQcXRionE8IjnEmSHI6XdggMAQwB0mh6AZRZFzK76Flb1Fr7C/fQ
-8ecNbhvxPUDxPNYVLpN7EGyaPiMbpxOVd8HYWfCcJWQoqGBFNUXaQI3pSy68zVQh
-cw+DJX6dCO7e4K+BDugS6CY2skvf58TVX0dq3SZ6dMJhtz/hCNdsnb0qVnjnSdUF
-PK06nlRRxwNwJt8m1ar+3a85gkt3/U1t2hIT5dUVtRxD4OEr5fZbtZQfVvaYclVk
-YbGgCWIoq4DYhNc10lwvMfq22uj1LaewEpgJKMGNQezfXf4LkDK5knnlCoaxFCpL
-E4DWpCI9HfZAaqElLApqdfoslkK/14Cs3BLGC0PM9/3pNP9bAyaMwMA=
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBKcjFv
+ZU9GWjZUbUUvS3NqTWM3c3BVM0NiTzJHV3c1WlEzTVR3NC9xMVVFClI4Y0V2RGo0
+bHBOTFNxSkRybXI5R3RqWmdhUER2VTlPU2VMSkk0NFZQWVUKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIGJXU3oyM3cxejlwbkxZMzJ0K3ZVcGVKOVNoUHNWaXQvVkNQcHo3
+ajZxZ3cKSGhkeVlvRXdLeDVsSEtvbjk3b1Y0amkra2V4Q0tpejhOOG5DMWVtRk5h
+YwotPiBzc2gtZWQyNTUxOSBTcENqQlEgak1pN0NFdzRSTHZWSmVQUTliN2N2dUNF
+TlZZMDZIR0Jibzd2bWR0QmlFcwpES3c4RFVPQmJPMUIyRUN2RXp3T29LOVh6Zndx
+dEVtTU83VHVONWdGQy84Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBKOU00NFp3eUNF
+eisreEdWWit0NnVUWEFXSlljWWw0ZWVLdzQxY0RQMG1BCnlHaTFyT0tDelRPRTR2
+V1pJQ2pYY1NocDIxYnVjcnlER3ZLemFQLzRDS0UKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIEgvTXMvaFVtakZ3TWpJL21UdUV5dUxzRHkvWkc2NUhTMnQyNDhQZVByam8K
+ZElhLzk3RUJaUHpTbzJYY1ZobmZhOHBvbkpOSjVYalc3WEJPSk1HMzBNWQotPiA3
+U1EzRC1ncmVhc2UgSCB9RmJbWypMIFBEZk1lWyBQYiM4PwpTb0VVa1AxNzUybmJC
+eHJVRG5YZDNacWtMY0FNL3JoQ1EzRVl5TGhsCi0tLSBEc2xpOW5abXJKcDN5V3Y2
+QnRYZEFtQVpxUzJlc3BjZHgrSXlVK21vOXdBCuechgwjNXeTperxwDba+R23mtp7
+YfhBuIGYQoUMRVjhYNQ96V8iDojg7fgd/MLd8j2WVgIyWSG11wvYzNZanvXtpSLA
+rMzyy3DTGVQow/RxLcmCNOo/f81pLqdX89wlUhXVg8SRs/w/2kITY9eOWm7K8c8f
+PpzGvEzFVXq64PxjA7h113kjB5iknJb7UGXP8tDzFUJeAOA0yEHoLLfOSGSqscrO
+xkCwtgm7R06cp0WG1qD6AfEhUPrNLdlSxOnxwJLq9DA9WCtVjuVvg+TJd4hIZAZZ
+DC0D9kpFgjf+FD0cSMdGtlroVBeRbZNbdj+Tdhf7FFjj5tfSCMSjitqCkT2JXAWG
+3KXAGGi4OJ9tumT7WHqDtVTZ0ZnxgfRXRKuJ0aIiV4mtVXoF7UypGT1sGL1L7gVl
+A3t8xVo/pQa78RyuqlnNfewHpTKeGzedRWeQLl2pGYehXZlxZ+dWFQiwWzqo0rUW
+ghGNXPnmrYfKQiFOQs8GXOWk5AMo2+kLfWpSpyQb4ZBV43vWRoD4OvYzkAKobQZW
+fyACTksnZ1+GcsEJkz/j+otnQawPODQswyAz
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/nix2github.age
+++ b/secrets/nix2github.age
@ -1,26 +1,25 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBDVnVp
-ck9SRFpLSkY1MFo0cXNERWlPRi9zcHhNbHdlYVJzcWE1YmZScjFrCjEyTmtLOUkr
-VW5HZzdrOHFvWWs1bGFjS0FBd1kwTzA4ZEZSUVVMWWtWaDgKLT4gc3NoLWVkMjU1
-MTkgSjkxOXNRIDY1T00vYVN0Nm5sbEMrcEw4VzIzV241Um1QZHpnS1dSaWJYN3FF
-S2pNRjQKQmxzaE9pTlI5L2E0NTZvNlp4QWJ0MXJHdmlwNS9HU3MzQ0NrRnJ5cjJC
-awotPiBzc2gtZWQyNTUxOSBlNmUwbFEgcmQyVld2b0JKbUcrWDBxZHdJNDVESU9y
-Qk13Y3hicGNFV0tjMHhYQjF6dwpLSDc4VW14NVVEV21oQldHWEVxWXcwRFViTGFv
-LzhhcjRPdlZKTWZQS3U0Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBsL3lwTURwT1Z0
-Vmt0czdNMk9scDZPdzJtbUNyalNhR242c0k3WTJEcmlZCmxnRDBSREFQdFB0dHFI
-aU13NjlYeDIrUlB5WmUvZ21takkybHE3M1VlSXcKLT4gc3NoLWVkMjU1MTkgWHpm
-bWFRIFhhaVA1aTUzNnFQeDZIaWV4VFZpa2pyVFIzTDJCSGhxMHpUaDNzRnlOVG8K
-ZkNPbTd5ZEUweld3bUdRNFdkZkVuK3Jtamx5Y3lSbkxFMWs5VjhKenVkawotPiBK
-W1ZLNC1ncmVhc2UgZF9aNUhAdgowTHowdTVwbnM1YmJzL1VoSUlvOXpxT2lDQ21o
-bmlzWkJrc21WOTlIM0xhcG50YWs0U2lqSXNtN1pWdwotLS0gQ0lTQ2tMbkgxVW9D
-ZHlRdjRkTmd0STBRR25UQTgrSXNrTnAzTjRrZUdFRQqsIz6SbS8zaf/NjwqqxgKg
-W++hUEr40EzqYp5ubyIhSpUCuf52kBWRiDtS1aABEZbMDWNKcqYxxK7L7Bz/sDQN
-SjR/H6HZmcxTuJWVL32c16d9rPAGcKzxfPWF7nrB5vx6KMVp/iZvuQOqtRgQuF8s
-1fUHnUrLkSwQNwpqNzuHuU0kXEbrb7unPVv8ES/iKec+QR353KIM1xe62AYMRSfM
-baHlLNx1NHs2e3KiHNH8rXH58nRm+26xXpNyIksUyYGhAMNV4/0+dx/saUlmUtDg
-nm3iph8EUqCpjVuwhgRdylABgZglruSuAKYyVQceQkyd2XOePXsfn05hF9V1IyrX
-6I2OT49WFizz67Y4tPaOe/oYOVIqLDOz7V/StJEn99LwHIZnQ4khm7+nmhQUtICH
-KrOIAZmikWmou4KY2dnqGv0gWR1Gg4GYNDOXEUt9twbdUAUwU8qDzgX5MtIc+DMK
-JnfKQ1zNM1KJ6arg3v1ECttmfpc5nJzr1voF4oEkK2wTsKpKBlG1h8tVKkF1byIP
-PPkCLKTJKJgmF80/HOLB6a9vKEMpssGRsAPY1Vq08g==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USA5K2pi
+Uklvd2ZvQTl4c3MvR1UxSW1hbDd2Vm52WThnek5BZWJ6MW51VEZVCjJmOU1KQVRH
+Ymt2Mjc2Si9lYnlCVkkyOGVqYi9YWGdiNXNGTlRIbHhkOXcKLT4gc3NoLWVkMjU1
+MTkgSmh2TCtRIDVxRDdtTnRlRDdZblp1ZWpCY3d0K004ZXBlZlBrNk1YbzR6VW42
+RkUveWMKVFErQ2ZFa21jMnRZN01pQ3lFcGh0aE41Q2N1K1RBVzdUcDhWb2ZDUmky
+UQotPiBzc2gtZWQyNTUxOSBTcENqQlEgc0VHY2loWUE1bE1SWGFnK3NNd05MRWZn
+aVF5YkZDSmdYS1hyUitOcnNVOApoc3ZYVEkwK0s2RGFSKzJFYVF2RTZnMTZKNGow
+NHI5MUZqL0JTY3ZNaE9ZCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBQT1g3UE5FMzhD
+RGYyY1Z5ak50WWZIMXJ2blZJbHF6YXIzaE1yR010RlMwCjl5SGdWZXQzN3pxQVlV
+dThjdVZoa0JjMEZkU1Z6M1EzaFBHRnc2WjIrT2sKLT4gc3NoLWVkMjU1MTkgWHpm
+bWFRIEJiekNLbnJJTnBhbXJRTG5PbEV2aXduUlpWeGVUbU1pU0FsV1lIdDVqeGsK
+eWRib0M5OVpZLy9vVWlPZGlZSmpYbTdKT0laTXVPUDVETERWL3JaSkUvYwotPiBz
+cy1ncmVhc2UgOjtIXSUlIEQjaSA8KztFCkF2cFlySW9XcEEKLS0tIEJ3Nkt2eUpx
+QjRDNWlIb0VsQmhsUVFpQkQ4M1ZPL25kbWdyUm9VakYwR0UKBHyggpWP1+Q4dzNQ
+ECj83/w+OEw5S++7DsW+6ZCMc3of0+WJs6H6IVyTKl9QYaMjGDlvi3bM9cwsk1LW
+YRWoXS+TVx715ZV3Su5WAR2hjctX7QiogbiYqmjZ2B7t4WP7lJ2pLa5puq0uXN4r
+Ek0wInGrCIMGhFIOxytBBJYEoNhn6KUIKzn85501ZAPHPcZSySz3DMsrlDKnvrpE
+/GymcBJyKk8X4B39hMjwuhW1xxJkQ43r6pSjpBu/QGbgqdxQ29VoabAKl2xo1kIg
+uky8M9neBg66hemZziUaMvGgCspXITln3zCuvOmZVF9Q/Ry1RIhW42SgaqnIqcC0
+LIW52N3BnRv1p7vtrtPY8Khuion99ppJIIChHtbnv9rugoUB+FJsdYx9E+kYHF6R
+acoJgMFT2eDae4/v8CpEfG/e0y0zPvTry1crAyaHMWpqQI7qIhfNqJ+v1aMbce1f
+i6DPAxU6+Hsb8dUhkOvsEOGxbbPLDu1/IlpviCqNARpwZ0tEQ0NELCnvXErLXPLB
+vgPX0sw0qUeCPBztrdqWznWqlPr9TDAR2y+OysPS8wBALYY=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,15 +4,13 @@
 # System key: `cat /etc/ssh/ssh_host_ed25519_key.pub`
 #
 # from authority
-# `nix run github:yaxitech/ragenix/ -- -i ~/.ssh/ragenix_authority --rules /etc/nixos/secrets/secrets.nix` <-r(eykey)|-e(edit) <File>>
+# `nix run github:yaxitech/ragenix -- -i ~/.ssh/ragenix_authority --rules ~/.config/nixos-config/secrets/secrets.nix` <-r(eykey)|-e(edit) <File>>

 let
  publicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdG4tG18VeuEr/g4GM7HWUzHuUVcR9k6oS3TPBs4JRF ragenix authority key"
-    # gpdPocket3
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhgYzACsd0GPuF8bl9SFB5y9KDwv+pU9UihoInzhRok josh@gpdPocket3"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnV4aVyKStFH1KySfnuqBq+DLvyvJhRfKtMs7PCKlIq root@nixos"
-    # joe
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzAQ2Dzl8EvQtYLjEZS5K0bQeNop8QRkwrfxMkBagW2 root@gpdPocket3"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIr/aS0qyn5hCLR6wH1P2GhH3hGOqniewMkIseGZ23HB josh@gpdPocket3"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4PwrrOuZJWRjlc2dKBUKKE4ybqifJeVOn7x9J5IxIS josh@joe"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+GYfPPKxR/18RdD736G7IQhImX/CYU3A+Gifud3CHg root@joe"
  ];
--- a/users/_common/nix_modules/ssh-key.nix
+++ b/users/_common/nix_modules/ssh-key.nix
@ -1,21 +1,4 @@
 { settings, pkgs, ... }:
-let
-  sshScript = pkgs.writeScript "ssh-key-generation" ''
-    #!${pkgs.stdenv.shell}
-    if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519]; then
-      if [ -v DRY_RUN ]; then
-        echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
-      else
-        echo "Generating SSH key for ${settings.user.username}."
-        mkdir -p /home/${settings.user.username}/.ssh
-        chmod 700 /home/${settings.user.username}/.ssh
-        /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519-N ""
-      fi
-    else
-      echo "SSH key already exists for ${settings.user.username}."
-    fi
-  '';
-in
 {
  # Ensure SSH key pair generation for non-root users
  systemd.services.generate_ssh_key = {
@ -24,7 +7,21 @@ in
    serviceConfig = {
      User = "${settings.user.username}";
      Type = "oneshot";
-      ExecStart = sshScript;
    };
+    script = ''
+      #!/run/current-system/sw/bin/bash
+      if [ ! -f /home/${settings.user.username}/.ssh/id_ed25519bbb ]; then
+        if [ -v DRY_RUN ]; then
+          echo "DRY_RUN is set. Would generate SSH key for ${settings.user.username}."
+        else
+          echo "Generating SSH key for ${settings.user.username}."
+          mkdir -p /home/${settings.user.username}/.ssh
+          chmod 700 /home/${settings.user.username}/.ssh
+          /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${settings.user.username}/.ssh/id_ed25519bbb -N ""
+        fi
+      else
+        echo "SSH key already exists for ${settings.user.username}."
+      fi
+    '';
  };
 }