From 970de0bd95da94a94c44a616263feefd52ed3508 Mon Sep 17 00:00:00 2001 From: = Date: Sun, 31 Mar 2024 19:47:19 -0500 Subject: [PATCH] onboard new machine --- readme.md | 34 +++++++++++++++++++++++------ secrets/nix2bitbucket.age | 45 ++++++++++++++++++++++----------------- secrets/nix2github.age | 43 ++++++++++++++++++++----------------- 3 files changed, 77 insertions(+), 45 deletions(-) diff --git a/readme.md b/readme.md index 8ab908e..bfe9b7a 100644 --- a/readme.md +++ b/readme.md 
@@ -1,12 +1,34 @@ -# First Install +# First Install on new Machine - First follow nixos installation guide: https://nixos.wiki/wiki/NixOS_Installation_Guide -- Checkout this repo into /etc/nixos -- Before anything else, ensure the generated hardware-configuration is copied over into the desired HOSTNAME target in systems directory. -- switch into flake mode `nixos-rebuild switch --flake /etc/nixos#HOSTNAME` + - Follow up to generate config command +- in hardware-configuration.nix + - change to use by-labels made in nixos installation guide (optional but nice for updating device in the future) +- in configuration.nix + - set networking.hostname to HOSTNAME + - enable networkmanager + - add in `users.users.root.initialPassword = 'password1';` [[ TODO this may not be necessary at all, it seems to prompt for this regardless at end of install ]] + - uncomment systemPackages and add: git curl + - add `nix.settings.experimental-features = [ "nix-command" "flakes" ];` +- Install nixos: `cd /mnt` `sudo nixos-install` +- `passwd` to change root password (if not already prompted to do so) +- `reboot` -- copy over this systems ssh public key pairs into the ./secrets/secrets.nix file - push those up, using another computer re-key all the secrets, push up again - - pull new secrets down with new added keys +-- TODO come up with a way to pregen keys so onboarding is less stupid with secrets? + +- `cp -r /etc/nixos ~/nixos_bak` Backup configuration +- Checkout this repo into /etc/nixos: `rm -rf /etc/nixos` `git clone https://github.com/ringofstorms/dotfiles /etc/nixos` +- Copy hardware-configuration into the new /etc/nixos/systems/HOSTNAME/hardware-configuration.nix `mkdir /etc/nixos/systems/HOSTNAM && cp ~/hardware-configuration.nix /etx/nixos/systems/HOSTNAME` +- copy the existing configuration/other configuration nix of an existing system and edit it to desires state. [[ TODO make this step cleaner/easier... 
]] +- switch into flake mode `nixos-rebuild switch --flake /etc/nixos[#HOSTNAME]` and switch to new system +- copy system ssh public key and create a key for user and copy those into the nixos secrets.nix file + - `cat /etc/ssh/ssh_host_ed25519_key.pub` + - `cat ~/.ssh/id_ed25519.pub` +- Push changes to remote using temp user password +- rekey secrets with any other onboarded system + - TODO +- copy over this systems ssh public key ( /etc/shh/*ed25519* ) into the ./secrets/secrets.nix file - push those up, using another computer re-key all the secrets, push up again + - pull new secrets down with new added keys and rebuild # Later updates diff --git a/secrets/nix2bitbucket.age b/secrets/nix2bitbucket.age index b02177f..19aa91f 100644 --- a/secrets/nix2bitbucket.age +++ b/secrets/nix2bitbucket.age 
@@ -1,22 +1,27 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBCK29s -T0R3ZGlBUFRKUFFEUWQ5cnFlVmV5SlFiWlRBSWZFY2ZoYlY5ZlI4CmcrWlRkT0Y5 -elo2aFR2Y0pYZVZmQ2RFQ0I4UGwxTk5hbWdzZUxXRXBwMDgKLT4gc3NoLWVkMjU1 -MTkgSjkxOXNRIGJZQmptaW9Dc1FxZHNxQ1Y1dk9oUy9TdHc4dU1QRVlJY0k3VWNu -aW9Jd28KNFFJS1FDcldXU3JJMzk1VU1HQ3lUc0x4eWF4cU84WjZzVXlyNFBwdFBR -RQotPiBzc2gtZWQyNTUxOSBlNmUwbFEgMGtYY1lDdmQvMFoySHdRb2ErY2FpcG5J -cjEyRFhwMXNGM2dCeEtRZDVqUQpvQm9lNUNMRjc4R1dSaFhUb2FFTzJEb0pyRFN3 -WTA4ME4wM1d4S2ZXZ3JZCi0+IFQ6WnlZLWdyZWFzZSBNXmcgIlRgd2x0O04KVXV6 -QmdJZWNMS2RueVBqMTRlTXQyTmFvaFZyN2pOTVkzWDMxeU5IeC8vclZ0S2k4VG0w -Rk56Q3VpWi9UYUxQQwpHcGpMVkdPMTk2Skg0WEUKLS0tIE1YdHllN0VXRHR0L1Yx -VlV2aHc4cDNFYnB5L1Q5a1I5ZVRCR0lCUzI1RFEKJgGmOo27BuWg1IT8PHCLbI9v -3oY3AxiHVEGMTQ1tSIO8TAdw1ul3ZkOIpOxHAw6bOjs772/fbnHkFN9elEgIXqvN -O16gpAUWT0NhlBv+deaTsJHRZ3uLZvxSSTwLY9iYHrAf9nyub8i6GJPVxSiyoaaM -bJ+9niD8tgj6sG4QpWFN9iTQCGEfLk7b3FNjBWUmmQJJNI2prmlSOGlP6C5tRov+ -YJGQnj4pH2EwkVb91A1TgwDBmupEYkWiW1FH48E2VwRglAqjrBGWGZICtph4X+2t -IDKJ/wKsKQQsSj7UpPLjZhMSHAUB52JiH6T4Ay+hVN/CgXalcx8hN9hzlcWzfa5h -9SxjJSrITiiCUQaxRwd8tI5EzTDPWZu/Yfm892LViYfeueabFducOyYvQ5KQ9JCD -IJCHjk3xjKsdw2UNNZKEUl3jLDLxE7s5zBHaU3GkS9QEGHOd+vNou4yL4AhM2R+T -WUtlPtsH1L7YLHGFinfB4C0hdEKg/I4w6G/A55pudWIu7syFqSo7zyjxHUFhSkrq -T0zNaiNZFInqhreb2USm59s6isZaGZlf7btfv2c= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBvdm8z +MGkweENnTjlxK3lubmtXUlRHUDJLOTM0MGRJQmtOUXZpSG1IUlJZClY1amJtdkZw +T3dWRnBqdFVlRGpxQWFydUJUcm9hRTI0WHYrVjh3ZVE5bUEKLT4gc3NoLWVkMjU1 +MTkgSjkxOXNRIGZQWG85d0lzZWVtWG4weXRBY0ZoQVN6WmdEemtxa2FpYm1FRHND +SXZSd2cKbWRLbUdrTm1oMFZtNnR6eDU4ckJOK2RyTENnV1NaWjlSVTZ5eEhOQ0N0 +dwotPiBzc2gtZWQyNTUxOSBlNmUwbFEgNzJ1TG5rbllNaThwTDNtZmdVSHZuK2hp +MWw5TFJZbEtOdHdmY2g5VittWQpHRjdMelI3TURuYUYwVXFRSWVHeU1UUzRUaDFh +SDVWR3pmV1gvMkV2c1NBCi0+IHNzaC1lZDI1NTE5IEJZS0crdyBXUWFJc2ljM0Nr +cUJxVWJrSjVvWkE5MnV6SmpWYit4dnZraWxJQTYwelYwClNzSGhOWGFXcXVyc3pq 
+bVBzeW1UNE1RdUU4SWZEd1FwUmhkb1lmKzRKalkKLT4gc3NoLWVkMjU1MTkgWHpm +bWFRIFk2SkxTRjBUNUhLdDZIbituV3BGckVoaEZsSnkrQVpRQ1I1QkZmaURWR1UK +aUpmbm1TUDlFYTBXZ2EvSWxPWmh5S0prTE5CcTFPanlZSDFpOFhtbEVEZwotPiAi +MXYrOyVZby1ncmVhc2Ugdk1fOlIoIG9WIHFmOiBeImc1Cis0bnA0a3UvU2tlZUJl +REFJa2owa056UEhGbTh6ZWdtM1VpY1pJZDdpL3Q3L0gvRTJMRnQzcjNsUFY5VHZh +dVUKREE1MzF4eEtIQmh0MU1uK2NMSWtFVk0zTGxxd0sxcDhtUmhpencKLS0tIElt +c2taOFBaWndsV0FhdXhtdy9JeFJTbFNJQ21iclI4UXVnZmZzZnlXWG8KU47pTls2 +3ZARHmIb7/3fPTn3a5wwOmV8x4jqz+IfKcmSapkLn2y0PIptecAHSIm+a6CgkH8i +ZA/qvrB/m5AYfAIUVcbhpb6zT1jj4K1ZqY1yUP8BeCOa+wrZeiOkcGkAxtzvKIF7 +4GCz92dpEayxsdFLgQKJpG+37hyWP1dlASTnk114/Nv99wGR8HG+Bg85eY2PWluz +hLI8dVKPURDmwQcXRionE8IjnEmSHI6XdggMAQwB0mh6AZRZFzK76Flb1Fr7C/fQ +8ecNbhvxPUDxPNYVLpN7EGyaPiMbpxOVd8HYWfCcJWQoqGBFNUXaQI3pSy68zVQh +cw+DJX6dCO7e4K+BDugS6CY2skvf58TVX0dq3SZ6dMJhtz/hCNdsnb0qVnjnSdUF +PK06nlRRxwNwJt8m1ar+3a85gkt3/U1t2hIT5dUVtRxD4OEr5fZbtZQfVvaYclVk +YbGgCWIoq4DYhNc10lwvMfq22uj1LaewEpgJKMGNQezfXf4LkDK5knnlCoaxFCpL +E4DWpCI9HfZAaqElLApqdfoslkK/14Cs3BLGC0PM9/3pNP9bAyaMwMA= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/nix2github.age b/secrets/nix2github.age index 198797d..ee0bcad 100644 --- a/secrets/nix2github.age +++ b/secrets/nix2github.age 
@@ -1,21 +1,26 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBCR0Mx -RkRvNnNJbDRybFNKbmY4M0VzTGYwNElZbm8wZEQ4Wm9JaytweDFZClROYm5IdFJ0 -K0cxUEdGWEhKUWthSjd3VWUxYlNFeCtrRmNWbzc5NDBYYnMKLT4gc3NoLWVkMjU1 -MTkgSjkxOXNRIE16OTdGNURLWC9TY2ErRmNFV0UyLy9MbDhCTjhRUVNoaE9Gc3kv -cEJDMm8Kc2lkYk1oR3lsNzI3MkxYem5YS3d5VE8vQzJKMXVFNVIrOTUzYXBwb0s0 -cwotPiBzc2gtZWQyNTUxOSBlNmUwbFEgTGFWa3JYNlRCM1RkbEpJZHFoSHdYOE5q -dmEzbUFhKzZGRUtybWlvMEIxVQpwU0ppMmRMKzlnYVpiL2pnOXR0RkNmb0ZIeGpw -YzhZRmMwbHY4Q3hhZk1NCi0+ICQtZ3JlYXNlIEJYRl4gJiFxSSBsICVvXCs1CkZi -UURNYjl1RUY4RU5TdVFwOXAxRWRhcllwU09DMmhvWWlCUwotLS0gRnl6YkN2eFVI -TjhrWFFTblN1eHZFV25RL0Y0NUh3UVI3MjJjTkViSG9pTQpt+8IsRW49ki68inEg -Ny7+LslHhypyLdGldrB/Zb8oIVHZiIk8m/nRQRZCq/7ESV5Kb8ygcM4fIICdhMn3 -jED2802rMZFzzXi7IWkUUqcNOx2AoSWSXdpjX3wJoLXGTe23ipYe6EEbltmqZ/Vw -Ga6eupId1Ux/oYQBGmlfRRyQT74vMB8mk815qaLUvuXTk9BSVc0Ysl40IZz8H7u+ -lJwsfl04dFfJkrmgoB2H0HVjmLowYHDMyEXXo/l8Ulh+vnD2ndSi5CzD5KJnuVWP -uc3Ijtmpx0aZUaFcduQPGpmNf7zfRc1eoTnA9OmEIgnWRmE8tQdtIbr9YPREBBw2 -eKfzNBOlACK5YWCnO0tsGHlQq0zYa7b/oreU6Rpr+CjbVxYVj1dFJkPXuCnCjZnD -8X0JpiZAzNg9nCm9NLVuYOmLvRdvwdAkirELV0vJFASlFbZOZYm4XBtKSpcIQrdh -U9E2phZXQZmIJK/6doddPR0F9GM78T1ZTryOgPF4A8Lqf+DSHbOC3DkkxR8JYhcH -eSrTr06Y+cDf+uTerq6p5ZAGn5SZUAI5kdM4eNgxwNBYew== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6MzN5USBDVnVp +ck9SRFpLSkY1MFo0cXNERWlPRi9zcHhNbHdlYVJzcWE1YmZScjFrCjEyTmtLOUkr +VW5HZzdrOHFvWWs1bGFjS0FBd1kwTzA4ZEZSUVVMWWtWaDgKLT4gc3NoLWVkMjU1 +MTkgSjkxOXNRIDY1T00vYVN0Nm5sbEMrcEw4VzIzV241Um1QZHpnS1dSaWJYN3FF +S2pNRjQKQmxzaE9pTlI5L2E0NTZvNlp4QWJ0MXJHdmlwNS9HU3MzQ0NrRnJ5cjJC +awotPiBzc2gtZWQyNTUxOSBlNmUwbFEgcmQyVld2b0JKbUcrWDBxZHdJNDVESU9y +Qk13Y3hicGNFV0tjMHhYQjF6dwpLSDc4VW14NVVEV21oQldHWEVxWXcwRFViTGFv +LzhhcjRPdlZKTWZQS3U0Ci0+IHNzaC1lZDI1NTE5IEJZS0crdyBsL3lwTURwT1Z0 +Vmt0czdNMk9scDZPdzJtbUNyalNhR242c0k3WTJEcmlZCmxnRDBSREFQdFB0dHFI +aU13NjlYeDIrUlB5WmUvZ21takkybHE3M1VlSXcKLT4gc3NoLWVkMjU1MTkgWHpm 
+bWFRIFhhaVA1aTUzNnFQeDZIaWV4VFZpa2pyVFIzTDJCSGhxMHpUaDNzRnlOVG8K +ZkNPbTd5ZEUweld3bUdRNFdkZkVuK3Jtamx5Y3lSbkxFMWs5VjhKenVkawotPiBK +W1ZLNC1ncmVhc2UgZF9aNUhAdgowTHowdTVwbnM1YmJzL1VoSUlvOXpxT2lDQ21o +bmlzWkJrc21WOTlIM0xhcG50YWs0U2lqSXNtN1pWdwotLS0gQ0lTQ2tMbkgxVW9D +ZHlRdjRkTmd0STBRR25UQTgrSXNrTnAzTjRrZUdFRQqsIz6SbS8zaf/NjwqqxgKg +W++hUEr40EzqYp5ubyIhSpUCuf52kBWRiDtS1aABEZbMDWNKcqYxxK7L7Bz/sDQN +SjR/H6HZmcxTuJWVL32c16d9rPAGcKzxfPWF7nrB5vx6KMVp/iZvuQOqtRgQuF8s +1fUHnUrLkSwQNwpqNzuHuU0kXEbrb7unPVv8ES/iKec+QR353KIM1xe62AYMRSfM +baHlLNx1NHs2e3KiHNH8rXH58nRm+26xXpNyIksUyYGhAMNV4/0+dx/saUlmUtDg +nm3iph8EUqCpjVuwhgRdylABgZglruSuAKYyVQceQkyd2XOePXsfn05hF9V1IyrX +6I2OT49WFizz67Y4tPaOe/oYOVIqLDOz7V/StJEn99LwHIZnQ4khm7+nmhQUtICH +KrOIAZmikWmou4KY2dnqGv0gWR1Gg4GYNDOXEUt9twbdUAUwU8qDzgX5MtIc+DMK +JnfKQ1zNM1KJ6arg3v1ECttmfpc5nJzr1voF4oEkK2wTsKpKBlG1h8tVKkF1byIP +PPkCLKTJKJgmF80/HOLB6a9vKEMpssGRsAPY1Vq08g== -----END AGE ENCRYPTED FILE-----
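Review bot: in the readme.md hunk the new step `mkdir /etc/nixos/systems/HOSTNAM && cp ~/hardware-configuration.nix /etx/nixos/systems/HOSTNAME` cannot succeed as written: the directory name is missing its final `E`, the destination has `/etx/` for `/etc/`, and the source `~/hardware-configuration.nix` does not exist, because the preceding step backed the generated config up to `~/nixos_bak` and then `rm -rf /etc/nixos` removed the original; suggest `mkdir -p /etc/nixos/systems/HOSTNAME && cp ~/nixos_bak/hardware-configuration.nix /etc/nixos/systems/HOSTNAME/`. In the same hunk, `users.users.root.initialPassword = 'password1';` is not valid Nix (string literals take double quotes; single quotes only appear as the `''` indented-string delimiter) and it bakes a guessable root password into configuration.nix, where it also ends up in plain text in the world-readable Nix store; since the next lines already note that `nixos-install` prompts for the root password and `passwd` is run afterwards, drop the line instead of leaving the `TODO`. The old step `copy over this systems ssh public key ( /etc/shh/*ed25519* ) into the ./secrets/secrets.nix file` is retained below the new `copy system ssh public key and create a key for user` steps, so the key-onboarding procedure is now listed twice, the second copy with a `/etc/shh/` typo; keep one. Minor: `nixos-rebuild switch --flake /etc/nixos[#HOSTNAME]` reads as if the brackets were literal; the original `/etc/nixos#HOSTNAME` was clearer.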
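Review bot: in the secrets/nix2bitbucket.age hunk the recipient list is not reflected anywhere else in the patch. Decoding the base64 header, the old file has three `-> ssh-ed25519` stanzas (`7z33yQ`, `J919sQ`, `e6e0lQ`) and the new one has five, adding `BYKG+w` and `XzfmaQ`, which matches the readme's new host key plus user key, but the stat line lists only readme.md and the two .age files, so `secrets/secrets.nix` (the file the readme says to add the new public keys to) is unchanged in this commit. If the keys were added to secrets.nix in an earlier commit, say so in the message; if not, the readme's own "re-key all the secrets" step run from another machine will silently drop the two new recipients and lock the new host out again. Either way, name the host these two tags belong to somewhere reviewable, since the tags alone cannot be mapped back to a machine.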
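Review bot: the secrets/nix2github.age hunk adds the same two recipients (`BYKG+w`, `XzfmaQ`) as the bitbucket secret, so both credentials become decryptable by the new host and user key, which is consistent; the point to confirm is that this is intended for both keys, because the readme only describes the system host key (`/etc/ssh/ssh_host_ed25519_key.pub`) as what the secrets are keyed to, while the user key (`~/.ssh/id_ed25519.pub`) is a second, separately stored private key that now also unlocks both git credentials. If the user key is only needed to push the onboarding commit, it does not need to be an age recipient at all; if it is needed, note that in the readme alongside the `rekey secrets with any other onboarded system` TODO so the next onboarding does not guess.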