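#!/usr/bin/env nix-shell
#! nix-shell -i bash -p ssh-to-age boxes
#
# Bootstrap the secrets for a new NixOS machine installed with nixos-anywhere:
#   1. generate an ed25519 SSH host key into a temporary --extra-files tree,
#   2. derive the matching age public key from it (for sops),
#   3. write a LUKS passphrase into a temporary key file,
# then print the .sops.yaml / NixOS / nixos-anywhere snippets to paste.
#
# Tools used: ssh-keygen, ssh-to-age, boxes. ssh-keygen is not among the
# nix-shell packages above, so it is presumably expected from the host
# environment -- TODO confirm (or add the openssh package to the -p list).
#
# The temporary directory and key file are deliberately NOT removed on exit:
# the nixos-anywhere command printed at the end needs both of them. mktemp
# creates them owner-only, but $LUKS_KEY holds the passphrase in plaintext and
# $EXTRA_FILES holds the private host key, so delete both once the install
# has finished.

set -euo pipefail

# Print a diagnostic to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# mktemp -d creates the directory 0700 and mktemp the file 0600, so the
# private material written below is readable only by the invoking user.
EXTRA_FILES=$(mktemp -d) || die "mktemp -d failed"
LUKS_KEY=$(mktemp) || die "mktemp failed"
readonly EXTRA_FILES LUKS_KEY
readonly SSH_HOST_KEY="$EXTRA_FILES/etc/ssh/ssh_host_ed25519_key"

boxes -d ian_jones <<EOF
- create ssh host keys
- create age key from ssh host key (for sops)
- create luks encryption key
EOF

# The key path and the KDF rounds (-a 100) must match the
# services.openssh.hostKeys entry printed at the end; otherwise the installed
# system generates its own host key and the age key derived here is useless.
mkdir -p "${SSH_HOST_KEY%/*}"
ssh-keygen -a 100 -q -N "" -t ed25519 -f "$SSH_HOST_KEY" \
  || die "ssh-keygen failed"
# ssh-keygen writes the public half next to the private key as <file>.pub.
AGE_KEY=$(ssh-to-age < "$SSH_HOST_KEY.pub") || die "ssh-to-age failed"
[[ -n "$AGE_KEY" ]] || die "ssh-to-age produced an empty key"
readonly AGE_KEY

printf '\n\n'
# -r keeps backslashes in the passphrase literal; -s suppresses echo.
IFS= read -r -s -p 'LUKS Encryption Password please: ' password
printf '\n'
[[ -n "$password" ]] || die "empty LUKS passphrase refused"
# printf instead of echo -n: a passphrase starting with '-' or containing
# backslashes would otherwise be mangled. No trailing newline, as before.
printf '%s' "$password" > "$LUKS_KEY"
unset password
printf '\n\n'

boxes -d shell <<EOF
put this in your .sops.yaml
and run sops updatekeys secrets/<machine>.yaml
EOF

cat <<EOF

keys:
  - &palo 42AC51C9482D0834CF488AF1389EC2D64AC71EAC
creation_rules:
  - path_regex: secrets/<machine>.yaml
    key_groups:
      - age:
          - *palo
          - $AGE_KEY

EOF

printf '\n'
boxes -d shell <<<'make sure you configure services.openssh.hostKeys'

cat <<EOF

services.openssh.hostKeys = [
  {
    bits = 4096;
    path = /etc/ssh/ssh_host_ed25519_key;
    rounds = 100;
    type = "ed25519";
  }
];

EOF

printf '\n'
boxes -d shell <<<'add this to your nixos-anywhere options'

# <remote_path> is a placeholder for the user to fill in; the heredoc is
# unquoted only so that \$EXTRA_FILES and \$LUKS_KEY expand.
cat <<EOF

nixos-anywhere \\
  --extra-files $EXTRA_FILES \\
  --disk-encryption-keys <remote_path> $LUKS_KEY

EOF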