From 0fc9ee7531a3b2caa9324c78c07362f5fa223aac Mon Sep 17 00:00:00 2001 From: Swarsel Date: Tue, 17 Dec 2024 23:36:40 +0100 Subject: [PATCH] fix: minor adjustments to bootstrapping --- SwarselSystems.org | 50 +++++++++++++++++++++++-------------- hosts/nixos/iso/default.nix | 3 ++- profiles/iso/minimal.nix | 1 + scripts/bootstrap.sh | 44 +++++++++++++++++++------------- 4 files changed, 61 insertions(+), 37 deletions(-) diff --git a/SwarselSystems.org b/SwarselSystems.org index 7368b03..2f5c4cd 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -1180,7 +1180,7 @@ Every host is housed in the =hosts/= directory, which is then subdivided by each This is a list of all physical machines that I maintain. -**** live (ISO) +**** drugstore (ISO) :PROPERTIES: :CUSTOM_ID: h:8583371d-5d47-468b-84ba-210aad7e2c90 :END: @@ -1222,6 +1222,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load services.getty.autologinUser = lib.mkForce "swarsel"; users = { + allowNoPasswordLogin = true; groups.swarsel = {}; users = { swarsel = { @@ -1257,7 +1258,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load system.stateVersion = lib.mkForce "23.05"; networking = { - hostName = "live"; + hostName = "drugstore"; wireless.enable = false; }; 
@@ -2704,14 +2705,14 @@ This program sets up a new NixOS host. SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -2754,8 +2755,19 @@ This program sets up a new NixOS host. # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value ssh_root_cmd=${ssh_cmd/${target_user}@/root@} scp_cmd="scp -oport=${ssh_port} -o StrictHostKeyChecking=no" - git_root=$(git rev-parse --show-toplevel) + if [[ -z ${FLAKE} ]]; then + FLAKE=/home/"$target_user"/.dotfiles + fi + if [ ! -d "$FLAKE" ]; then + cd /home/"$target_user" + yellow "Flake directory not found - cloning repository from GitHub" + git clone git@github.com:Swarsel/.dotfiles.git || (yellow "Could not clone repository via SSH - defaulting to HTTPS" && git clone https://github.com/Swarsel/.dotfiles.git) + FLAKE=/home/"$target_user"/.dotfiles + fi + + cd "$FLAKE" + git_root=$(git rev-parse --show-toplevel) # ------------------------ green "Wiping known_hosts of $target_destination" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts 
@@ -2840,13 +2852,9 @@ This program sets up a new NixOS host. # __________________________ if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then - if [ "$target_user" == "root" ]; then - home_path="/root" - else - home_path="/home/$target_user" - fi green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p $home_path/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >>$home_path/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts" fi # -------------------------- @@ -2859,7 +2867,7 @@ This program sets up a new NixOS host. if yes_or_no "Do you want to rebuild immediately?"; then green "Rebuilding nix-config on $target_hostname" - #FIXME:(bootstrap) there are still a gitlab fingerprint request happening during the rebuild + $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json" $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch" fi else 
@@ -2881,7 +2889,10 @@ This program sets up a new NixOS host. deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix (pre-commit run --all-files 2> /dev/null || true) && - git add "$git_root/hosts/$target_hostname/hardware-configuration.nix" && (git commit -m "feat: hardware-configuration.nix for $target_hostname" || true) && git push + git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && + git add "$git_root/.sops.yaml" && + git add "$git_root/secrets" && + (git commit -m "feat: deployed $target_hostname" || true) && git push fi #+end_src @@ -7448,6 +7459,7 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9 security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK + Defaults lecture = never ''; security.pam = { diff --git a/hosts/nixos/iso/default.nix b/hosts/nixos/iso/default.nix index dd5c798..d0fc00b 100644 --- a/hosts/nixos/iso/default.nix +++ b/hosts/nixos/iso/default.nix @@ -32,6 +32,7 @@ in services.getty.autologinUser = lib.mkForce "swarsel"; users = { + allowNoPasswordLogin = true; groups.swarsel = { }; users = { swarsel = { @@ -67,7 +68,7 @@ in system.stateVersion = lib.mkForce "23.05"; networking = { - hostName = "live"; + hostName = "drugstore"; wireless.enable = false; }; diff --git a/profiles/iso/minimal.nix b/profiles/iso/minimal.nix index 3b4d62c..d274891 100644 --- a/profiles/iso/minimal.nix +++ b/profiles/iso/minimal.nix @@ -34,6 +34,7 @@ security.sudo.extraConfig = '' Defaults env_keep+=SSH_AUTH_SOCK + Defaults lecture = never ''; security.pam = { diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index 2538473..b2e01b4 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh 
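Review bot: `allowNoPasswordLogin = true` in hosts/nixos/iso/default.nix switches off the NixOS assertion that at least one account has a password or authorized key, and together with `services.getty.autologinUser` forced to swarsel two lines above it the ISO boots straight into a shell with no credential at all. That is what an installer medium needs, but the option deserves a comment so it is not copied into an installed host, where that assertion is the last guard against building a system nobody can log into: `# ISO only: getty autologin is the login path; never set this on an installed host`. Whether sshd is enabled on the ISO is not visible from this hunk; if it is, the swarsel account should still carry an authorized key rather than rely on no password. The same line appears in the SwarselSystems.org source block for this file.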
@@ -77,14 +77,14 @@ function update_sops_file() { SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -127,8 +127,19 @@ ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFil # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value ssh_root_cmd=${ssh_cmd/${target_user}@/root@} scp_cmd="scp -oport=${ssh_port} -o StrictHostKeyChecking=no" -git_root=$(git rev-parse --show-toplevel) +if [[ -z ${FLAKE} ]]; then + FLAKE=/home/"$target_user"/.dotfiles +fi +if [ ! -d "$FLAKE" ]; then + cd /home/"$target_user" + yellow "Flake directory not found - cloning repository from GitHub" + git clone git@github.com:Swarsel/.dotfiles.git || (yellow "Could not clone repository via SSH - defaulting to HTTPS" && git clone https://github.com/Swarsel/.dotfiles.git) + FLAKE=/home/"$target_user"/.dotfiles +fi + +cd "$FLAKE" +git_root=$(git rev-parse --show-toplevel) # ------------------------ green "Wiping known_hosts of $target_destination" sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts 
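Review bot: `FLAKE=/home/"$target_user"/.dotfiles` and `cd /home/"$target_user"` run on the machine executing the script (it drives the target over `$ssh_cmd`), but `target_user` is the account on the remote host — it is the name substituted out of `ssh_cmd` to build `ssh_root_cmd` just above — so the default only works when local and remote usernames coincide, while the adjacent `sed -i … ~/.ssh/known_hosts` already uses the local home and `$HOME` would be the consistent choice. Neither `cd` is checked: if both clones fail or `$FLAKE` is not a directory after all, `git rev-parse --show-toplevel` runs in whatever directory the script started in and `git_root` silently points at the wrong repository for the later `git add`/`git push`. Passing `"$FLAKE"` as the clone target removes the need for the first `cd`, and the second needs to stop the script on failure. The same hunk appears in the SwarselSystems.org source block for this script.
```shell
FLAKE=${FLAKE:-"$HOME/.dotfiles"}
if [ ! -d "$FLAKE" ]; then
    yellow "Flake directory not found - cloning repository from GitHub"
    git clone git@github.com:Swarsel/.dotfiles.git "$FLAKE" ||
        (yellow "Could not clone repository via SSH - defaulting to HTTPS" && git clone https://github.com/Swarsel/.dotfiles.git "$FLAKE")
fi
cd "$FLAKE" || { yellow "Flake directory $FLAKE is not usable - aborting"; exit 1; }
git_root=$(git rev-parse --show-toplevel)
```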
@@ -213,13 +224,9 @@ $ssh_root_cmd "chown $target_user:users /home/swarsel/.ssh/ssh_host_ed25519_key" # __________________________ if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then - if [ "$target_user" == "root" ]; then - home_path="/root" - else - home_path="/home/$target_user" - fi green "Adding ssh host fingerprints for git{lab,hub}" - $ssh_cmd "mkdir -p $home_path/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >>$home_path/.ssh/known_hosts" + $ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /home/$target_user/.ssh/known_hosts" + $ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com swagit.swarsel.win >> /root/.ssh/known_hosts" fi # -------------------------- @@ -232,7 +239,7 @@ if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $targe if yes_or_no "Do you want to rebuild immediately?"; then green "Rebuilding nix-config on $target_hostname" - #FIXME:(bootstrap) there are still a gitlab fingerprint request happening during the rebuild + $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json" $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch" fi else 
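Review bot: The first new `ssh-keyscan` line writes to `/home/$target_user/.ssh` even when `target_user` is root, the case the removed `home_path` branch handled; that path used to resolve to `/root` and now becomes `/home/root`, while the second line repeats the identical scan for `/root`. Guarding the user line with `if [ "$target_user" != "root" ]; then … fi` restores the old behaviour without losing the root entry. Both lines also accept whatever host key the network returns at scan time and append it on every run, so known_hosts accumulates duplicates; shipping the expected host keys in the repository and copying that file with `$scp_cmd` would make the check meaningful rather than first-use trust (the replaced line had the same property, so this is a suggestion, not a regression). The same hunk appears in the SwarselSystems.org source block for this script.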
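Review bot: The new `$ssh_root_cmd` line pre-approves two binary caches and their signing keys for root on the target by writing `trusted-settings.json` directly, which is what the interactive `nixos-rebuild` prompt would otherwise ask a trusted user to confirm; the substituter and key strings are pasted verbatim and must match the flake's `nixConfig` byte for byte, or the prompt returns along with the FIXME this line replaces. As far as I know Nix keys that file on the literal setting value, so a later `nixConfig` change will prompt again rather than be silently accepted, which is the behaviour you want — but it also means the two copies drift unless kept together. Generating the JSON from the flake, or at least holding it in a quoted heredoc variable above the call, would keep them in sync and make the 400-character line reviewable; a comment such as `# pre-accept the flake's nixConfig substituters/keys for root on the target; must match flake nixConfig exactly` states the coupling. The enclosing `if yes_or_no "Do you want to copy your full nix-config …"` block starts outside the hunk, and the same hunk appears in the SwarselSystems.org source block for this script.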
@@ -254,5 +261,8 @@ if yes_or_no "You can now commit and push the nix-config, which includes the har deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe nixpkgs-fmt hosts/nixos/"$target_hostname"/hardware-configuration.nix (pre-commit run --all-files 2> /dev/null || true) && - git add "$git_root/hosts/$target_hostname/hardware-configuration.nix" && (git commit -m "feat: hardware-configuration.nix for $target_hostname" || true) && git push + git add "$git_root/hosts/nixos/$target_hostname/hardware-configuration.nix" && + git add "$git_root/.sops.yaml" && + git add "$git_root/secrets" && + (git commit -m "feat: deployed $target_hostname" || true) && git push fi
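Review bot: `git add "$git_root/secrets"` stages the entire directory, so any stray file left there during bootstrapping — a decrypted scratch copy, an editor backup, an unencrypted key file — is committed and pushed along with the sops-encrypted ones, and nothing in this hunk verifies that what is staged is encrypted. If the layout allows, stage only the host's own secrets file, for example `git add "$git_root/secrets/$target_hostname"` with the real filename substituted, or have the `pre-commit run --all-files` step two lines above fail when a staged file under secrets lacks a `sops:` metadata section. A comment stating the assumption, `# everything under secrets/ must already be sops-encrypted before this runs`, would at least make the invariant visible. The enclosing `if yes_or_no "You can now commit and push …"` block starts outside the hunk, and the same hunk appears in the SwarselSystems.org source block for this script.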