diff --git a/SwarselSystems.org b/SwarselSystems.org index ba5825d..feed39a 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -2886,14 +2886,14 @@ This program sets up a new NixOS host remotely. It also takes care of secret man SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -2959,6 +2959,13 @@ This program sets up a new NixOS host remotely. It also takes care of secret man red "Swap: X" fi + SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)" + if [[ $SECUREBOOT == "true" ]]; then + green "Secure Boot: ✓" + else + red "Secure Boot: X" + fi + ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination" # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value ssh_root_cmd=${ssh_cmd/${target_user}@/root@} @@ -2994,23 +3001,27 @@ This program sets up a new NixOS host remotely. It also takes care of secret man # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later # via the config if [ "$disk_encryption" -eq 1 ]; then - green "--encryption set: Preparing a temporary password for disko." - green "[Optional] Set disk encryption passphrase:" - read -rs luks_passphrase - if [ -n "$luks_passphrase" ]; then - $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" - else - $ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'" - fi - else - green "--encryption not set: Not using disk encryption.." + while true; do + green "Set disk encryption passphrase:" + read -rs luks_passphrase + green "Please confirm passphrase:" + read -rs luks_passphrase_confirm + if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then + $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" + break + else + red "Passwords do not match" + fi + done fi # ------------------------ green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" - green "Injecting initialSetup" - $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" + if [[ $SECUREBOOT == "true" ]]; then + green "Injecting initialSetup" + $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" + fi mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix @@ -3034,14 +3045,17 @@ This program sets up a new NixOS host remotely. It also takes care of secret man done # ------------------------ - green "Setting up secure boot keys" - $ssh_root_cmd "mkdir -p /var/lib/sbctl" - read -ra scp_call <<< "${scp_cmd}" - sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ - $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" - # ------------------------ - green "restoring hardware-configuration" - sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix + + if [[ $SECUREBOOT == "true" ]]; then + green "Setting up secure boot keys" + $ssh_root_cmd "mkdir -p /var/lib/sbctl" + read -ra scp_call <<< "${scp_cmd}" + sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ + $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" + # ------------------------ + green "restoring hardware-configuration" + sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix + fi if [ -n "$persist_dir" ]; then $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" @@ -3121,11 +3135,6 @@ This program sets up a new NixOS host remotely. It also takes care of secret man echo fi - # # ------------------------ - # green "Enrolling secure boot keys" - # $ssh_root_cmd "sbctl enroll-keys --microsoft" - # ------------------------ - if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then cd "${git_root}" deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh index ecdaef1..1211dac 100644 --- a/scripts/bootstrap.sh +++ b/scripts/bootstrap.sh @@ -78,14 +78,14 @@ function update_sops_file() { SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -151,6 +151,13 @@ else red "Swap: X" fi +SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)" +if [[ $SECUREBOOT == "true" ]]; then + green "Secure Boot: ✓" +else + red "Secure Boot: X" +fi + ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination" # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value ssh_root_cmd=${ssh_cmd/${target_user}@/root@} @@ -186,23 +193,27 @@ ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later # via the config if [ "$disk_encryption" -eq 1 ]; then - green "--encryption set: Preparing a temporary password for disko." - green "[Optional] Set disk encryption passphrase:" - read -rs luks_passphrase - if [ -n "$luks_passphrase" ]; then - $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" - else - $ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'" - fi -else - green "--encryption not set: Not using disk encryption.." + while true; do + green "Set disk encryption passphrase:" + read -rs luks_passphrase + green "Please confirm passphrase:" + read -rs luks_passphrase_confirm + if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then + $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" + break + else + red "Passwords do not match" + fi + done fi # ------------------------ green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" -green "Injecting initialSetup" -$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" +if [[ $SECUREBOOT == "true" ]]; then + green "Injecting initialSetup" + $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" +fi mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix @@ -226,14 +237,17 @@ while true; do done # ------------------------ -green "Setting up secure boot keys" -$ssh_root_cmd "mkdir -p /var/lib/sbctl" -read -ra scp_call <<< "${scp_cmd}" -sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ -$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" -# ------------------------ -green "restoring hardware-configuration" -sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix + +if [[ $SECUREBOOT == "true" ]]; then + green "Setting up secure boot keys" + $ssh_root_cmd "mkdir -p /var/lib/sbctl" + read -ra scp_call <<< "${scp_cmd}" + sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ + $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" + # ------------------------ + green "restoring hardware-configuration" + sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix +fi if [ -n "$persist_dir" ]; then $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" @@ -313,11 +327,6 @@ else echo fi -# # ------------------------ -# green "Enrolling secure boot keys" -# $ssh_root_cmd "sbctl enroll-keys --microsoft" -# ------------------------ - if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then cd "${git_root}" deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe