diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..101c2cb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,10 @@
+# see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+keys:
+ - &user_homefree 06321D7F20335A7E08595BA905D137EE114BA2C2
+ - &host_homefree 0BC4F8FF51F3167F06683FFB19008821C072983E
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *user_homefree
+ - *host_homefree
diff --git a/README.md b/README.md
index f0137d0..ef4dec8 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,42 @@
 HomeFree Sample Config
 ======================
-Clone this repo and modify configuration.nix as needed, then deploy with:
+## Edit config
+
+Clone this repo and modify configuration.nix as needed onto a freshly installed NixOS machine.
+
+## Create secrets
+
+- Generate appropriate GPG keys. You will need a private SSH key at ~/.ssh/id_rsa
 ```
-./install.sh
+./generate-gpg-keys.sh
 ```
-Make sure to create secrets files in the secrets folder, as described by the README file in that folder.
+- Create secrets file in this folder. Use the following commands.
+
+```
+sops secrets/authentik.yaml
+sops secrets/backup.yaml
+sops secrets/ddclient.yaml
+sops secrets/linkwarden.yaml
+sops secrets/nextcloud.yaml
+sops secrets/tailscale.yaml
+```
+
+And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
+the values as required.
+
+## Build
+
+```
+./build.sh
+```
+
+## You can also deploy remotely to a machine running the Live CD
+
+```
+./deploy.sh
+```
+
+BUT, you'll have to check out the source onto the server and run the `./generate-gpg-keys.sh` script again after deployment.
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..5c89c88
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+sudo nixos-rebuild switch --flake .#${HOSTNAME} -L
diff --git a/install.sh b/deploy.sh
similarity index 100%
rename from install.sh
rename to deploy.sh
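Review bot: The two fingerprints under `keys:` are the sample author's keys and nothing in the file says so, so a reader who runs `sops secrets/*.yaml` before `generate-gpg-keys.sh` has rewritten them will encrypt new secrets to keys they do not hold. I would add a comment above `keys:` such as `# Sample fingerprints only: generate-gpg-keys.sh replaces both with the user and host SSH-derived keys; do not create secrets until it has run.` The single `pgp:` group means either key alone decrypts every matching file, which is presumably intended (user edits, host decrypts at deploy) and is worth stating in the same comment. The `path_regex` matches only files directly under `secrets/`, so a secret in a subdirectory would get no creation rule; if that is deliberate a short note avoids confusion.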
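Review bot: `${HOSTNAME}` in build.sh is unquoted and unchecked, so with HOSTNAME empty the command becomes `--flake .#` and rebuilds whatever default the flake resolves to instead of failing; `sudo nixos-rebuild switch --flake ".#${HOSTNAME:?HOSTNAME not set}" -L` makes that an explicit error. The companion generate-gpg-keys.sh in this commit keys its `.sops.yaml` rewrite on `$HOST` rather than `${HOSTNAME}`, so the two scripts can disagree on which host they target; settling on one variable here keeps them aligned.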
diff --git a/generate-gpg-keys.sh b/generate-gpg-keys.sh
new file mode 100755
index 0000000..376005e
--- /dev/null
+++ b/generate-gpg-keys.sh
@@ -0,0 +1,36 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p gnupg ssh-to-pgp
+
+## Import user SSH key into GPG
+
+cp ~/.ssh/id_rsa /tmp/id_rsa
+ssh-keygen -p -N "" -f /tmp/id_rsa
+{
+ IFS=$'\n' read -r -d '' CAPTURED_STDERR;
+ IFS=$'\n' read -r -d '' CAPTURED_STDOUT;
+} < <((printf '\0%s\0' "$(ssh-to-pgp -private-key -i /tmp/id_rsa | gpg --import --allow-non-selfsigned-uid --quiet)" 1>&2) 2>&1)
+USER_GPG_FINGERPRINT=$(echo $CAPTURED_STDERR | awk '{print $1;}')
+echo "FINGERPRINT: ${USER_GPG_FINGERPRINT}"
+rm /tmp/id_rsa
+# set ultimate trust level
+echo "${USER_GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
+echo -e "adduid\n\n${USER}@localhost\n\nsave\nexit\n" | gpg --command-fd=0 --status-fd=1 --edit-key ${USER_GPG_FINGERPRINT}
+
+sed -i -e "s/\&user .\+$/\&user $USER_GPG_FINGERPRINT/g" .sops.yaml
+
+## Import host SSH key into GPG
+
+# Get GPG fingerprint of server RSA key
+# HOST_GPG_FINGERPRINT=$(sudo cat /etc/ssh/ssh_host_rsa_key | ssh-to-pgp -private-key | gpg --import --allow-non-selfsigned-uid --quiet 2> /dev/null | head -n 1)
+{
+ IFS=$'\n' read -r -d '' CAPTURED_STDERR;
+ IFS=$'\n' read -r -d '' CAPTURED_STDOUT;
+} < <((printf '\0%s\0' "$(sudo cat /etc/ssh/ssh_host_rsa_key | ssh-to-pgp -private-key | gpg --import --allow-non-selfsigned-uid --quiet)" 1>&2) 2>&1)
+HOST_GPG_FINGERPRINT=$(echo $CAPTURED_STDERR | awk '{print $1;}')
+echo "FINGERPRINT: ${HOST_GPG_FINGERPRINT}"
+# set ultimate trust level
+echo "${HOST_GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
+echo -e "adduid\n\n${USER}@localhost\n\nsave\nexit\n" | gpg --command-fd=0 --status-fd=1 --edit-key ${HOST_GPG_FINGERPRINT}
+
+sed -i -e "s/\&host_$HOST .\+$/\&host_$HOST $HOST_GPG_FINGERPRINT/g" .sops.yaml
+
diff --git a/secrets/.gitignore b/secrets/.gitignore
new file mode 100644
index 0000000..e69de29
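Review bot: Neither `sed` at the end of the two sections can match the anchors this commit adds to `.sops.yaml`: the user pattern `\&user .\+$` expects a space after `user` while the file has `&user_homefree …`, and the host pattern interpolates `$HOST`, which bash does not set (build.sh uses `${HOSTNAME}`), so unless HOST happens to be exported it degrades to `\&host_ .\+$`; both substitutions silently do nothing and secrets keep being encrypted to the sample fingerprints. The passphrase-stripped copy of `~/.ssh/id_rsa` is also written to the fixed path `/tmp/id_rsa` and removed only by a plain `rm` on the success path, so a failure in `ssh-to-pgp` or `gpg` leaves an unencrypted private key in a shared directory, and the script has no `set -euo pipefail` to stop on such a failure. I would use `mktemp` with an EXIT trap and anchor the sed patterns on the real anchor names (assuming the `_homefree` suffix is the host name, as the host pattern implies), as sketched below; the fingerprint extraction via `echo $CAPTURED_STDERR | awk '{print $1;}'` depends on gpg's stderr wording and deserves a comment saying so.

```bash
set -euo pipefail

## Import user SSH key into GPG

# The passphrase-stripped private key lives in a private temp file that is
# removed on any exit, not only on success.
TMP_KEY=$(mktemp)
trap 'rm -f "$TMP_KEY"' EXIT
cp ~/.ssh/id_rsa "$TMP_KEY"
ssh-keygen -p -N "" -f "$TMP_KEY"
# … unchanged: gpg import/capture (reading "$TMP_KEY"), fingerprint, ownertrust, adduid …

sed -i -e "s/\(&user_${HOSTNAME}\) .\+$/\1 $USER_GPG_FINGERPRINT/" .sops.yaml

## Import host SSH key into GPG
# … unchanged: host key import, fingerprint, ownertrust, adduid …

sed -i -e "s/\(&host_${HOSTNAME}\) .\+$/\1 $HOST_GPG_FINGERPRINT/" .sops.yaml
```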
diff --git a/secrets/README.md b/secrets/README.md
deleted file mode 100644
index 27812c0..0000000
--- a/secrets/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-Secrets config
---------------
-
-Create secrets file in this folder. Use the following commands:
-
-```
-sops authentik.yaml
-sops backup.yaml
-sops ddclient.yaml
-sops linkwarden.yaml
-sops nextcloud.yaml
-sops tailscale.yaml
-```
-
-And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
-the values as required.