.sops.yaml

@@ -1,10 +0,0 @@
-#  see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
-keys:
-  - &user_homefree 06321D7F20335A7E08595BA905D137EE114BA2C2
-  - &host_homefree 0BC4F8FF51F3167F06683FFB19008821C072983E
-creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *user_homefree
-      - *host_homefree

README.md

@@ -1,42 +1,10 @@
 HomeFree Sample Config
 ======================
 
-## Edit config
+Clone this repo and modify configuration.nix as needed, then deploy with:
-
-Clone this repo and modify configuration.nix as needed onto a freshly installed NixOS machine.
-
-## Create secrets
-
-- Generate appropriate GPG keys. You will need a private SSH key at ~/.ssh/id_rsa
 
 ```
-./generate-gpg-keys.sh
+./install.sh
 ```
 
-- Create secrets file in this folder. Use the following commands.
+Make sure to create secrets files in the secrets folder, as described by the README file in that folder.
-
-```
-sops secrets/authentik.yaml
-sops secrets/backup.yaml
-sops secrets/ddclient.yaml
-sops secrets/linkwarden.yaml
-sops secrets/nextcloud.yaml
-sops secrets/tailscale.yaml
-```
-
-And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
-the values as required.
-
-## Build
-
-```
-./build.sh
-```
-
-## You can also deploy remotely to a machine running the Live CD
-
-```
-./deploy.sh
-```
-
-BUT, you'll have to check out the source onto the server and run the `./generate-gpg-keys.sh` script again after deployment.

build.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-sudo nixos-rebuild switch --flake .#${HOSTNAME} -L

generate-gpg-keys.sh

@@ -1,36 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p gnupg ssh-to-pgp
-
-## Import user SSH key into GPG
-
-cp ~/.ssh/id_rsa /tmp/id_rsa
-ssh-keygen -p -N "" -f /tmp/id_rsa
-{
-    IFS=$'\n' read -r -d '' CAPTURED_STDERR;
-    IFS=$'\n' read -r -d '' CAPTURED_STDOUT;
-} < <((printf '\0%s\0' "$(ssh-to-pgp -private-key -i /tmp/id_rsa | gpg --import --allow-non-selfsigned-uid --quiet)" 1>&2) 2>&1)
-USER_GPG_FINGERPRINT=$(echo $CAPTURED_STDERR | awk '{print $1;}')
-echo "FINGERPRINT: ${USER_GPG_FINGERPRINT}"
-rm /tmp/id_rsa
-# set ultimate trust level
-echo "${USER_GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
-echo -e "adduid\n\n${USER}@localhost\n\nsave\nexit\n" | gpg --command-fd=0 --status-fd=1 --edit-key ${USER_GPG_FINGERPRINT}
-
-sed -i -e "s/\&user .\+$/\&user $USER_GPG_FINGERPRINT/g" .sops.yaml
-
-## Import host SSH key into GPG
-
-# Get GPG fingerprint of server RSA key
-# HOST_GPG_FINGERPRINT=$(sudo cat /etc/ssh/ssh_host_rsa_key | ssh-to-pgp -private-key | gpg --import --allow-non-selfsigned-uid --quiet 2> /dev/null | head -n 1)
-{
-    IFS=$'\n' read -r -d '' CAPTURED_STDERR;
-    IFS=$'\n' read -r -d '' CAPTURED_STDOUT;
-} < <((printf '\0%s\0' "$(sudo cat /etc/ssh/ssh_host_rsa_key | ssh-to-pgp -private-key | gpg --import --allow-non-selfsigned-uid --quiet)" 1>&2) 2>&1)
-HOST_GPG_FINGERPRINT=$(echo $CAPTURED_STDERR | awk '{print $1;}')
-echo "FINGERPRINT: ${HOST_GPG_FINGERPRINT}"
-# set ultimate trust level
-echo "${HOST_GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
-echo -e "adduid\n\n${USER}@localhost\n\nsave\nexit\n" | gpg --command-fd=0 --status-fd=1 --edit-key ${HOST_GPG_FINGERPRINT}
-
-sed -i -e "s/\&host_$HOST .\+$/\&host_$HOST $HOST_GPG_FINGERPRINT/g" .sops.yaml
-

secrets/README.md

@@ -0,0 +1,16 @@
+Secrets config
+--------------
+
+Create secrets file in this folder. Use the following commands:
+
+```
+sops authentik.yaml
+sops backup.yaml
+sops ddclient.yaml
+sops linkwarden.yaml
+sops nextcloud.yaml
+sops tailscale.yaml
+```
+
+And copy the contents from the appropriate file in the `secrets-unencrypted` folder, changing
+the values as required.