This commit is contained in:
albert 2024-05-06 12:01:37 +09:00
parent be50b769fc
commit 1df9fb9d37
No known key found for this signature in database
GPG key ID: 64F6C4EB46C4543A
5 changed files with 40 additions and 92 deletions


@ -1,65 +0,0 @@
#!/usr/bin/env bash
pushd /etc/nixos/git
# Home-Manager Setup
echo ">>> Setting up Home Manager..... "
sudo mkdir /nix/var/nix/profiles/per-user/albert
# For some reason the syncthing folder takes this over and makes it owned by root
sudo mkdir /home/albert/.config
sudo chown albert:albert /home/albert/.config
sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
home-manager switch -b backup --flake /etc/nixos/git
source ~/.bashrc
# Import and trust the GPG key
echo ">>> Setting up user GPG key..... "
gpg --import ~/keys.pgp
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
# Setup SOPS
echo "Setting up SOPS keys..... "
echo ">>> !!!!!"
echo ">>> !!!!!"
echo ">>> !!!!!"
echo ">>> !!!!! Copy this signature to .sops.yaml: "
# Currently only RSA keys are allowed
sudo ssh-to-pgp \
-comment "Generated `date +%Y.%m.%d`" \
-email "root@`hostname`" \
-i /etc/ssh/ssh_host_rsa_key \
-o /etc/nixos/git/keys/hosts/$(hostname).asc
echo ">>> !!!!!"
echo ">>> !!!!!"
echo ">>> !!!!!"
# Set up ssh keys
echo ">>> Setting up SSH Keys..... "
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
echo "" >> ./keys/ssh/keys.txt
echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
# echo ">>> Setting up Distributed Build SSH Keys..... "
# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
# echo "" >> ./keys/ssh/builder-keys.txt
# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
# Add all changes to git and and push
echo ">>> Pushing to git..... "
git add keys/hosts/`hostname`.asc
git commit -am "Setup: `hostname`"
git push
echo
echo
echo ">>> Complete. Once '.sops.yaml' is updated, "
echo ">>> run 'update-secrets' and reboot."
echo
echo
echo ">>> Reminder: Upload these changes to git"
popd


@ -10,19 +10,19 @@ sudo mkdir /home/albert/.config
sudo chown albert:albert /home/albert/.config
sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
home-manager switch -b backup --flake /etc/nixos/git
source ~/.bashrc
# source ~/.bashrc
# Import and trust the GPG key
echo ">>> Setting up user GPG key..... "
drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk {'print $2'})
sudo mkdir -p /tmp/drive
sudo cryptsetup luksOpen /dev/${drive}3 usb-luks
sudo mount /dev/mapper/usb-luks /tmp/drive
gpg --import /tmp/drive/gpg/albert@sysctl.io/keys.pgp
sudo umount /tmp/drive
sudo rmdir /tmp/drive
sudo cryptsetup luksClose /dev/mapper/usb-luks
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
# echo ">>> Setting up user GPG key..... "
# drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk {'print $2'})
# sudo mkdir -p /tmp/drive
# sudo cryptsetup luksOpen /dev/${drive}3 usb-luks
# sudo mount /dev/mapper/usb-luks /tmp/drive
# gpg --import /tmp/drive/gpg/albert@sysctl.io/keys.pgp
# sudo umount /tmp/drive
# sudo rmdir /tmp/drive
# sudo cryptsetup luksClose /dev/mapper/usb-luks
# echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
# Setup SOPS
echo "Setting up SOPS keys..... "
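Review bot: With the whole GPG block now commented out (the lines from `# echo ">>> Setting up user GPG key..... "` through `# echo -e "5\ny\n" | gpg ... trust`), nothing in this script imports or trusts the user key any more, yet the SOPS section that follows still relies on that key being in the keyring before `update-secrets` is run. If the key is now provisioned some other way, say so where the block used to be, e.g. `# User GPG key is imported out-of-band now; it must be present in ~/.gnupg before update-secrets.`, so the next reader does not re-enable the block. Otherwise delete the dead code rather than commenting it out — git history keeps it, and a commented `sudo cryptsetup luksOpen /dev/${drive}3` keyed on a hard-coded disk serial is exactly the kind of line that gets un-commented on the wrong machine. The script continues on both sides of this hunk.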


@ -11,7 +11,7 @@
ssh-add > /dev/null &> /dev/null
'';
loginShellInit = ''ssh-add'';
loginShellInit = ''ssh-add > /dev/null &> /dev/null'';
interactiveShellInit = ''
if not set -q TMUX && not set -q DISABLE_TMUX
if tmux has-session -t Main
@ -28,6 +28,16 @@
body = "__fish_default_command_not_found_handler $argv[1]";
onEvent = "fish_command_not_found";
};
# GPG related functions
encrypt = ''
set output $argv-$(ddate).enc
gpg --encrypt --armor --output $output -r $PGP_KEY_ID "$argv" && echo "Encrypted: $argv -> $output"
'';
decrypt = ''
set output $(echo $argv | rev | cut -c16- | rev)
gpg --decrypt --output $output && echo "Decrypted: $argv -> $output"
'';
update_secrets = ''
pushd /etc/nixos/git
nix develop -c \
@ -42,26 +52,15 @@
popd
'';
# Build ISOs/SD Card Images
nixos-build-all-images-verbose = ''
echo "Building Linode image..."
nixos-build-linode-img-verbose
echo "Building Raspberry Pi image..."
nixos-build-pi-img-verbose
echo "Building ISO Console image..."
nixos-build-console-verbose
echo "Building ISO Desktop image..."
nixos-build-desktop-verbose
ls -lah ~/ | grep nixos
'';
nixos-build-all-images = ''
echo "Building Linode image..."
nixos-build-linode-img
nixos-build-linode-img $argv
echo "Building Raspberry Pi image..."
nixos-build-pi-img
nixos-build-pi-img $argv
echo "Building ISO Console image..."
nixos-build-console
nixos-build-console $argv
echo "Building ISO Desktop image..."
nixos-build-desktop
nixos-build-desktop $argv
ls -lah ~/ | grep nixos
'';
nixos-build-pi-img-verbose = ''
@ -141,6 +140,11 @@
};
shellAliases = {
# GPG Related
sign = "gpg --armor --clearsign";
verify = "gpg --verify";
prime-select = "nvidia-offload";
screenshot = ''grim -g "$(slurp)" | wl-copy -t image/png'';
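Review bot: The new `decrypt` function (second hunk) never hands the input file to gpg — `gpg --decrypt --output $output` reads ciphertext from stdin, so `decrypt file.enc` blocks instead of decrypting; the line should be `gpg --decrypt --output $output "$argv" && echo "Decrypted: $argv -> $output"`. The output name is computed by dropping the last 15 characters, which presumably mirrors the `-$(ddate).enc` suffix `encrypt` appends, but `ddate` is not visible here, so a comment like `# strips the "-<ddate>.enc" suffix added by encrypt` would pin that assumption. In `encrypt`, `-r $PGP_KEY_ID` selects the recipient by a 64-bit key ID while the same config already carries the full fingerprint in `$SOPS_PGP_FP`; gpg accepts a fingerprint for `-r`, so using it avoids keeping two spellings of one key in sync. The attribute set these functions live in starts and ends outside the hunk.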


@ -12,9 +12,16 @@
programs.bash.sessionVariables = {
# SOPS comma delimited list of GPG keys allowed to edit files
# TODO Update old key fingerprints
SOPS_PGP_FP = "D98BBC6C9A27324654C2D8C464F6C4EB46C4543A";
TEST = "Hello World.";
};
programs.fish.shellInit = ''
set SOPS_PGP_FP "4A89D6B44B7E423B647C7AE848FBC3335A26DED6"
set PGP_KEY_ID "48FBC3335A26DED6"
'';
sops = {
gnupg.home = "~/.gnupg/";
gnupg.sshKeyPaths = [];
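Review bot: `set SOPS_PGP_FP "4A89…DED6"` in the added `programs.fish.shellInit` creates a fish shell variable but does not export it, so `sops` — a child process — will not see `SOPS_PGP_FP` when invoked from fish; it needs `set -gx SOPS_PGP_FP "4A89D6B44B7E423B647C7AE848FBC3335A26DED6"` (and `-gx` on `PGP_KEY_ID` only if anything other than fish functions reads it). The bash `sessionVariables` block just above still carries the old fingerprint `D98B…4543A` while fish now gets `4A89…DED6`, so the two shells disagree about which key may edit secrets, matching the `# TODO Update old key fingerprints` comment rather than resolving it; binding the fingerprint once in a `let` and referencing it from both settings would remove the drift. `TEST = "Hello World.";` looks like a leftover debug variable if it is new in this commit. The `sops` attribute set continues past the end of the hunk.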


@ -1,4 +1,6 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 4A89 D6B4 4B7E 423B 647C 7AE8 48FB C333 5A26 DED6
Comment: Albert Copeland <albert@sysctl.io>
mQINBGY0tJkBEACq+55CkqrHmqF+YHWrIgSbmmLfpo5OZTBlqfDQmrubuP8Kc1Io
Nq3EBWQOhWt0VeZ0hYpI9c5z3Oy2U9gF8NZDbXk6IEBBBxwlwF/l2LPT9oO/rHyR