From 1df9fb9d3708770df129770d6e773fd43aeecd1d Mon Sep 17 00:00:00 2001 From: albert Date: Mon, 6 May 2024 12:01:37 +0900 Subject: [PATCH] Testing --- docs/setup-no-usb.sh | 65 ----------------------- docs/setup.sh | 22 ++++---- home-manager/common/software/cli/fish.nix | 36 +++++++------ home-manager/users/albert/default.nix | 7 +++ keys/users/albert-new.asc | 2 + 5 files changed, 40 insertions(+), 92 deletions(-) delete mode 100755 docs/setup-no-usb.sh diff --git a/docs/setup-no-usb.sh b/docs/setup-no-usb.sh deleted file mode 100755 index 2d37a4f1..00000000 --- a/docs/setup-no-usb.sh +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/usr/bin/env bash -pushd /etc/nixos/git - -# Home-Manager Setup -echo ">>> Setting up Home Manager..... " -sudo mkdir /nix/var/nix/profiles/per-user/albert - -# For some reason the syncthing folder takes this over and makes it owned by root -sudo mkdir /home/albert/.config -sudo chown albert:albert /home/albert/.config -sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert -home-manager switch -b backup --flake /etc/nixos/git -source ~/.bashrc - -# Import and trust the GPG key -echo ">>> Setting up user GPG key..... " -gpg --import ~/keys.pgp -echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust - -# Setup SOPS -echo "Setting up SOPS keys..... " -echo ">>> !!!!!" -echo ">>> !!!!!" -echo ">>> !!!!!" -echo ">>> !!!!! Copy this signature to .sops.yaml: " - -# Currently only RSA keys are allowed -sudo ssh-to-pgp \ - -comment "Generated `date +%Y.%m.%d`" \ - -email "root@`hostname`" \ - -i /etc/ssh/ssh_host_rsa_key \ - -o /etc/nixos/git/keys/hosts/$(hostname).asc - -echo ">>> !!!!!" -echo ">>> !!!!!" -echo ">>> !!!!!" - -# Set up ssh keys -echo ">>> Setting up SSH Keys..... " -ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "" -echo "" >> ./keys/ssh/keys.txt -echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt -cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt - -# echo ">>> Setting up Distributed Build SSH Keys..... " -# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N "" -# echo "" >> ./keys/ssh/builder-keys.txt -# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt -# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt - -# Add all changes to git and and push -echo ">>> Pushing to git..... " -git add keys/hosts/`hostname`.asc -git commit -am "Setup: `hostname`" -git push - -echo -echo -echo ">>> Complete. Once '.sops.yaml' is updated, " -echo ">>> run 'update-secrets' and reboot." -echo -echo -echo ">>> Reminder: Upload these changes to git" - -popd 
diff --git a/docs/setup.sh b/docs/setup.sh index 7d7b9812..854c527c 100755 --- a/docs/setup.sh +++ b/docs/setup.sh @@ -10,19 +10,19 @@ sudo mkdir /home/albert/.config sudo chown albert:albert /home/albert/.config sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert home-manager switch -b backup --flake /etc/nixos/git -source ~/.bashrc +# source ~/.bashrc # Import and trust the GPG key -echo ">>> Setting up user GPG key..... " -drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk {'print $2'}) -sudo mkdir -p /tmp/drive -sudo cryptsetup luksOpen /dev/${drive}3 usb-luks -sudo mount /dev/mapper/usb-luks /tmp/drive -gpg --import /tmp/drive/gpg/albert@sysctl.io/keys.pgp -sudo umount /tmp/drive -sudo rmdir /tmp/drive -sudo cryptsetup luksClose /dev/mapper/usb-luks -echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust +# echo ">>> Setting up user GPG key..... " +# drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk {'print $2'}) +# sudo mkdir -p /tmp/drive +# sudo cryptsetup luksOpen /dev/${drive}3 usb-luks +# sudo mount /dev/mapper/usb-luks /tmp/drive +# gpg --import /tmp/drive/gpg/albert@sysctl.io/keys.pgp +# sudo umount /tmp/drive +# sudo rmdir /tmp/drive +# sudo cryptsetup luksClose /dev/mapper/usb-luks +# echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust # Setup SOPS echo "Setting up SOPS keys..... " diff --git a/home-manager/common/software/cli/fish.nix b/home-manager/common/software/cli/fish.nix index 643c9c93..d0c5865d 100644 --- a/home-manager/common/software/cli/fish.nix +++ b/home-manager/common/software/cli/fish.nix @@ -11,7 +11,7 @@ ssh-add > /dev/null &> /dev/null ''; - loginShellInit = ''ssh-add''; + loginShellInit = ''ssh-add > /dev/null &> /dev/null''; interactiveShellInit = '' if not set -q TMUX && not set -q DISABLE_TMUX if tmux has-session -t Main 
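Review bot: The GPG import block from `# echo ">>> Setting up user GPG key..... "` through the commented `gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust` line is disabled by commenting rather than removed, and `# source ~/.bashrc` is handled the same way, so the script now carries eleven lines of dead code with no explanation. If the USB-backed import is being retired, delete the block (history keeps it); if it is temporary, one comment such as `# GPG key import disabled here; import the user key by hand before running the SOPS steps below` tells the next reader why the step is skipped and what they must do instead. The "Setup SOPS" section that follows presumably still expects the user key to be in the keyring, so without that note the script can run to completion with no key imported. The script continues past the end of the hunk.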
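Review bot: In the new `loginShellInit`, `ssh-add > /dev/null &> /dev/null` redirects stdout twice: in fish `&>` already covers both stdout and stderr, so the leading `> /dev/null` is redundant, and the same pattern is visible in the unchanged `shellInit` line above it. Discarding stderr also hides a failing `ssh-add` (no agent reachable, key file missing, passphrase prompt unavailable), so the login shell gives no sign that no key was loaded. Either keep errors visible with `loginShellInit = ''ssh-add > /dev/null'';`, or write `ssh-add &> /dev/null` with a comment stating that failures are deliberately silent.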
@@ -28,6 +28,16 @@ body = "__fish_default_command_not_found_handler $argv[1]"; onEvent = "fish_command_not_found"; }; + # GPG related functions + encrypt = '' + set output $argv-$(ddate).enc + gpg --encrypt --armor --output $output -r $PGP_KEY_ID "$argv" && echo "Encrypted: $argv -> $output" + ''; + decrypt = '' + set output $(echo $argv | rev | cut -c16- | rev) + gpg --decrypt --output $output && echo "Decrypted: $argv -> $output" + ''; + update_secrets = '' pushd /etc/nixos/git nix develop -c \ @@ -42,26 +52,15 @@ popd ''; # Build ISOs/SD Card Images - nixos-build-all-images-verbose = '' - echo "Building Linode image..." - nixos-build-linode-img-verbose - echo "Building Raspberry Pi image..." - nixos-build-pi-img-verbose - echo "Building ISO Console image..." - nixos-build-console-verbose - echo "Building ISO Desktop image..." - nixos-build-desktop-verbose - ls -lah ~/ | grep nixos - ''; nixos-build-all-images = '' echo "Building Linode image..." - nixos-build-linode-img + nixos-build-linode-img $argv echo "Building Raspberry Pi image..." - nixos-build-pi-img + nixos-build-pi-img $argv echo "Building ISO Console image..." - nixos-build-console + nixos-build-console $argv echo "Building ISO Desktop image..." - nixos-build-desktop + nixos-build-desktop $argv ls -lah ~/ | grep nixos ''; nixos-build-pi-img-verbose = '' @@ -141,6 +140,11 @@ }; shellAliases = { + + # GPG Related + sign = "gpg --armor --clearsign"; + verify = "gpg --verify"; + prime-select = "nvidia-offload"; screenshot = ''grim -g "$(slurp)" | wl-copy -t image/png''; diff --git a/home-manager/users/albert/default.nix b/home-manager/users/albert/default.nix index 2c607532..d8f7fc8c 100644 --- a/home-manager/users/albert/default.nix +++ b/home-manager/users/albert/default.nix 
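Review bot: The new `decrypt` function never passes its argument to gpg: `gpg --decrypt --output $output` reads the ciphertext from stdin, so `decrypt file.enc` will sit waiting on the terminal while `$argv` is only used to derive the output name; the line should be `gpg --decrypt --output $output "$argv" && echo "Decrypted: $argv -> $output"`. The output name is produced by chopping the last fifteen characters with `rev | cut -c16- | rev`, which presumably matches a `-YYYY.MM.DD.enc` suffix from `ddate`; a pattern-based strip such as `string replace -r -- '-\d{4}\.\d{2}\.\d{2}\.enc$' '' $argv` leaves an unexpected name unchanged (exit status 1) instead of silently writing plaintext to a truncated filename. `encrypt` quotes `"$argv"` for the input but both functions leave `$output` bare; fish does not word-split variables, so that is a consistency point rather than a defect.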
@@ -12,9 +12,16 @@ programs.bash.sessionVariables = { # SOPS comma delimited list of GPG keys allowed to edit files + # TODO Update old key fingerprints SOPS_PGP_FP = "D98BBC6C9A27324654C2D8C464F6C4EB46C4543A"; + TEST = "Hello World."; }; + programs.fish.shellInit = '' + set SOPS_PGP_FP "4A89D6B44B7E423B647C7AE848FBC3335A26DED6" + set PGP_KEY_ID "48FBC3335A26DED6" + ''; + sops = { gnupg.home = "~/.gnupg/"; gnupg.sshKeyPaths = []; diff --git a/keys/users/albert-new.asc b/keys/users/albert-new.asc index 0b618c06..2ed15678 100644 --- a/keys/users/albert-new.asc +++ b/keys/users/albert-new.asc @@ -1,4 +1,6 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: 4A89 D6B4 4B7E 423B 647C 7AE8 48FB C333 5A26 DED6 +Comment: Albert Copeland mQINBGY0tJkBEACq+55CkqrHmqF+YHWrIgSbmmLfpo5OZTBlqfDQmrubuP8Kc1Io Nq3EBWQOhWt0VeZ0hYpI9c5z3Oy2U9gF8NZDbXk6IEBBBxwlwF/l2LPT9oO/rHyR
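Review bot: The new `programs.fish.shellInit` sets `SOPS_PGP_FP` and `PGP_KEY_ID` with plain `set`, which creates fish variables that are not exported; sops runs as an external process and will not see `SOPS_PGP_FP`, unlike the bash `sessionVariables` entry next to it, which as far as I can tell is exported into the bash environment. Use `set -gx SOPS_PGP_FP "4A89D6B44B7E423B647C7AE848FBC3335A26DED6"` and `set -gx PGP_KEY_ID "48FBC3335A26DED6"` so both shells present the same environment to sops and gpg. `TEST = "Hello World.";` in `sessionVariables` reads as a leftover from the commit's testing and should be dropped before merge. The bash and fish fingerprints also differ (`D98B…` versus `4A89…`), as the added TODO acknowledges; resolving that TODO in the same change avoids two shells pointing sops at different keys.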
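Review bot: The two `Comment:` lines added to the armor header of `keys/users/albert-new.asc` are not part of the key material and are not covered by any signature, so the fingerprint shown there is informational only and cannot be relied on when checking the key. Anyone importing this file should derive the fingerprint from the key itself, e.g. `gpg --show-keys --with-fingerprint keys/users/albert-new.asc`, and compare it with the value configured in `home-manager/users/albert/default.nix`. A short note to that effect next to the key, or in the setup docs, would stop the header comment from being mistaken for a verified fingerprint.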