Testing
parent
be50b769fc
commit
1df9fb9d37
5 changed files with 40 additions and 92 deletions
|
@ -1,65 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
pushd /etc/nixos/git
|
||||
|
||||
# Home-Manager Setup
|
||||
echo ">>> Setting up Home Manager..... "
|
||||
sudo mkdir /nix/var/nix/profiles/per-user/albert
|
||||
|
||||
# For some reason the syncthing folder takes this over and makes it owned by root
|
||||
sudo mkdir /home/albert/.config
|
||||
sudo chown albert:albert /home/albert/.config
|
||||
sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
|
||||
home-manager switch -b backup --flake /etc/nixos/git
|
||||
source ~/.bashrc
|
||||
|
||||
# Import and trust the GPG key
|
||||
echo ">>> Setting up user GPG key..... "
|
||||
gpg --import ~/keys.pgp
|
||||
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
|
||||
|
||||
# Setup SOPS
|
||||
echo "Setting up SOPS keys..... "
|
||||
echo ">>> !!!!!"
|
||||
echo ">>> !!!!!"
|
||||
echo ">>> !!!!!"
|
||||
echo ">>> !!!!! Copy this signature to .sops.yaml: "
|
||||
|
||||
# Currently only RSA keys are allowed
|
||||
sudo ssh-to-pgp \
|
||||
-comment "Generated `date +%Y.%m.%d`" \
|
||||
-email "root@`hostname`" \
|
||||
-i /etc/ssh/ssh_host_rsa_key \
|
||||
-o /etc/nixos/git/keys/hosts/$(hostname).asc
|
||||
|
||||
echo ">>> !!!!!"
|
||||
echo ">>> !!!!!"
|
||||
echo ">>> !!!!!"
|
||||
|
||||
# Set up ssh keys
|
||||
echo ">>> Setting up SSH Keys..... "
|
||||
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""
|
||||
echo "" >> ./keys/ssh/keys.txt
|
||||
echo "# (`date`) `whoami`@`hostname`" >> ./keys/ssh/keys.txt
|
||||
cat /home/albert/.ssh/id_ed25519.pub >> ./keys/ssh/keys.txt
|
||||
|
||||
# echo ">>> Setting up Distributed Build SSH Keys..... "
|
||||
# sudo ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""
|
||||
# echo "" >> ./keys/ssh/builder-keys.txt
|
||||
# echo "# (`date`) root@`hostname`" >> ./keys/ssh/builder-keys.txt
|
||||
# sudo cat /root/.ssh/id_ed25519.pub >> ./keys/ssh/builder-keys.txt
|
||||
|
||||
# Add all changes to git and and push
|
||||
echo ">>> Pushing to git..... "
|
||||
git add keys/hosts/`hostname`.asc
|
||||
git commit -am "Setup: `hostname`"
|
||||
git push
|
||||
|
||||
echo
|
||||
echo
|
||||
echo ">>> Complete. Once '.sops.yaml' is updated, "
|
||||
echo ">>> run 'update-secrets' and reboot."
|
||||
echo
|
||||
echo
|
||||
echo ">>> Reminder: Upload these changes to git"
|
||||
|
||||
popd
|
|
@ -10,19 +10,19 @@ sudo mkdir /home/albert/.config
|
|||
sudo chown albert:albert /home/albert/.config
|
||||
sudo chown -R albert:root /nix/var/nix/profiles/per-user/albert
|
||||
home-manager switch -b backup --flake /etc/nixos/git
|
||||
source ~/.bashrc
|
||||
# source ~/.bashrc
|
||||
|
||||
# Import and trust the GPG key
|
||||
echo ">>> Setting up user GPG key..... "
|
||||
drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk {'print $2'})
|
||||
sudo mkdir -p /tmp/drive
|
||||
sudo cryptsetup luksOpen /dev/${drive}3 usb-luks
|
||||
sudo mount /dev/mapper/usb-luks /tmp/drive
|
||||
gpg --import /tmp/drive/gpg/albert@sysctl.io/keys.pgp
|
||||
sudo umount /tmp/drive
|
||||
sudo rmdir /tmp/drive
|
||||
sudo cryptsetup luksClose /dev/mapper/usb-luks
|
||||
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
|
||||
# echo ">>> Setting up user GPG key..... "
|
||||
# drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk {'print $2'})
|
||||
# sudo mkdir -p /tmp/drive
|
||||
# sudo cryptsetup luksOpen /dev/${drive}3 usb-luks
|
||||
# sudo mount /dev/mapper/usb-luks /tmp/drive
|
||||
# gpg --import /tmp/drive/gpg/albert@sysctl.io/keys.pgp
|
||||
# sudo umount /tmp/drive
|
||||
# sudo rmdir /tmp/drive
|
||||
# sudo cryptsetup luksClose /dev/mapper/usb-luks
|
||||
# echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust
|
||||
|
||||
# Setup SOPS
|
||||
echo "Setting up SOPS keys..... "
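Review bot: The `drive=$(lsblk -o serial,name | grep NGN130R000980P2202 | awk ...)` result is used unchecked on the next line, so when the USB key with that serial is not attached `drive` is empty, `cryptsetup luksOpen /dev/3` and the mount fail, `gpg --import` reads a path that does not exist, and — with no `set -e` visible (the script header is outside the hunk) — the script carries on into the SOPS steps with no key imported; add a guard right after the lookup, `[ -n "$drive" ] || { echo ">>> key USB drive not found" >&2; exit 1; }`. The trust step `gpg --command-fd 0 --expert --edit-key albert@sysctl.io trust` selects the key by user ID rather than fingerprint, so any imported key that carries that e-mail would receive ultimate trust; pass the fingerprint instead of the address. Which of the two copies of this block is the live one is not recoverable from the page; if the page's old-then-new order holds and the import is now commented out, a one-line comment saying why (and what replaces it) would save the next reader from wondering whether the script still provisions a key at all.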
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
ssh-add > /dev/null &> /dev/null
|
||||
'';
|
||||
|
||||
loginShellInit = ''ssh-add'';
|
||||
loginShellInit = ''ssh-add > /dev/null &> /dev/null'';
|
||||
interactiveShellInit = ''
|
||||
if not set -q TMUX && not set -q DISABLE_TMUX
|
||||
if tmux has-session -t Main
|
||||
|
@ -28,6 +28,16 @@
|
|||
body = "__fish_default_command_not_found_handler $argv[1]";
|
||||
onEvent = "fish_command_not_found";
|
||||
};
|
||||
# GPG related functions
|
||||
encrypt = ''
|
||||
set output $argv-$(ddate).enc
|
||||
gpg --encrypt --armor --output $output -r $PGP_KEY_ID "$argv" && echo "Encrypted: $argv -> $output"
|
||||
'';
|
||||
decrypt = ''
|
||||
set output $(echo $argv | rev | cut -c16- | rev)
|
||||
gpg --decrypt --output $output && echo "Decrypted: $argv -> $output"
|
||||
'';
|
||||
|
||||
update_secrets = ''
|
||||
pushd /etc/nixos/git
|
||||
nix develop -c \
|
||||
|
@ -42,26 +52,15 @@
|
|||
popd
|
||||
'';
|
||||
# Build ISOs/SD Card Images
|
||||
nixos-build-all-images-verbose = ''
|
||||
echo "Building Linode image..."
|
||||
nixos-build-linode-img-verbose
|
||||
echo "Building Raspberry Pi image..."
|
||||
nixos-build-pi-img-verbose
|
||||
echo "Building ISO Console image..."
|
||||
nixos-build-console-verbose
|
||||
echo "Building ISO Desktop image..."
|
||||
nixos-build-desktop-verbose
|
||||
ls -lah ~/ | grep nixos
|
||||
'';
|
||||
nixos-build-all-images = ''
|
||||
echo "Building Linode image..."
|
||||
nixos-build-linode-img
|
||||
nixos-build-linode-img $argv
|
||||
echo "Building Raspberry Pi image..."
|
||||
nixos-build-pi-img
|
||||
nixos-build-pi-img $argv
|
||||
echo "Building ISO Console image..."
|
||||
nixos-build-console
|
||||
nixos-build-console $argv
|
||||
echo "Building ISO Desktop image..."
|
||||
nixos-build-desktop
|
||||
nixos-build-desktop $argv
|
||||
ls -lah ~/ | grep nixos
|
||||
'';
|
||||
nixos-build-pi-img-verbose = ''
|
||||
|
@ -141,6 +140,11 @@
|
|||
};
|
||||
|
||||
shellAliases = {
|
||||
|
||||
# GPG Related
|
||||
sign = "gpg --armor --clearsign";
|
||||
verify = "gpg --verify";
|
||||
|
||||
prime-select = "nvidia-offload";
|
||||
screenshot = ''grim -g "$(slurp)" | wl-copy -t image/png'';
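Review bot: In the new `decrypt` function, `gpg --decrypt --output $output` is never handed the input file, so gpg reads the ciphertext from stdin (hanging in an interactive shell) while the trailing echo still reports `$argv` as decrypted; the line should be `gpg --decrypt --output $output "$argv" && echo "Decrypted: $argv -> $output"`. The output name is derived by stripping the last 15 characters with `rev | cut -c16- | rev`, which only matches what `encrypt` appends if `ddate` yields a 10-character stamp; a comment such as `# strips the "-YYYY.MM.DD.enc" suffix added by encrypt` would record that coupling, and a check that `$argv` actually ends in `.enc` would stop it from mangling other names. Both functions depend on `$PGP_KEY_ID`, which is set in a different file of this commit, so the recipient is a 16-hex key ID rather than a full fingerprint — gpg accepts it, but a fingerprint avoids ambiguity if more keys are ever imported. The enclosing attribute set (presumably `programs.fish.functions`) starts and ends outside the hunk.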
|
||||
|
||||
|
|
|
@ -12,9 +12,16 @@
|
|||
|
||||
programs.bash.sessionVariables = {
|
||||
# SOPS comma delimited list of GPG keys allowed to edit files
|
||||
# TODO Update old key fingerprints
|
||||
SOPS_PGP_FP = "D98BBC6C9A27324654C2D8C464F6C4EB46C4543A";
|
||||
TEST = "Hello World.";
|
||||
};
|
||||
|
||||
programs.fish.shellInit = ''
|
||||
set SOPS_PGP_FP "4A89D6B44B7E423B647C7AE848FBC3335A26DED6"
|
||||
set PGP_KEY_ID "48FBC3335A26DED6"
|
||||
'';
|
||||
|
||||
sops = {
|
||||
gnupg.home = "~/.gnupg/";
|
||||
gnupg.sshKeyPaths = [];
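Review bot: The fish `set SOPS_PGP_FP "4A89…DED6"` in `programs.fish.shellInit` is not exported — fish `set` without `-x` creates a shell variable only — so the external `sops` binary never sees it; it should be `set -gx SOPS_PGP_FP "4A89D6B44B7E423B647C7AE848FBC3335A26DED6"` (`PGP_KEY_ID` can stay unexported as long as only fish functions read it). The bash and fish sides now disagree on the key: bash keeps `D98B…543A` under a TODO that calls it old while fish uses `4A89…DED6`, so a secret created from a bash session would be encrypted to the old key — either update the bash value or remove the bash copy so there is one source of truth. `TEST = "Hello World.";` reads as a leftover from the test and should not land in `sessionVariables`. The enclosing module continues outside the hunk.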
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: 4A89 D6B4 4B7E 423B 647C 7AE8 48FB C333 5A26 DED6
|
||||
Comment: Albert Copeland <albert@sysctl.io>
|
||||
|
||||
mQINBGY0tJkBEACq+55CkqrHmqF+YHWrIgSbmmLfpo5OZTBlqfDQmrubuP8Kc1Io
|
||||
Nq3EBWQOhWt0VeZ0hYpI9c5z3Oy2U9gF8NZDbXk6IEBBBxwlwF/l2LPT9oO/rHyR
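Review bot: The two added `Comment:` armor headers carry the key's fingerprint and owner, but armor headers are not covered by the key's self-signature or by any other signature — they can be edited freely without invalidating the key block — so they must not be treated as the source of truth for the `4A89 … DED6` fingerprint that the fish shellInit in this commit pins. Anyone importing this file should confirm the fingerprint against the key material itself with `gpg --show-keys` (or `--with-fingerprint`) rather than trusting the header; a short note to that effect, either as a third `Comment:` line or in the repository README, would make the intended check explicit.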
|
||||
|
|