diff --git a/docs/setup.sh b/docs/setup.sh
index 2ec8a9ca..191379c3 100755
--- a/docs/setup.sh
+++ b/docs/setup.sh
@@ -2,13 +2,13 @@ pushd /etc/nixos/git
 # Home-Manager Setup
-echo "Setting up Home Manager..... "
+echo ">>> Setting up Home Manager..... "
 sudo mkdir /nix/var/nix/profiles/per-user/albert
 home-manager switch -b backup --flake /etc/nixos/git
 source ~/.bashrc
 # Import and trust the GPG key
-echo "Setting up user GPG key..... "
+echo ">>> Setting up user GPG key..... "
 drive=$(lsblk -o serial,name | grep 012345679518 | awk {'print $2'})
 sudo mkdir /tmp/drive
 sudo cryptsetup luksOpen /dev/${drive}3 usb-luks
@@ -21,13 +21,13 @@ echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key albert@sysctl.io trus
 # Setup SOPS
 echo "Setting up SOPS keys..... "
-echo "!!!!!"
-echo "!!!!!"
-echo "!!!!!"
-echo "!!!!! Copy this signature to .sops.yaml: "
-echo "!!!!!"
-echo "!!!!!"
-echo "!!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!! Copy this signature to .sops.yaml: "
+echo ">>> !!!!!"
+echo ">>> !!!!!"
+echo ">>> !!!!!"
 sudo ssh-to-pgp \
 -comment "Generated `date +%Y.%m.%d`" \
 -email "root@`hostname`" \
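Review bot: `drive` on the `drive=$(lsblk -o serial,name | grep 012345679518 | awk {'print $2'})` line is never checked, so when the stick with that serial is not attached the next line runs `sudo cryptsetup luksOpen /dev/3 usb-luks` against a non-existent node and the GPG import that follows proceeds without its key material; add `[[ -n "$drive" ]] || { echo "encrypted key drive not found" >&2; exit 1; }` before it and quote the path as `"/dev/${drive}3"`. The hunk's function context shows `pushd /etc/nixos/git` as line 1, so there is no shebang or `set -euo pipefail` above this, and the `sudo mkdir` on the per-user profile line (no `-p`) and a failed `luksOpen` are both silently ignored on a re-run. `awk {'print $2'}` only works because the shell strips the inner quotes; `awk '{print $2}'` is the intended form.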
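Review bot: The `sudo ssh-to-pgp` call at the end of the hunk builds its `-comment` and `-email` values with backticks while the same command's `-o .../$(hostname).asc` argument (visible at the start of the next hunk) already uses `$(...)`; `-comment "Generated $(date +%Y.%m.%d)" \` and `-email "root@$(hostname)" \` would make the call consistent. The seven prefixed `echo ">>> !!!!!"` lines are one banner and read more easily as a single quoted here-doc (`cat <<'EOF' ... EOF`). The ssh-to-pgp continuation runs past the end of this hunk, so its remaining arguments are not reviewed here.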
@@ -35,29 +35,35 @@ sudo ssh-to-pgp \
 -o /etc/nixos/git/keys/hosts/$(hostname).asc
 # Set up ssh keys
-echo "Setting up SSH Keys..... "
+echo ">>> Setting up SSH Keys..... "
 ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa -N ""
 echo "" >> ./keys/ssh/keys.txt
 echo "# `whoami`@`hostname`" >> ./keys/ssh/keys.txt
 cat /home/albert/.ssh/id_rsa.pub >> ./keys/ssh/keys.txt
+echo ">>> Setting up Distributed Build SSH Keys..... "
+sudo ssh-keygen -t rsa -b 8192 -f /root/.ssh/id_rsa -N ""
+echo "" >> ./keys/ssh/builder-keys.txt
+echo "# root@`hostname`" >> ./keys/ssh/builder-keys.txt
+sudo cat /root/.ssh/id_rsa.pub >> ./keys/ssh/builder-keys.txt
+
 # Fix gnupg permissions:
-echo "Fixing ~/.gnupg permissions..... "
+echo ">>> Fixing ~/.gnupg permissions..... "
 find ~/.gnupg -type f -exec chmod 600 {} \;
 find ~/.gnupg -type d -exec chmod 700 {} \;
 # Add all changes to git and and push
-echo "Pushing to git..... "
+echo ">>> Pushing to git..... "
 git add keys/hosts/`hostname`.asc
-git commit -am "Setup: `whoami`@`hostname`"
+git commit -am "Setup: `hostname`"
 git push
 echo
 echo
-echo "Complete. Once '.sops.yaml' is updated, "
-echo "run 'update-secrets' and reboot."
+echo ">>> Complete. Once '.sops.yaml' is updated, "
+echo ">>> run 'update-secrets' and reboot."
 echo
 echo
-echo "Reminder: Upload these changes to git"
+echo ">>> Reminder: Upload these changes to git"
 popd
\ No newline at end of file
diff --git a/keys/ssh/builder-keys.txt b/keys/ssh/builder-keys.txt
index 7e6461d5..6a5d251e 100644
--- a/keys/ssh/builder-keys.txt
+++ b/keys/ssh/builder-keys.txt
@@ -1,2 +1,8 @@
 # root@nixos-vm-01
 ssh-rsa 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 root@nixos-vm-01
+
+# root@nixos-rpi4-02
+ssh-rsa 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 root@nixos-rpi4-02
+
+# root@nixos-rpi4-03
+ssh-rsa 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 root@nixos-rpi4-03
\ No newline at end of file
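Review bot: The new `sudo ssh-keygen -t rsa -b 8192 -f /root/.ssh/id_rsa -N ""` line assumes `/root/.ssh` already exists and holds no key yet; ssh-keygen does not create the parent directory, and when `/root/.ssh/id_rsa` is present it stops at an `Overwrite (y/n)?` prompt, so a second run of the setup script either errors or blocks there (the user-level `ssh-keygen -f ~/.ssh/id_rsa` context line has the same weakness). Making the step idempotent is two lines: `sudo mkdir -p -m 700 /root/.ssh` and `sudo test -f /root/.ssh/id_rsa || sudo ssh-keygen -t rsa -b 8192 -f /root/.ssh/id_rsa -N ""`. The passphrase-less root key is presumably intentional because distributed builds run unattended; a comment such as `# no passphrase: used non-interactively by nix remote builds` next to it records that decision so it is not re-questioned. The three appends to `./keys/ssh/builder-keys.txt` are relative to the `pushd /etc/nixos/git` directory from the top of the script, which is outside this hunk.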
diff --git a/nixos/common/modules/remote-builders.nix b/nixos/common/modules/remote-builders.nix
index 126659e6..87ec0055 100644
--- a/nixos/common/modules/remote-builders.nix
+++ b/nixos/common/modules/remote-builders.nix
@@ -1,7 +1,5 @@
 {
- # Allows 'root' to ssh for remote builds
- users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../keys/ssh/keys.txt ];
-
+ nix.trustedUsers = "albert";
 nix.buildMachines = [
 {
 hostName = "nixos-vm-01"; # Only availalbe on the Headscale network
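Review bot: `nix.trustedUsers = "albert";` assigns a string where, as far as I know, the option takes a list of user names, so `nix.trustedUsers = [ "albert" ];` is the form that evaluates (and `nix.settings.trusted-users` is the current name of the option on recent NixOS releases). A trusted user can override daemon settings such as substituters and signing keys on that machine, which amounts to root-level control of the store, so the line deserves a comment stating why albert needs it, e.g. `# trusted so the coordinator can push build inputs/outputs to this builder`. The removed `users.users.root.openssh.authorizedKeys.keyFiles` line was the only thing in this diff that authorized a key for the root login the removed comment says remote builds use, and the keys added to `keys/ssh/builder-keys.txt` in the previous file section are not referenced anywhere in the diff; unless another module already reads that file, the builders are left with no authorized key for root and the new `nix.buildMachines` entries cannot be reached. The `nix.buildMachines` list continues past the end of this hunk.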