remove ansible

deploy ssh host and user keys using agenix deploy ssh certificates using ssh
2023-11-14 23:53:04 +01:00 · 2023-11-14 23:53:04 +01:00 · 022a6aabb4
commit 022a6aabb4
parent dd8b23f5a9
20 changed files with 159 additions and 160 deletions
--- a/agenix.nix
+++ b/agenix.nix
@ -0,0 +1,11 @@
 {
  age = {
    identityPaths = [ "/root/age_ed25519" ];
    secrets = {
      # TODO: make machine independent
      "jefke_host_ed25519".file = ./secrets/jefke_host_ed25519.age;
      "jefke_user_ed25519".file = ./secrets/jefke_user_ed25519.age;
    };
  };
 }
--- a/ansible/.envrc
+++ b/ansible/.envrc
@ -1 +0,0 @@
 use flake
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -1,8 +0,0 @@
 [defaults]
 inventory=inventory
 vault_password_file=$HOME/.config/home/ansible-vault-secret
 host_key_checking = False
 remote_user = root
 [diff]
 always = True
--- a/ansible/deploy_secrets.yml
+++ b/ansible/deploy_secrets.yml
@ -1,32 +0,0 @@
 - name: Deploy secrets
  hosts: jefke
  tasks:
    - name: Place user certificate
      copy:
        src: files/jefke_user_ed25519.crt
        dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
    - name: Place user public key
      copy:
        src: files/jefke_user_ed25519.pub
        dest: /etc/ssh/ssh_user_ed25519_key.pub
    - name: Place user private key
      copy:
        src: files/jefke_user_ed25519
        dest: /etc/ssh/ssh_user_ed25519_key
    - name: Place host certificate
      copy:
        src: files/jefke_host_ed25519.crt
        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
    - name: Place host public key
      copy:
        src: files/jefke_host_ed25519.pub
        dest: /etc/ssh/ssh_host_ed25519_key.pub
    - name: Place host private key
      copy:
        src: files/jefke_host_ed25519
        dest: /etc/ssh/ssh_host_ed25519_key
--- a/ansible/files/jefke_host_ed25519
+++ b/ansible/files/jefke_host_ed25519
@ -1,25 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 37613631656435623262663132613734663862346638313566623466663838333634663934663539
 3035363062373461313937383365383233643861346562660a666235323134663361366635343037
 35316364633964333963363866333364333834646636326632313261633863616661373763346539
 3266346433356362620a663634356331306538386463616261626232396464663166316533613330
 63633664626261333862623366666235383862386233313761616561623932666364636237346663
 32616633616364356537336463643237383233356232363836376337343166336332386530653338
 31643635303630386166393236616237343262653862323436636465613736393762623239646538
 35666266656465656333666266326639326161323230326232363461383634356264336333663664
 61656361666430356238666366363138343239316631313861636463376462613336613631633233
 38343161356464353138376131333563633539323231646530636566386434613463623934646162
 36323665353766313034623261336336393862366561343165613733396236326365656436373930
 65633838333438356464353436343638616163363637313665333336313137623035346235323332
 36383731663366356634653837306561613037633166653939336434623637353665326538303165
 66636332363131313332663130663332393237643361363166663634633661626137346264303938
 30383132376331633938353934393939373437343438613861653837613337373638336636653039
 39336637373730333434636134633062623064653432633730366139666265373066346132373639
 64353536646639366636656634633431316330656634383234343631626138393936663637653239
 62393130366136396363633264623139323437643862343964383963663162636332386630363363
 34636535376264323564383533306162316437306462326636313936316430326235633761356138
 39666235646364353332613038623935343265346661633032303036653461396139383933316263
 36316465383063643961353031633365613962383264663636623662363461626365356330663232
 39393632366439623063326232373733333766353638393466396365663039666130383239366534
 32326139306235306332376565366137373630303363346366306337306439643866393361333032
 38626139633761613365
--- a/ansible/files/jefke_host_ed25519.pub
+++ b/ansible/files/jefke_host_ed25519.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9u root@jefke
--- a/ansible/files/jefke_user_ed25519
+++ b/ansible/files/jefke_user_ed25519
@ -1,25 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 61393933316139623835666133666433393235376532643538363733656439356465393062636265
 3236373661386566326631636333346430316264616537320a386336376239613865363032666239
 63616166363837393562643836333765393536363564636365616638333939323436383735616262
 3331363766353038620a626662666331613734313564636564633238653762336364666237353635
 36353837666366346565626162666466353661646630376261643133393966336236656234626139
 38326164366565646539396139343538636234646330623965623430303535316131636261336133
 61373763326566666565366432353535653430326466316130376337656431363038666334653332
 63646439323635303432653536643464666266303533633330663137376432353563366133663661
 31393430356235323535303562323662313936393132383162316238666162373232313736646630
 34343131393963313839393330356539636532613936383932393537346134356337306336633434
 32653961616161656136306234313335653336336230366237303336346631623735646564323962
 31316165333264613433313761393936643433323762363161393730363161613839333038363032
 63393038346365353362366639386334666134613961383033306566333361373630353539366635
 32363732353262313436376462616437363337623933363964333763396233656438346638633432
 66383338336237313266666161656633656264623532633764333565663331666665623031353265
 31646233383238313734633234653666313734343263653936333636323463653636333535656565
 30646133366265363938363561623335653239643637656339393236313535326366643238396562
 30623631656530353362613536633935343131353961353735333561626463353632623465613063
 37373661333339353030626437653863653736353939643966373834663262383035336337656335
 34333836373535373164623436666465346564356539313032316130616439323161653134646364
 32363938356235343736396431333639656366663130366439363062643137326162366563346266
 30343834386135616663613964353262333462613465646362353437373362326363326136333131
 66356466656162393038316361323335363261653036316533646563376262353039623939306663
 35333430633836373064
--- a/ansible/files/jefke_user_ed25519.pub
+++ b/ansible/files/jefke_user_ed25519.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69 root@jefke
--- a/ansible/flake.lock
+++ b/ansible/flake.lock
@ -1,27 +0,0 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1698434055,
        "narHash": "sha256-Phxi5mUKSoL7A0IYUiYtkI9e8NcGaaV5PJEaJApU1Ko=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "1a3c95e3b23b3cdb26750621c08cc2f1560cb883",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/ansible/flake.nix
+++ b/ansible/flake.nix
@ -1,26 +0,0 @@
 {
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
  };
  outputs = {
    self,
    nixpkgs,
    ...
  }: let
    supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
    forEachSupportedSystem = f:
      nixpkgs.lib.genAttrs supportedSystems (system:
        f {
          pkgs = import nixpkgs {inherit system;};
        });
  in {
    devShells = forEachSupportedSystem ({pkgs}: {
      default = pkgs.mkShell {
        packages = with pkgs; [
          ansible
        ];
      };
    });
  };
 }
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@ -1,5 +0,0 @@
 all:
  hosts:
    jefke:
      ansible_user: root
      ansible_host: jefke.hyp
--- a/configuration.nix
+++ b/configuration.nix
@ -1,5 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, config, ... }: {
-  imports = [ ./hardware-configuration.nix ./disk-config.nix ];
+  imports = [ ./hardware-configuration.nix ./disk-config.nix ./agenix.nix ];
  boot.loader = {
    systemd-boot.enable = true;
@ -31,8 +31,10 @@
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
      # TODO! machine independent
      extraConfig = ''
-        HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+        HostCertificate ${builtins.toFile "jefke_host_ed25519-cert.pub" (builtins.readFile ./jefke_host_ed25519-cert.pub)}
        HostKey ${config.age.secrets.jefke_host_ed25519.path}
      '';
    };
@ -64,9 +66,10 @@
      };
    };
    # TODO: machine independent
    extraConfig = ''
-      CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
+      CertificateFile ${builtins.toFile "jefke_user_ed25519-cert.pub" (builtins.readFile ./jefke_user_ed25519-cert.pub)}
-      HostKey /etc/ssh/ssh_user_ed25519_key
+      HostKey ${config.age.secrets.jefke_user_ed25519.path}
    '';
  };
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,49 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1696775529,
        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -20,6 +64,26 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1699781810,
        "narHash": "sha256-LD+PIUbm1yQmQmGIbSsc/PB1dtJtGqXFgxRc1C7LlfQ=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "2d7d77878c5d70f66f3d676ff66708d8d4f9d7df",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -36,6 +100,27 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682203081,
        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1671417167,
@ -70,7 +155,9 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "deploy-rs": "deploy-rs",
        "disko": "disko",
        "nixpkgs": "nixpkgs_2"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -4,11 +4,17 @@
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
    deploy-rs.url = "github:serokell/deploy-rs";
-    disko.url = "github:nix-community/disko";
+    disko = {
-    disko.inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, deploy-rs, disko, ... }:
+  outputs = { self, nixpkgs, deploy-rs, disko, agenix, ... }:
    let system = "x86_64-linux";
    in {
@ -16,7 +22,11 @@
      nixosConfigurations.hypervisor = nixpkgs.lib.nixosSystem {
        inherit system;
-        modules = [ disko.nixosModules.disko ./configuration.nix ];
+        modules = [
          disko.nixosModules.disko
          agenix.nixosModules.default
          ./configuration.nix
        ];
      };
      deploy = {
--- a/ansible/files/jefke_host_ed25519.crt
+++ b/ansible/files/jefke_host_ed25519.crt
--- a/ansible/files/jefke_user_ed25519.crt
+++ b/ansible/files/jefke_user_ed25519.crt
--- a/nixos-anywhere.sh
+++ b/nixos-anywhere.sh
@ -0,0 +1,23 @@
 #!/usr/bin/env bash
 # Create a temporary directory
 temp=$(mktemp -d)
 # Function to cleanup temporary directory on exit
 cleanup() {
  rm -rf "$temp"
 }
 trap cleanup EXIT
 # TODO from here
 # Create the directory where sshd expects to find the host keys
 install -d -m755 "$temp/etc/ssh"
 # Decrypt your private key from the password store and copy it to the temporary directory
 pass ssh_host_ed25519_key > "$temp/etc/ssh/ssh_host_ed25519_key"
 # Set the correct permissions so sshd will accept the key
 chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
 # Install NixOS to the host system with our secrets
 nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip
--- a/secrets/jefke_host_ed25519.age
+++ b/secrets/jefke_host_ed25519.age
--- a/secrets/jefke_user_ed25519.age
+++ b/secrets/jefke_user_ed25519.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,16 @@
 let
  pkgs = import <nixpkgs> { };
  lib = pkgs.lib;
  secrets = {
    jefke = {
      publicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a pim@x260"
      ];
      encryptedFiles = [ "jefke_host_ed25519.age" "jefke_user_ed25519.age" ];
    };
  };
 in lib.attrsets.mergeAttrsList (builtins.map ({ publicKeys, encryptedFiles }:
  lib.attrsets.mergeAttrsList (builtins.map
    (encryptedFile: { "${encryptedFile}" = { inherit publicKeys; }; })
    encryptedFiles)) (lib.attrsets.attrValues secrets))
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTzrsjwRmKg3JbRLY/RrWnIBfCupfFdMWZ/8AQAXg9u root@jefke`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZ3aw6gjrOt561j1Mh7kINqlavorKeujN1Q8mn/Fy69 root@jefke`