From a4bcb6cc77c66cbde6fe7b99d9108bf9c1feb1e6 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Mon, 16 Oct 2023 18:32:46 +0200
Subject: [PATCH] update helper script

---
 template/README.md | 4 +-
 template/flake.nix | 4 +-
 ...h-ssh-fingerprint.sh => install-helper.sh} | 64 ++++++++++++++++---
 3 files changed, 60 insertions(+), 12 deletions(-)
 rename template/{install-with-ssh-fingerprint.sh => install-helper.sh} (50%)

diff --git a/template/README.md b/template/README.md
index 34f4ab4..694475d 100644
--- a/template/README.md
+++ b/template/README.md
@@ -39,11 +39,11 @@ nix --extra-experimental-features nix-command --extra-experimental-features flak
 run github:numtide/nixos-anywhere -- --flake '.#mysystem' -p 22 root@192.168.178.106
 ```
-To install on remote target machine **and** print the SSH fingerprint of the new system:
+To install on remote target machine **and** print the SSH fingerprint of the new system. If no encrypted disks are set up, the disk password can be left empty:
 ```shell
 # yodaHP
-./install-with-ssh-fingerprint.sh 22 root@192.168.178.106
+./install-helper.sh 22 root@192.168.178.106
 ```
 ## Updating dependencies
diff --git a/template/flake.nix b/template/flake.nix
index d39c2f9..305381e 100644
--- a/template/flake.nix
+++ b/template/flake.nix
@@ -25,8 +25,8 @@
 ./hardware-configs/yodaHP.nix
 # Select disko disk layout configuration.
- ./disk-configs/simple-efi.nix
- #./disk-configs/zfs.nix
+ #./disk-configs/simple-efi.nix
+ ./disk-configs/luks-btrfs.nix
 #./disk-configs/luks-lvm.nix
 # Change device name match your block device.
diff --git a/template/install-with-ssh-fingerprint.sh b/template/install-helper.sh
similarity index 50%
rename from template/install-with-ssh-fingerprint.sh
rename to template/install-helper.sh
index f5ae1b2..687f8e0 100755
--- a/template/install-with-ssh-fingerprint.sh
+++ b/template/install-helper.sh
@@ -6,21 +6,59 @@ set -e
 #
 cleanup() {
- printf '%s\n' 'Deleting local copy of SSH ed25519 key ...'
- rm -rf "${temp}"
+ printf '%s\n' 'Cleanup on exit.'
+ if [ -d "${temp}" ]; then
+ printf '%s\n' 'Deleting local copy of SSH ed25519 key ...'
+ rm -rf "${temp}"
+ fi
+ if [ -d "${pwd_temp}" ]; then
+ printf '%s\n' 'Deleting local copy of disk encryption password ...'
+ rm -rf "${pwd_temp}"
+ fi
 }
 gen_ssh_key() {
 # Create a temporary directory.
 temp="$(mktemp -d)"
- # Cleanup temporary directory on exit.
- trap cleanup EXIT
 # Create the directory where sshd expects to find the host keys.
 install -d -m755 "${temp}/etc/ssh"
 # Generate host key.
 ssh-keygen -t ed25519 -f "${temp}/etc/ssh/ssh_host_ed25519_key" -q -N ""
 }
+ssh_fingerprint() {
+ printf '%s\n' 'SSH ed25519 fingerprint:'
+ ssh-keygen -lf "${temp}/etc/ssh/ssh_host_ed25519_key"
+}
+
+save_pwd() {
+ # Create a temporary directory.
+ pwd_temp="$(mktemp -d)"
+
+ # Get password from user without echoing.
+ # https://stackoverflow.com/a/3980713
+ stty -echo
+ printf "Disk encryption password: "
+ read -r password
+ stty echo
+ printf "\n"
+
+ stty -echo
+ printf "Retype disk encryption password: "
+ read -r password2
+ stty echo
+ printf "\n"
+
+ if [ "${password}" != "${password2}" ]; then
+ printf '%s\n' 'Passwords don'\''t match!'
+ return 1
+ fi
+
+ # Create password-file.
+ install -m600 /dev/stdin "${pwd_temp}/pwd.key" << EOF
+${password}
+EOF
+}
 main(){
 num_args=2
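Review bot: `save_pwd` switches echo off with `stty -echo`, but nothing switches it back on if the script dies between `stty -echo` and `stty echo` — under the file's `set -e`, `read -r` hitting EOF (or an interrupt at the prompt) exits with the terminal still not echoing, and the new `cleanup` handler does not restore it; add `stty echo 2>/dev/null || true` to `cleanup` so every exit path restores the terminal. Separately, the here-document that creates `pwd.key` writes the password with a trailing newline; if the selected disko config feeds this file to cryptsetup as a raw key file (what the `--disk-encryption-keys` usage later in this commit suggests), that newline becomes part of the key and a passphrase typed at boot will not match — write it byte-exact instead, e.g. `( umask 077; printf '%s' "${password}" > "${pwd_temp}/pwd.key" )`. The README change in this commit says the password may be left empty when no encrypted disk is configured, and `save_pwd` silently accepts that; a one-line comment on the function, `# An empty password is accepted; it is only meaningful for LUKS disk layouts.`, would make that intent visible.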
@@ -37,13 +75,23 @@ main(){
 ssh_port="${1}"
 ssh_target="${2}"
- printf '%s\n' 'Generating SSH ed25519 key ...'
+ # Cleanup temporary directories on exit.
+ trap cleanup EXIT
+
 gen_ssh_key
- printf '%s\n' 'SSH ed25519 fingerprint:'
- ssh-keygen -lf "${temp}/etc/ssh/ssh_host_ed25519_key"
+ save_pwd
+
+# echo "$temp"
+# echo "$pwd_temp"
+# echo "Press enter start the installation:"
+# read -r _foo
 # Install NixOS to the target machine with our secrets.
 nix --extra-experimental-features nix-command --extra-experimental-features flakes \
- run github:numtide/nixos-anywhere -- --extra-files "${temp}" --flake '.#mysystem' -p "${ssh_port}" "${ssh_target}"
+ run github:numtide/nixos-anywhere -- --extra-files "${temp}" \
+ --disk-encryption-keys /tmp/secret.key "${pwd_temp}/pwd.key" --flake '.#mysystem' \
+ -p "${ssh_port}" "${ssh_target}"
+
+ ssh_fingerprint
 }
 main "$@"
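Review bot: The remote path `/tmp/secret.key` in the new `--disk-encryption-keys` argument is an undocumented contract with the disk layout chosen in flake.nix (this commit switches it to `disk-configs/luks-btrfs.nix`, whose expected key-file path is not visible here); hoist it into a named variable with a comment, `remote_key="/tmp/secret.key"  # must match the passwordFile path in the selected disk-configs/*.nix`, and pass `"${remote_key}"` so a later change to the disk config cannot silently break the install. The four commented-out `# echo …`/`# read -r _foo` debug lines added before the install call are dead code left at column 0 inside `main` and should be dropped before merging. Note also that `ssh_fingerprint` now runs only after `nix run` succeeds, so on a failed install the fingerprint is never printed and `cleanup` deletes the key — acceptable, but worth stating in the comment above the call. The beginning of `main` (its argument-count check) lies outside this hunk.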