#!/usr/bin/env sh
#
# Install NixOS on a remote machine with nixos-anywhere. The script generates
# the target's SSH host key, an initrd SSH key and a disk-encryption password
# file in local temporary directories, hands them to the installer and removes
# the local copies on exit.
#
# Usage: <script> SSH_PORT SSH_TARGET   (exactly two non-empty arguments)
#
# Abort on the first failing command. Note that -e does not apply inside
# conditions or `||` lists, so critical steps are still checked explicitly.
set -e
#
# This script is based on the work of Solomon <ssbothwell@gmail.com>.
# https://github.com/solomon-b/nixos-config/blob/ca047bdbb95859ee902e4750a3b0e018f2396bfe/installer/install-server.sh
#
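# Remove the local temporary directories that hold the generated secrets.
# Registered as the EXIT trap in temp_dir(), so it runs on every exit path.
# Globals:   temp (read)     - directory with the generated SSH keys
#            pwd_temp (read) - directory with the disk encryption password file
# Outputs:   progress messages on stdout
cleanup() {
  printf '%s\n' 'Cleanup on exit.'
  # Only remove what was actually created (the variables may be unset when
  # an early step failed). "--" prevents an unusual directory name from
  # being parsed as an rm option.
  if [ -d "${temp}" ]; then
    printf '%s\n' 'Deleting local copy of SSH ed25519 key ...'
    rm -rf -- "${temp}"
  fi
  if [ -d "${pwd_temp}" ]; then
    printf '%s\n' 'Deleting local copy of disk encryption password ...'
    rm -rf -- "${pwd_temp}"
  fi
}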
# Create the local working directory for the generated keys and make sure it
# is removed again when the script exits.
# Globals:   temp (written) - path of the freshly created directory
temp_dir(){
  # The trap is installed before mktemp runs; cleanup() tolerates an unset
  # or missing directory, so a failing mktemp is handled too.
  trap cleanup EXIT
  temp=$(mktemp -d)
}
# Generate the target's SSH host key (ed25519) under ${temp}/etc/ssh.
# The private key is intentionally unencrypted (-N ""): host keys must be
# usable without a passphrase. It only ever lives in the mktemp directory.
# Globals:   temp (read)
gen_ssh_key() {
  # Parent directories, world-readable like a normal /etc/ssh.
  install -m 755 -d "$temp"/etc/ssh
  # -q keeps ssh-keygen quiet; the matching .pub file is written next to it.
  ssh-keygen -q -t ed25519 -N "" -f "$temp"/etc/ssh/ssh_host_ed25519_key
}
# Print the fingerprint of the generated SSH host key so the operator can
# verify it against what the target presents on first connection.
# Globals:   temp (read)
# Outputs:   a heading line followed by the ssh-keygen -l output on stdout
ssh_fingerprint() {
  printf '%s\n' 'host SSH ed25519 fingerprint:'
  ssh-keygen -l -f "$temp"/etc/ssh/ssh_host_ed25519_key
}
# Generate the SSH key (ed25519) used by the initrd under
# ${temp}/etc/secrets/initrd. Like the host key it has no passphrase (-N "")
# and only exists in the mktemp directory until it is copied to the target.
# Globals:   temp (read)
gen_initrd_ssh_key() {
  # Parent directories for the initrd secret.
  install -m 755 -d "$temp"/etc/secrets/initrd
  # -q keeps ssh-keygen quiet; the matching .pub file is written next to it.
  ssh-keygen -q -t ed25519 -N "" -f "$temp"/etc/secrets/initrd/ssh_host_ed25519_key
}
# Print the fingerprint of the generated initrd SSH key so the operator can
# verify it when connecting to the initrd (e.g. to unlock the disk).
# Globals:   temp (read)
# Outputs:   a heading line followed by the ssh-keygen -l output on stdout
initrd_ssh_fingerprint() {
  printf '%s\n' 'initrd SSH ed25519 fingerprint:'
  ssh-keygen -l -f "$temp"/etc/secrets/initrd/ssh_host_ed25519_key
}
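# Prompt for one secret on the terminal without echoing it.
# Terminal echo is switched back on whether or not the read succeeds, so an
# EOF or read error no longer leaves the terminal with echo disabled.
# Arguments: $1 - prompt text (printed to stderr so stdout carries only the secret)
# Outputs:   the entered line on stdout (no trailing newline)
# Returns:   the exit status of read (non-zero on EOF/error)
_read_secret() {
  printf '%s' "$1" >&2
  # https://stackoverflow.com/a/3980713
  stty -echo
  _rs_status=0
  read -r _rs_line || _rs_status=$?
  stty echo
  printf '\n' >&2
  printf '%s' "${_rs_line}"
  return "${_rs_status}"
}

# Ask for the disk encryption password twice and store it in a password file
# inside a fresh temporary directory.
# Globals:   pwd_temp (written)  - directory holding pwd.key (mode 600)
#            password, password2 (written) - the two entered values
# Outputs:   prompts on stderr; the mismatch message on stdout
# Returns:   1 when a prompt could not be read or the two entries differ
save_pwd() {
  # mktemp -d creates the directory with owner-only permissions.
  pwd_temp="$(mktemp -d)"

  # A failed read returns early instead of silently continuing with an
  # empty password (which the original flow would have written to disk).
  password=$(_read_secret 'Disk encryption password: ') || return 1
  password2=$(_read_secret 'Retype disk encryption password: ') || return 1

  if [ "${password}" != "${password2}" ]; then
    printf '%s\n' 'Passwords don'\''t match!'
    return 1
  fi

  # Write the password file with owner-only permissions. The heredoc keeps
  # the value off the command line, so it does not show up in `ps` output.
  install -m600 /dev/stdin "${pwd_temp}/pwd.key" << EOF
${password}
EOF
}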
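# Entry point: validate the two arguments, generate the secrets locally and
# run the nixos-anywhere installer against the target.
# Arguments: $1 - SSH port of the target (decimal number)
#            $2 - SSH target (e.g. user@host)
# Globals:   ssh_port, ssh_target (written); temp, pwd_temp (written by helpers)
# Outputs:   error messages on stderr; fingerprints of the new keys on stdout
# Returns:   1 on invalid arguments, otherwise the status of the last command
main(){
  num_args=2
  if [ "$#" -ne "${num_args}" ]; then
    printf '%s%s%s\n' 'ERROR: ' "${num_args}" ' arguments required' >&2
    return 1
  fi
  for arg in "$@"; do
    if [ -z "${arg}" ]; then
      printf '%s\n' 'ERROR: All given args must not be empty' >&2
      return 1
    fi
  done
  ssh_port="${1}"
  ssh_target="${2}"

  # Reject anything that is not a plain decimal port number before it is
  # handed on to nixos-anywhere / ssh.
  case "${ssh_port}" in
    *[!0-9]*)
      printf '%s\n' 'ERROR: SSH port must be a decimal number' >&2
      return 1
      ;;
  esac

  temp_dir
  gen_ssh_key
  gen_initrd_ssh_key
  save_pwd

  # echo "$temp"
  # echo "$pwd_temp"
  # echo "Press enter start the installation:"
  # read -r _foo

  # Install NixOS to the target machine with our secrets:
  #   --extra-files copies the generated host/initrd keys into the new system,
  #   --disk-encryption-keys copies pwd.key to /tmp/secret.key on the target,
  #   --flake '.#mysystem' expects to be run from the directory holding the flake.
  # NOTE(review): github:numtide/nixos-anywhere is an unpinned flake reference
  # that resolves to the branch head at run time; pinning a revision would make
  # the installer reproducible and reviewable.
  nix --extra-experimental-features nix-command --extra-experimental-features flakes \
    run github:numtide/nixos-anywhere -- --extra-files "${temp}" \
    --disk-encryption-keys /tmp/secret.key "${pwd_temp}/pwd.key" --flake '.#mysystem' \
    -p "${ssh_port}" "${ssh_target}"

  ssh_fingerprint
  initrd_ssh_fingerprint
}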
# Run the installer with the script's arguments (SSH port, SSH target).
main "$@"