swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 17:17:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: make bootstrapper more secure (confirm pw)

Browse source
This commit is contained in:
Swarsel 2024-12-28 12:46:15 +01:00
parent 47b99bb39d
commit 71a9020d17
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
2 changed files with 84 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

31
SwarselSystems.org
View file

@ -2959,6 +2959,13 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
red "Swap: X" red "Swap: X"
fi fi
SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
green "Secure Boot: ✓"
else
red "Secure Boot: X"
fi
ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination" ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
# ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
ssh_root_cmd=${ssh_cmd/${target_user}@/root@} ssh_root_cmd=${ssh_cmd/${target_user}@/root@}
@ -2994,23 +3001,27 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
# when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
# via the config # via the config
if [ "$disk_encryption" -eq 1 ]; then if [ "$disk_encryption" -eq 1 ]; then
green "--encryption set: Preparing a temporary password for disko." while true; do
green "[Optional] Set disk encryption passphrase:" green "Set disk encryption passphrase:"
read -rs luks_passphrase read -rs luks_passphrase
if [ -n "$luks_passphrase" ]; then green "Please confirm passphrase:"
read -rs luks_passphrase_confirm
if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
$ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
break
else else
$ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'" red "Passwords do not match"
fi fi
else done
green "--encryption not set: Not using disk encryption.."
fi fi
# ------------------------ # ------------------------
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
if [[ $SECUREBOOT == "true" ]]; then
green "Injecting initialSetup" green "Injecting initialSetup"
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
fi
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@ -3034,6 +3045,8 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
done done
# ------------------------ # ------------------------
if [[ $SECUREBOOT == "true" ]]; then
green "Setting up secure boot keys" green "Setting up secure boot keys"
$ssh_root_cmd "mkdir -p /var/lib/sbctl" $ssh_root_cmd "mkdir -p /var/lib/sbctl"
read -ra scp_call <<< "${scp_cmd}" read -ra scp_call <<< "${scp_cmd}"
@ -3042,6 +3055,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
# ------------------------ # ------------------------
green "restoring hardware-configuration" green "restoring hardware-configuration"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
fi
if [ -n "$persist_dir" ]; then if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
@ -3121,11 +3135,6 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
echo echo
fi fi
# # ------------------------
# green "Enrolling secure boot keys"
# $ssh_root_cmd "sbctl enroll-keys --microsoft"
# ------------------------
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "${git_root}" cd "${git_root}"
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe

31
scripts/bootstrap.sh
View file

@ -151,6 +151,13 @@ else
red "Swap: X" red "Swap: X"
fi fi
SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
green "Secure Boot: ✓"
else
red "Secure Boot: X"
fi
ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination" ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
# ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
ssh_root_cmd=${ssh_cmd/${target_user}@/root@} ssh_root_cmd=${ssh_cmd/${target_user}@/root@}
@ -186,23 +193,27 @@ ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
# when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
# via the config # via the config
if [ "$disk_encryption" -eq 1 ]; then if [ "$disk_encryption" -eq 1 ]; then
green "--encryption set: Preparing a temporary password for disko." while true; do
green "[Optional] Set disk encryption passphrase:" green "Set disk encryption passphrase:"
read -rs luks_passphrase read -rs luks_passphrase
if [ -n "$luks_passphrase" ]; then green "Please confirm passphrase:"
read -rs luks_passphrase_confirm
if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
$ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
break
else else
$ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'" red "Passwords do not match"
fi fi
else done
green "--encryption not set: Not using disk encryption.."
fi fi
# ------------------------ # ------------------------
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
if [[ $SECUREBOOT == "true" ]]; then
green "Injecting initialSetup" green "Injecting initialSetup"
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" $ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
fi
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
@ -226,6 +237,8 @@ while true; do
done done
# ------------------------ # ------------------------
if [[ $SECUREBOOT == "true" ]]; then
green "Setting up secure boot keys" green "Setting up secure boot keys"
$ssh_root_cmd "mkdir -p /var/lib/sbctl" $ssh_root_cmd "mkdir -p /var/lib/sbctl"
read -ra scp_call <<< "${scp_cmd}" read -ra scp_call <<< "${scp_cmd}"
@ -234,6 +247,7 @@ $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
# ------------------------ # ------------------------
green "restoring hardware-configuration" green "restoring hardware-configuration"
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
fi
if [ -n "$persist_dir" ]; then if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
@ -313,11 +327,6 @@ else
echo echo
fi fi
# # ------------------------
# green "Enrolling secure boot keys"
# $ssh_root_cmd "sbctl enroll-keys --microsoft"
# ------------------------
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "${git_root}" cd "${git_root}"
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe