diff options
-rw-r--r-- | lass/5pkgs/l-gen-secrets/default.nix | 102 |
1 files changed, 64 insertions, 38 deletions
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 6cb60eaa1..b6e565245 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -1,56 +1,82 @@ { pkgs }: -pkgs.writeDashBin "l-gen-secrets" '' - HOSTNAME="$1" +pkgs.writers.writeDashBin "l-gen-secrets" '' + set -efu + HOSTNAME=$1 TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + if [ "''${DRYRUN-n}" = "n" ]; then + trap 'rm -rf $TMPDIR' EXIT + else + echo "$TMPDIR" + set -x + fi + mkdir -p $TMPDIR/out + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + # ssh ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null - ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null - ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null - ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key - ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub - cat <<EOF > $TMPDIR/hashedPasswords.nix + ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/ + + # tor + ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 || : + ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv + + # tinc + ${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc + ${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null + ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv + ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv + + # wireguard + ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key + ${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub + + # system passwords + cat <<EOF > $TMPDIR/out/hashedPasswords.nix { root = "$HASHED_PASSWORD"; mainUser = "$HASHED_PASSWORD"; } EOF - cd $TMPDIR - for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null - done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null + set +f + if [ "''${DRYRUN-n}" = "n" ]; then + cd $TMPDIR/out + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null + ${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null + fi + set -f cat <<EOF - $HOSTNAME = { - nets = { - retiolum = { - ip4.addr = "10.243.0.changeme"; - ip6.addr = r6 "changeme"; - aliases = [ - "$HOSTNAME.r" - ]; - tinc.pubkey = ${"''"} - $(cat $TMPDIR/retiolum.rsa_key.pub) - ${"''"}; - }; - wiregrill = { - ip6.addr = w6 "changeme"; - aliases = [ - "$HOSTNAME.w" - ]; - wireguard.pubkey = ${"''"} - $(cat $TMPDIR/wiregrill.pub) - ${"''"}; - }; + { r6, w6, ... }: + { + nets = { + retiolum = { + ip4.addr = "10.243.0.changeme"; + ip6.addr = r6 "changeme"; + aliases = [ + "$HOSTNAME.r" + ]; + tinc.pubkey = ${"''"} + $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/ /') + ${"''"}; + tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')"; + }; + wiregrill = { + ip6.addr = w6 "changeme"; + aliases = [ + "$HOSTNAME.w" + ]; + wireguard.pubkey = ${"''"} + $(cat $TMPDIR/wiregrill.pub) + ${"''"}; }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; }; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + } EOF - - rm -rf $TMPDIR '' - |