summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lass/5pkgs/l-gen-secrets/default.nix102
1 files changed, 64 insertions, 38 deletions
diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix
index 6cb60eaa1..b6e565245 100644
--- a/lass/5pkgs/l-gen-secrets/default.nix
+++ b/lass/5pkgs/l-gen-secrets/default.nix
@@ -1,56 +1,82 @@
{ pkgs }:
-pkgs.writeDashBin "l-gen-secrets" ''
- HOSTNAME="$1"
+pkgs.writers.writeDashBin "l-gen-secrets" ''
+ set -efu
+ HOSTNAME=$1
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+ if [ "''${DRYRUN-n}" = "n" ]; then
+ trap 'rm -rf $TMPDIR' EXIT
+ else
+ echo "$TMPDIR"
+ set -x
+ fi
+ mkdir -p $TMPDIR/out
+
PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
+ # ssh
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
- ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
- ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
- ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key
- ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub
- cat <<EOF > $TMPDIR/hashedPasswords.nix
+ ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/
+
+ # tor
+ ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 || :
+ ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv
+
+ # tinc
+ ${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc
+ ${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null
+ ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv
+ ${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv
+
+ # wireguard
+ ${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key
+ ${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub
+
+ # system passwords
+ cat <<EOF > $TMPDIR/out/hashedPasswords.nix
{
root = "$HASHED_PASSWORD";
mainUser = "$HASHED_PASSWORD";
}
EOF
- cd $TMPDIR
- for x in *; do
- ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
- done
- echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null
+ set +f
+ if [ "''${DRYRUN-n}" = "n" ]; then
+ cd $TMPDIR/out
+ for x in *; do
+ ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
+ done
+ echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null
+ ${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null
+ fi
+ set -f
cat <<EOF
- $HOSTNAME = {
- nets = {
- retiolum = {
- ip4.addr = "10.243.0.changeme";
- ip6.addr = r6 "changeme";
- aliases = [
- "$HOSTNAME.r"
- ];
- tinc.pubkey = ${"''"}
- $(cat $TMPDIR/retiolum.rsa_key.pub)
- ${"''"};
- };
- wiregrill = {
- ip6.addr = w6 "changeme";
- aliases = [
- "$HOSTNAME.w"
- ];
- wireguard.pubkey = ${"''"}
- $(cat $TMPDIR/wiregrill.pub)
- ${"''"};
- };
+ { r6, w6, ... }:
+ {
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.changeme";
+ ip6.addr = r6 "changeme";
+ aliases = [
+ "$HOSTNAME.r"
+ ];
+ tinc.pubkey = ${"''"}
+ $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/ /')
+ ${"''"};
+ tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')";
+ };
+ wiregrill = {
+ ip6.addr = w6 "changeme";
+ aliases = [
+ "$HOSTNAME.w"
+ ];
+ wireguard.pubkey = ${"''"}
+ $(cat $TMPDIR/wiregrill.pub)
+ ${"''"};
};
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
};
+ ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
+ }
EOF
-
- rm -rf $TMPDIR
''
-