bootstrapping

default bootstrap password think this is required pw update pseudoterm change pw
2025-01-02 16:21:43 +01:00 · 2025-01-02 16:21:43 +01:00 · 08a7004dda
commit 08a7004dda
parent 3d7a1d7b44
10 changed files with 126 additions and 14 deletions
--- a/flake.nix
+++ b/flake.nix
@ -23,17 +23,16 @@
    inputs@{ self, nixpkgs, ... }:
    let
      kclib = import ./lib.nix {
-        nixpkgs = inputs.nixpkgs;
        inputs = inputs;
      };
    in
    {
      nixosConfigurations = {
-        tailscale-proxy = kclib.mkHost {
-          name = "tailscale-proxy";
+        bootstrap = kclib.mkHost {
+          name = "bootstrap";
        };
-        entrypoint = kclib.mkHost {
-          name = "entrypoint";
+        etcd0 = kclib.mkHost {
+          name = "etcd0";
        };
        hydra = kclib.mkHost {
          name = "hydra";
--- a/hosts/base/hardware-config.nix
+++ b/hosts/base/hardware-config.nix
@ -1,7 +1,5 @@
 {
-  config,
  lib,
-  pkgs,
  modulesPath,
  ...
 }:
--- a/hosts/bootstrap/default.nix
+++ b/hosts/bootstrap/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+{
+  kropcloud = {
+    networking.enable = false;
+    admin.password = "changeme";
+  };
+}
--- a/hosts/etcd0/default.nix
+++ b/hosts/etcd0/default.nix
@ -0,0 +1,18 @@
+{ ... }:
+{
+  kropcloud =
+    let
+      serverIp = "192.168.1.161";
+    in
+    {
+      services = {
+      };
+      networking = {
+        ipv4 = {
+          address = serverIp;
+          prefixLength = 24;
+          defaultGateway = "192.168.1.1";
+        };
+      };
+    };
+}
--- a/lib.nix
+++ b/lib.nix
@ -1,5 +1,4 @@
 {
-  nixpkgs,
  inputs,
 }:
 {
@ -8,7 +7,7 @@
      name,
      arch ? "x86_64-linux",
    }:
-    nixpkgs.lib.nixosSystem {
+    inputs.nixpkgs.lib.nixosSystem {
      system = arch;
      modules = [
        ./hosts/base
--- a/nixosModules/users/default.nix
+++ b/nixosModules/users/default.nix
@ -14,6 +14,11 @@ in
      default = [ ];
      description = "List of SSH public keys to authorize for the admin user.";
    };
+    password = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Password for the admin user. Should be used only for initial setup.";
+    };
  };

  config = {
@ -21,11 +26,15 @@ in
    age.secrets.mypassword.file = ../../secrets/mypassword.age;

    # Define the admin user
-    users.users.${cfg.user} = {
-      passwordFile = config.age.secrets.mypassword.path;
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = cfg.sshKeys;
+    users = {
+      mutableUsers = false;
+      users.${cfg.user} = {
+        password = if cfg.password != null then cfg.password else null;
+        hashedPasswordFile = if cfg.password != null then null else config.age.secrets.mypassword.path;
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = cfg.sshKeys;
+      };
    };
  };
 }
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Parameters
+ip=$1
+if [ -z "$ip" ]; then
+    echo "Usage: $0 <ip>"
+    exit 1
+fi
+
+# This script is used to bootstrap nixos machine so I can get their ssh keys
+
+nix run \
+    github:nix-community/nixos-anywhere \
+    -- \
+    --flake '.#bootstrap' \
+    --target-host root@$ip \
+    --build-on-remote
+
+ret=$?
+if [ $ret -ne 0 ]; then
+    echo "Failed to bootstrap $ip"
+    exit $ret
+fi
--- a/scripts/install.sh
+++ b/scripts/install.sh
@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Parameters
+ip=$1
+host=$2
+if [ -z "$ip" ] || [ -z "$host" ]; then
+    echo "Usage: $0 <ip> <host>"
+    exit 1
+fi
+
+# This script is used to bootstrap nixos machine so I can get their ssh keys
+
+nixos-rebuild boot \
+    --flake ".#$host" \
+    --fast \
+    --target-host krop@$ip \
+    --build-host krop@$ip \
+    --use-remote-sudo
+
+ret=$?
+if [ $ret -ne 0 ]; then
+    echo "Failed to install $host"
+    exit $ret
+fi
+
+echo "Successfully installed $host, rebooting"
+
+ssh -t krop@$ip "sudo reboot now"
+
+ret=$?
+if [ $ret -ne 0 ]; then
+    echo "Failed to reboot $host"
+    exit $ret
+fi
--- a/scripts/update.sh
+++ b/scripts/update.sh
@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Parameters
+ip=$1
+if [ -z "$ip" ]; then
+    echo "Usage: $0 <ip>"
+    exit 1
+fi
+
+# This script is used to bootstrap nixos machine so I can get their ssh keys
+
+nixos-rebuild switch \
+    --flake ".#$host" \
+    --fast \
+    --target-host krop@$ip \
+    --build-host krop@$ip \
+    --use-remote-sudo
+
+ret=$?
+if [ $ret -ne 0 ]; then
+    echo "Failed to update $ip"
+    exit $ret
+fi
+
+echo "Successfully updated $ip, rebooting"
--- a/secrets/mypassword.age
+++ b/secrets/mypassword.age