Generate Secrets

Using a Just file, we can generate secrets for a machine.

# List the available recipes (this runs when `just` is invoked with no arguments).
default:
    @just --list

# Print the skarabox help text.
skarabox:
    #!/run/current-system/sw/bin/bash
    # NOTE(review): bash variable names cannot contain '-', so ${skarabox-help} is the
    # "${parameter-default}" expansion: it cats a file literally named "help" (or the
    # value of $skarabox if that environment variable happens to be set). This looks
    # like Nix-style interpolation copied into the Justfile; confirm where the help
    # text is meant to come from before relying on this recipe.
    cat ${skarabox-help}

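# Generate the per-host secrets (disk passphrases, hostid, SSH host/user keys and the
# derived age keys) under ../hosts/<hostname>/secrets. Usage: `just generate_secrets myhost`.
# Refuses to overwrite an existing set so the disk-encryption passphrases of an
# already-installed host cannot be regenerated by accident.
generate_secrets hostname="<HOSTNAME>":
    #!/run/current-system/sw/bin/bash
    set -euo pipefail

    # The hostname comes from the recipe argument; the placeholder default is rejected
    # below so the recipe cannot run half-configured. (The original `hostname = <HOSTNAME>`
    # form was not a bash assignment - spaces around '=' make it a command invocation.)
    hostname="{{hostname}}"
    host_dir="../hosts/$hostname"

    if [[ -z "$hostname" || "$hostname" == "<"*">" ]]; then
        echo "generate_secrets: no hostname given (usage: just generate_secrets <hostname>)" >&2
        exit 1
    fi

    mkdir -p "$host_dir"
    # Everything written from here on is secret material: create the directory and every
    # file owner-only (0700/0600) up front instead of relying on a later chmod, so the
    # passphrases and private keys are never world-readable even for an instant.
    umask 077
    mkdir -p "$host_dir/secrets"
    cd "$host_dir/secrets"

    # Never silently replace secrets that may already be baked into a deployed host.
    for existing in root_passphrase data_passphrase hostid "ssh_$hostname" ssh_host_ed25519_key age_host_key; do
        if [[ -e "$existing" ]]; then
            echo "generate_secrets: $PWD/$existing already exists; refusing to overwrite" >&2
            exit 1
        fi
    done

    # Run a package from nixpkgs via flakes without requiring it to be installed.
    nix_run() {
        nix --extra-experimental-features "flakes nix-command" run "$@"
    }

    echo -e "Generating Root Passphrase..."
    nix_run nixpkgs#openssl -- rand -hex 64 > root_passphrase

    echo -e "Generating Data Passphrase...\n"
    nix_run nixpkgs#openssl -- rand -hex 64 > data_passphrase

    # The first 8 characters of a UUID are hex digits, which is the format hostid needs.
    echo -e "Generating HostID...\n"
    uuidgen | head -c 8 > hostid

    echo -e "Generating age-secret SSH Private and Public Keys...\n"
    ssh-keygen -t ed25519 -N "" -f "ssh_$hostname" -C "vince@$hostname" && chmod 600 "ssh_$hostname"

    echo -e "Generating Machine+Data SSH Private and Public Keys...\n"
    ssh-keygen -t ed25519 -N "" -f ssh_host_ed25519_key -C "root@$hostname" && chmod 600 ssh_host_ed25519_key

    # Derive the age identity/recipient from the SSH host key so sops can decrypt on the host.
    echo -e "Generating Age Key..."
    nix_run nixpkgs#ssh-to-age -- -private-key -i ./ssh_host_ed25519_key -o ./age_host_key

    echo -e "Generating Public Age Key...\n"
    nix_run nixpkgs#ssh-to-age -- -i ./ssh_host_ed25519_key.pub -o ./age_host_key.pub

    # Only public material is printed; the private keys and passphrases stay on disk
    # (plaintext - keep this directory out of version control).
    echo -e "\nThis is your User/Data Public SSH Key: "
    cat "ssh_$hostname.pub"

    echo -e "\nThis is your Host Public SSH Key: "
    cat ssh_host_ed25519_key.pub

    echo -e "\nThis is your Age Public Key: "
    cat age_host_key.pub

    echo -e "\nPlease Read documentation to understand where these belong for SOPS Configuration."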

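# Install NixOS onto a fresh machine with nixos-anywhere, seeding the disk-encryption
# keys from ../hosts/<hostname>/secrets (produced by `generate_secrets`).
# Usage: `just install myhost root 192.0.2.10` (user and address are constructed examples).
install hostname="<HOSTNAME>" user="<USER>" ip_hostname="<IP_ADDRESS/HOSTNAME>":
    #!/run/current-system/sw/bin/bash
    set -euo pipefail

    # Recipe arguments; the placeholder defaults are rejected below. (The original
    # `name = <VALUE>` lines were not bash assignments - spaces around '=' make them commands.)
    hostname="{{hostname}}"
    user="{{user}}"
    ip_hostname="{{ip_hostname}}"
    host_dir="../hosts/$hostname"
    secrets_dir="$host_dir/secrets"

    for value in "$hostname" "$user" "$ip_hostname"; do
        if [[ -z "$value" || "$value" == "<"*">" ]]; then
            echo "install: usage: just install <hostname> <user> <ip-or-hostname>" >&2
            exit 1
        fi
    done

    # Fail before touching the target if any key file is missing, rather than letting
    # nixos-anywhere discover it mid-install.
    for secret in ssh_host_ed25519_key data_passphrase root_passphrase; do
        if [[ ! -f "$secrets_dir/$secret" ]]; then
            echo "install: missing $secrets_dir/$secret (run 'just generate_secrets $hostname' first)" >&2
            exit 1
        fi
    done

    # Trace from here on: -x echoes the nixos-anywhere command line (paths to the key
    # files), not the key contents.
    set -x

    # `${nixos-anywhere}/bin/nixos-anywhere` in bash is the "${parameter-default}" expansion
    # (bash names cannot contain '-'), so it resolved to "anywhere/bin/nixos-anywhere"; it
    # appears to have been Nix interpolation. Run the tool from its flake instead.
    # Other fixes vs the original: '.#$hostname' in single quotes never expanded, and
    # `$user$@$ip_hostname` dropped the '@' because `$@` is the positional-parameter list.
    # --disk-encryption-keys <remote path> <local file>: the file is copied to the target
    # before the disk is partitioned so the installer can set up the encrypted volumes.
    nix --extra-experimental-features "flakes nix-command" run github:nix-community/nixos-anywhere -- \
        --flake ".#$hostname" \
        --disk-encryption-keys /tmp/host_key "$secrets_dir/ssh_host_ed25519_key" \
        --disk-encryption-keys /tmp/data_passphrase "$secrets_dir/data_passphrase" \
        --disk-encryption-keys /tmp/root_passphrase "$secrets_dir/root_passphrase" \
        --ssh-port 22 \
        --target-host "$user@$ip_hostname"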