diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4c2d8aa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,53 @@
+
+## Deploy
+Everything (all servers, all clients)
+
+```bash
+colmena apply switch
+```
+
+All Clients
+
+```bash
+colmena apply switch --on@client
+```
+
+Append `--on=HOSTNAME` or `--on=@TAG` to target specific hosts.
+
+
+### Building disk image
+You can build a ready to use disk image containing the whole system using the following command:
+
+```bash
+nix build .#images.
+```
+
+
+## Secret management
+Secrets are encrypted using sops.
+Sops encrypts the secrets for all administrators and the target machines using the secret.
+
+### Prepare your system
+You must derive an age key from your SSH key:
+```bash
+mkdir -p ~/.config/sops/age
+read -s SSH_TO_AGE_PASSPHRASE
+export SSH_TO_AGE_PASSPHRASE
+ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
+unset SSH_TO_AGE_PASSPHRASE
+```
+
+### Edit/show secrets
+Secrets are stored in `secrets.yaml` or in files in the `secrets` folder.
+To show or edit their content, use the `sops` command. I.e.:
+
+```
+sops machines/nfs/secrets.yaml
+```
+
+### Update encryption after fresh deployment
+The target machines ues the SSH host key of the target system to decryt the secrets required for that machine.
+Therefore the host keys spcified in `sops-config.nix` must be kept in sync with the actual host keys.
+These keys change after a fresh installation (a re-deployment, a changed disk, a lost filesystem).
+After the keys have been updates, the `contrib/updatekeys.sh` script must be executed.
+
diff --git a/contrib/updatekeys.sh b/contrib/updatekeys.sh
new file mode 100755
index 0000000..7e23f54
--- /dev/null
+++ b/contrib/updatekeys.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p yq
+#shellcheck shell=bash
+
+if [[ ! -f ".sops.yaml" ]]; then
+ echo "Error: .sops.yaml file not found in $(pwd)"
+ echo "Please ensure you are running this script from the repository root directory."
+ exit 1
+fi
+
+# Schritt 1: Alle Regex aus der .sops.yaml-Datei extrahieren
+regex_list=$(yq -r '.creation_rules[].path_regex' .sops.yaml)
+
+# Schritt 2: Alle Dateien finden, die zu den Regex passen
+matching_files=()
+for regex in $regex_list; do
+ # Entferne eventuelle ^ und $ Zeichen, damit die Regex auch in find funktionieren
+ simplified_regex=$(echo "$regex" | sed 's/^\^//;s/\$$//')
+ found_files=$(find . -type f | grep -E "$simplified_regex")
+
+ # Füge die gefundenen Dateien zur Liste hinzu
+ for file in $found_files; do
+ matching_files+=("$file")
+ done
+done
+
+# Deduplizieren der Dateiliste mit mapfile
+mapfile -t unique_files < <(printf "%s\n" "${matching_files[@]}" | sort -u)
+
+# Schritt 3: sops updatekeys für jede Datei ausführen
+for file in "${unique_files[@]}"; do
+ echo "Updating keys for: $file"
+ sops updatekeys -y "$file"
+done
+
+echo "Finished updating keys."
\ No newline at end of file
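Review bot: When no file matches any path_regex, `printf "%s\n" "${matching_files[@]}"` on the empty array still emits one empty line, so `unique_files` becomes `("")` and the final loop runs `sops updatekeys -y ""`; in the same loop a non-zero exit from `sops updatekeys` is never checked, so the script prints "Finished updating keys." and exits 0 even when a secrets file is still encrypted only to the stale host keys, which is exactly the state the README says this script exists to fix. The unquoted `$regex_list` and `$found_files` expansions also word-split and glob-expand (a `.*` inside a path_regex is subject to pathname expansion before it reaches `sed`) and break on paths containing whitespace. I would add `set -euo pipefail` after the shebang lines, read the regexes and the `find` results with `mapfile`/`read -d ''`, bail out explicitly on an empty match list, and stop on the first `sops updatekeys` failure, as sketched below; the two `echo` lines in the `.sops.yaml` check should also go to stderr with `>&2`. The German comments would be easier on future readers translated to English, e.g. `# Step 1: extract every path_regex from .sops.yaml`.
```shell
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p yq
#shellcheck shell=bash
set -euo pipefail

# … unchanged: .sops.yaml presence check (send its echo lines to >&2) …

# Step 1: extract every path_regex from .sops.yaml, one array element per rule
mapfile -t regex_list < <(yq -r '.creation_rules[].path_regex' .sops.yaml)

# Step 2: collect every file whose ./-prefixed path matches one of the regexes
matching_files=()
for regex in "${regex_list[@]}"; do
  # Strip the ^ and $ anchors so the pattern can match inside find's "./" paths
  simplified_regex=${regex#^}
  simplified_regex=${simplified_regex%\$}
  while IFS= read -r -d '' file; do
    matching_files+=("$file")
  done < <(find . -type f -print0 | grep -zE -- "$simplified_regex")
done

if (( ${#matching_files[@]} == 0 )); then
  echo "Error: no files matched any path_regex in .sops.yaml" >&2
  exit 1
fi
mapfile -d '' -t unique_files < <(printf '%s\0' "${matching_files[@]}" | sort -zu)

# Step 3: re-encrypt each file; abort on the first failure so a stale file is never missed silently
for file in "${unique_files[@]}"; do
  echo "Updating keys for: $file"
  sops updatekeys -y "$file" || { echo "Error: sops updatekeys failed for $file" >&2; exit 1; }
done

echo "Finished updating keys."
```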