Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

l l-gen-secrets: refactor, add tinc ed25519 & tor

Browse Source
This commit is contained in:
lassulus 2022-12-27 22:57:16 +01:00
parent 2d9385c0a7
commit ca26d832e7
1 changed files with 64 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
lass/5pkgs/l-gen-secrets/default.nix
View File

@ -1,56 +1,82 @@
{ pkgs }: { pkgs }:
pkgs.writeDashBin "l-gen-secrets" '' pkgs.writers.writeDashBin "l-gen-secrets" ''
HOSTNAME="$1" set -efu
HOSTNAME=$1
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
if [ "''${DRYRUN-n}" = "n" ]; then
trap 'rm -rf $TMPDIR' EXIT
else
echo "$TMPDIR"
set -x
fi
mkdir -p $TMPDIR/out
PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
# ssh
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/wiregrill.key # tor
${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 || :
cat <<EOF > $TMPDIR/hashedPasswords.nix ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv
# tinc
${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc
${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 </dev/null
${pkgs.coreutils}/bin/mv $TMPDIR/tinc/ed25519_key.priv $TMPDIR/out/retiolum.ed25519_key.priv
${pkgs.coreutils}/bin/mv $TMPDIR/tinc/rsa_key.priv $TMPDIR/out/retiolum.rsa_key.priv
# wireguard
${pkgs.wireguard-tools}/bin/wg genkey > $TMPDIR/out/wiregrill.key
${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub
# system passwords
cat <<EOF > $TMPDIR/out/hashedPasswords.nix
{ {
root = "$HASHED_PASSWORD"; root = "$HASHED_PASSWORD";
mainUser = "$HASHED_PASSWORD"; mainUser = "$HASHED_PASSWORD";
} }
EOF EOF
cd $TMPDIR set +f
for x in *; do if [ "''${DRYRUN-n}" = "n" ]; then
${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null cd $TMPDIR/out
done for x in *; do
echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
done
echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null
${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null
fi
set -f
cat <<EOF cat <<EOF
$HOSTNAME = { { r6, w6, ... }:
nets = { {
retiolum = { nets = {
ip4.addr = "10.243.0.changeme"; retiolum = {
ip6.addr = r6 "changeme"; ip4.addr = "10.243.0.changeme";
aliases = [ ip6.addr = r6 "changeme";
"$HOSTNAME.r" aliases = [
]; "$HOSTNAME.r"
tinc.pubkey = ${"''"} ];
$(cat $TMPDIR/retiolum.rsa_key.pub) tinc.pubkey = ${"''"}
${"''"}; $(cat $TMPDIR/tinc/rsa_key.pub | sed 's/^/ /')
}; ${"''"};
wiregrill = { tinc.pubkey_ed25519 = "$(cat $TMPDIR/tinc/ed25519_key.pub | ${pkgs.gnused}/bin/sed 's/.* = //')";
ip6.addr = w6 "changeme"; };
aliases = [ wiregrill = {
"$HOSTNAME.w" ip6.addr = w6 "changeme";
]; aliases = [
wireguard.pubkey = ${"''"} "$HOSTNAME.w"
$(cat $TMPDIR/wiregrill.pub) ];
${"''"}; wireguard.pubkey = ${"''"}
}; $(cat $TMPDIR/wiregrill.pub)
${"''"};
}; };
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
}; };
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
}
EOF EOF
rm -rf $TMPDIR
'' ''