
ftux: move more stuff into bootstrap

master
parent
commit
4b1be5f335
Signed by: govanify GPG Key ID: DE62E1E2A6145556
6 changed files with 61 additions and 74 deletions
  1. BIN
      assets/black_pixel.png
  2. +0
    -9
      assets/clone-pass.sh
  3. +60
    -0
      bootstrap/bootstrap.sh
  4. +1
    -0
      bootstrap/default.nix
  5. +0
    -38
      bootstrap/gen_secrets.sh
  6. +0
    -27
      common/graphical.nix

BIN
assets/black_pixel.png View File

Width: 1  |  Height: 1  |  Size: 86 B

+ 0
- 9
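--- a/assets/clone-pass.sh
+++ b/assets/clone-pass.sh
@@ -1,9 +0,0 @@
-#!/bin/sh
-while [ ! -d ~/.config/pass ]
-do
-git clone git@code.govanify.com:govanify/passwords.git ~/.config/pass
-sleep 5
-done
-echo "git pull --rebase" > ~/.config/pass/.git/hooks/post-commit
-echo "git push" >> ~/.config/pass/.git/hooks/post-commit
-chmod +x ~/.config/pass/.git/hooks/post-commit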

+ 60
- 0
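--- a/bootstrap/bootstrap.sh
+++ b/bootstrap/bootstrap.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+if [ "$#" -ne 2 ]; then
+echo "usage: ./bootstrap.sh hostname username root"
+echo "example: ./bootstrap.sh alastor govanify /mnt"
+exit 1
+fi
+mkdir $3/var/lib/bootloader
+if [ ! -d "$3/var/lib/bootloader" ]; then
+echo "could not create secret path! do you have sufficient rights?"
+exit 1
+fi
+old_gpg_home=$GNUPGHOME
+export GNUPGHOME="$(mktemp -d)"
+script_key="$(mktemp)"
+cat >$script_key <<EOF
+%no-protection
+Key-Type: default
+Subkey-Type: default
+Name-Real: navi bootloader device key
+Name-Email: $1@navi
+Passphrase: ''
+Expire-Date: 0
+EOF
+gpg --batch --generate-key $script_key
+gpg --output $3/var/lib/bootloader/pub.gpg --export $1@navi
+gpg --output $3/var/lib/bootloader/priv.gpg --export-secret-key $1@navi
+rm -rf $script_key
+rm -rf $GNUPGHOME
+export GNUPGHOME=$old_gpg_home
+tmp_password=$(mktemp)
+echo "Please set the password of your bootloader"
+grub-mkpasswd-pbkdf2 | tee $tmp_password
+grep "grub." $tmp_password | sed -r 's/.*grub\./grub\./' > $3/var/lib/bootloader/pass_hash
+rm -rf $tmp_password
+old_gpg_home=$GNUPGHOME
+export GNUPGHOME="$3/home/$2/.config/gnupg"
+find $3/home/$2/.config/gnupg -type f -exec chmod 600 {} \;
+find $3/home/$2/.config/gnupg -type d -exec chmod 700 {} \;
+gpg --import ../secrets/key.gpg
+gpg --import-ownertrust ../secrets/gpg-trust.txt
+mkdir -p $3/home/$2/.local/share/mail/ &> /dev/null
+mkdir -p $3/home/$2/.cache/mutt/ &> /dev/null
+mkdir -p $3/home/$2/.local/share/wineprefixes/ &> /dev/null
+mkdir -p $3/home/$2/.config/gdb &> /dev/null
+mkdir -p $3/home/$2/.local/share/wineprefixes/default &> /dev/null
+touch $3/home/$2/.config/gdb/init &> /dev/null
+git clone git@code.govanify.com:govanify/passwords.git $3/home/$2/.config/pass
+echo "git pull --rebase" > $3/home/$2/.config/pass/.git/hooks/post-commit
+echo "git push" >> $3/home/$2/.config/pass/.git/hooks/post-commit
+chmod +x $3/home/$2/.config/pass/.git/hooks/post-commit
+chown $2 -R $3/home/$2/
+export GNUPGHOME=$old_gpg_home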
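Review bot: The argument guard on the second line, `if [ "$#" -ne 2 ]; then`, rejects the three arguments the usage text right below it asks for (hostname, username, root), so the script exits with the usage message whenever it is invoked as documented, and if someone drops to two arguments `$3` expands empty and the `mkdir`, `find`, `chown -R` and export lines act on the running system's `/var/lib/bootloader` and `/home/$2` rather than the target root; it should read `if [ "$#" -ne 3 ]; then`. The passphrase-less private key written to `$3/var/lib/bootloader/priv.gpg` and the grub hash beside it inherit the caller's umask in a directory created by a bare `mkdir`, so adding `umask 077` before the `mkdir` (or `chmod 700 "$3/var/lib/bootloader"` after the existence check) would restrict them to root the way the gnupg directory is already tightened with `find … chmod 600/700`. Every `$1`/`$2`/`$3`/`$script_key`/`$GNUPGHOME` expansion is unquoted, and `rm -rf $GNUPGHOME` trusts whatever `mktemp -d` returned, so a failed `mktemp` leaves GNUPGHOME empty and gpg generates the device key in the caller's real keyring; quoting the expansions and checking the `mktemp` results would surface that instead. `&> /dev/null` is a bash redirection that `#!/bin/sh` parses as `&` (background) followed by a bare `> /dev/null`, so the `mkdir -p` and `touch` lines run in the background and can race the later `chown $2 -R`; use `>/dev/null 2>&1` or change the shebang to bash. The file has no enclosing function; these are top-level statements.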

+ 1
- 0
bootstrap/default.nix View File

@ -7,5 +7,6 @@ pkgs.mkShell {
gnupg
findutils
coreutils
git
];
}

+ 0
- 38
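--- a/bootstrap/gen_secrets.sh
+++ b/bootstrap/gen_secrets.sh
@@ -1,38 +0,0 @@
-#!/bin/sh
-if [ "$#" -ne 2 ]; then
-echo "usage: ./gen_secrets.sh hostname root"
-echo "example: ./gen_secrets.sh alastor /mnt"
-exit 1
-fi
-mkdir $2/var/lib/bootloader
-if [ ! -d "$2/var/lib/bootloader" ]; then
-echo "could not create secret path! do you have sufficient rights?"
-exit 1
-fi
-old_gpg_home=$GNUPGHOME
-export GNUPGHOME="$(mktemp -d)"
-script_key="$(mktemp)"
-cat >$script_key <<EOF
-%no-protection
-Key-Type: default
-Subkey-Type: default
-Name-Real: navi bootloader device key
-Name-Email: $1@navi
-Passphrase: ''
-Expire-Date: 0
-EOF
-gpg --batch --generate-key $script_key
-gpg --output $2/var/lib/bootloader/pub.gpg --export $1@navi
-gpg --output $2/var/lib/bootloader/priv.gpg --export-secret-key $1@navi
-rm -rf $script_key
-rm -rf $GNUPGHOME
-export GNUPGHOME=$old_gpg_home
-tmp_password=$(mktemp)
-echo "Please set the password of your bootloader"
-grub-mkpasswd-pbkdf2 | tee $tmp_password
-grep "grub." $tmp_password | sed -r 's/.*grub\./grub\./' > $2/var/lib/bootloader/pass_hash
-rm -rf $tmp_password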

+ 0
- 27
common/graphical.nix View File

@ -240,29 +240,6 @@ in
};
};
# the gpg thing should be done in headfull but we need to do that before it
# execs sway because sway obviously never returns
environment.interactiveShellInit = ''
if [ ! -f ~/.config/gnupg/trustdb.gpg ] && [[ $(tty) = /dev/tty1 ]] && [[ "$(whoami)" == "govanify" ]]; then
# let's just put the entire first time setup here
find ~/.config/gnupg -type f -exec chmod 600 {} \;
find ~/.config/gnupg -type d -exec chmod 700 {} \;
gpg --import ~/.config/gnupg/key.gpg
gpg --import-ownertrust ~/.config/gnupg/trust.txt
mkdir -p ~/.local/share/mail/ &> /dev/null
mkdir -p ~/.cache/mutt/ &> /dev/null
mkdir -p ~/.local/share/wineprefixes/ &> /dev/null
mkdir -p ~/.config/gdb &> /dev/null
mkdir -p ~/.local/share/wineprefixes/default &> /dev/null
touch ~/.config/gdb/init &> /dev/null
fi
if [ ! -d ~/.config/pass ] && [[ $(tty) = /dev/tty1 ]]; then
# we try to clone user passwords, network might not be started or
# unreliable yet so we just try to clone until it works
~/.cache/clone-pass.sh &
fi
'';
environment.shellInit = ''
if [[ -z $DISPLAY ]] && [[ "$(whoami)" == "govanify" ]]; then
if ! systemctl is-active --quiet swaywm; then
@ -274,10 +251,6 @@ in
'';
home-manager.users.govanify = {
# initial pass setup
# should i make this global?
home.file.".cache/clone-pass.sh".source = ./../assets/clone-pass.sh;
# QT theme
home.file.".config/qt5ct/qt5ct.conf".source = ./../assets/graphical/qt5ct/qt5ct.conf;
home.file.".config/qt5ct/colors/breeze-dark.conf".source = ./../assets/graphical/qt5ct/breeze-dark.conf;

