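#!/usr/bin/env bash
# Enable strict error handling and logging
# -E: ERR trap is inherited by functions, command substitutions and subshells
#     (without it the ERR handler installed below only fires for top-level commands)
# -e: Exit immediately if a command fails
# -u: Treat unset variables as an error
# -o pipefail: Return value of a pipeline is the value of the last (rightmost) command to exit with a non-zero status
set -Eeuo pipefail
# Send all script output to system logger while maintaining console output.
# logger -s echoes each line to its inherited stderr (the console) as well as to
# syslog, so everything this script prints — progress, errors and any secret it
# echoes — ends up in the system log. Quoted so an unusual $0 cannot be split.
exec 1> >(logger -s -t "$(basename -- "$0")") 2>&1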
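# Error handling function to provide detailed feedback on script failures.
# Arguments: $1 - line number of the failing command (the trap passes ${LINENO})
# Outputs:   the diagnostic on stderr rather than stdout, so it is not mixed
#            into normal progress output (both streams reach the logger redirect)
# Returns:   never; exits the script with status 1
error_handler() {
  local line="${1:-unknown}"
  printf 'Error occurred in script at line: %s\n' "$line" >&2
  exit 1
}
# NOTE: an ERR trap only fires for commands inside functions, command
# substitutions and subshells when `set -E` is in effect; without it those
# failures still abort through `set -e` but skip this handler's message.
trap 'error_handler "${LINENO}"' ERR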
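# Git repository management function.
# Handles both initial clone and updates of existing repository.
# NOTE: this function is shipped into `nix-shell --run` via `declare -f`, so it
# runs in a separate bash that does not inherit this script's `set -e` or ERR
# trap. Every git step is therefore checked explicitly, and the body must not
# call other helpers defined in this file.
# Arguments: $1 - repository URL        (default: the ryanwclark1/nixos-config repo)
#            $2 - local checkout path   (default: /home/administrator/nixos-config)
#            $3 - remote branch to sync (default: main)
# Outputs:   progress messages on stdout
# Returns:   0 on success, 1 on any git failure
manage_git_repo() {
  local repo_url="${1:-https://github.com/ryanwclark1/nixos-config}"
  local repo_path="${2:-/home/administrator/nixos-config}"
  local branch="${3:-main}"
  if [[ -d "$repo_path/.git" ]]; then
    echo "Repository already exists locally. Updating..."
    # `git -C` keeps this shell's cwd untouched. The update is destructive by
    # design: local edits are stashed first (recoverable via `git stash list`),
    # then the checkout is forced to match the remote branch exactly.
    git -C "$repo_path" fetch origin || return 1
    git -C "$repo_path" stash -u || true
    git -C "$repo_path" reset --hard "origin/$branch" || return 1
    git -C "$repo_path" clean -fd || return 1
    echo "Repository successfully updated"
  else
    echo "Cloning fresh repository..."
    git clone "$repo_url" "$repo_path" || return 1
    echo "Repository successfully cloned"
  fi
}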
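# Directory creation function with security settings.
# Creates directories with specific permissions and ownership.
# Arguments: $1 - directory path (created with mkdir -p; must be non-empty)
#            $2 - octal mode applied to the leaf directory (must be non-empty)
#            $3 - owner:group for the leaf directory (default: administrator:users)
# Outputs:   nothing
# Returns:   a failing sudo step aborts the script through set -e / the ERR trap
# NOTE: mode and ownership are applied to the leaf only. Any intermediate
# directories that `sudo mkdir -p` has to create are left owned by root with
# the default umask mode.
create_secure_dir() {
  local dir_path="${1:?create_secure_dir: directory path required}"
  local mode="${2:?create_secure_dir: mode required}"
  local owner="${3:-administrator:users}"
  sudo mkdir -p -- "$dir_path"
  sudo chmod -- "$mode" "$dir_path"
  sudo chown -- "$owner" "$dir_path"
}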
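# Shared implementation for secure_copy_file and secure_copy_system_key below.
# Fetches a file from the remote host with scp into a private mktemp(1)
# directory, sets the requested mode and owner while the file is still
# there, and only then moves it into place. Several call sites pass private
# key material, so the staging directory is unpredictable, owner-only, and
# removed on every exit path of this function (the former fixed
# /tmp/secure_copy_$$ path was guessable and was left behind whenever set -e
# aborted the script between scp and the final rm).
# Arguments: $1 - source path on the remote host
#            $2 - destination path on this host
#            $3 - octal mode for the destination
#            $4 - owner:group for the destination
#            $5 - label used in log messages
# Outputs:   progress messages on stdout
# Returns:   0 on success, 1 on any failure
_secure_copy_remote() {
  local src="${1:?_secure_copy_remote: remote source path required}"
  local dest="${2:?_secure_copy_remote: destination path required}"
  local mode="${3:?_secure_copy_remote: mode required}"
  local owner="${4:?_secure_copy_remote: owner required}"
  local label="${5:-file}"
  # scp source host. The literal is what the page shows; it can be overridden
  # through SECURE_COPY_REMOTE (an environment variable introduced here).
  local remote="${SECURE_COPY_REMOTE:-[email protected]}"
  local temp_dir filename temp_file
  # mktemp -d yields an unpredictable directory; the explicit chmod keeps the
  # 0700 guarantee on implementations with a looser default.
  temp_dir=$(mktemp -d) || {
    echo "Error: could not create staging directory for $src"
    return 1
  }
  chmod 700 "$temp_dir"
  filename=$(basename -- "$dest")
  temp_file="$temp_dir/$filename"
  echo "Copying $label $src to temporary location..."
  # umask 077 inside a subshell so scp creates the staged file owner-only
  # without altering the umask of the rest of the script.
  if ! ( umask 077 && scp "$remote:$src" "$temp_file" ); then
    echo "Error: SCP failed for $src"
    rm -rf -- "${temp_dir:?}"
    return 1
  fi
  echo "Moving $filename to final destination (owner $owner, mode $mode)..."
  # Permissions are fixed while the file is still inside the private staging
  # directory, then the file is moved; it is therefore never visible at $dest
  # with the wrong mode, not even briefly. mv run as root preserves both.
  if ! sudo chmod -- "$mode" "$temp_file" \
     || ! sudo chown -- "$owner" "$temp_file" \
     || ! sudo mv -- "$temp_file" "$dest"; then
    echo "Error: failed to install $src at $dest"
    rm -rf -- "${temp_dir:?}"
    return 1
  fi
  rm -rf -- "${temp_dir:?}"
}
# Function for securely copying user-owned files.
# Uses a private temporary directory to handle permissions properly; the
# destination ends up owned by administrator:users.
# Arguments: $1 - source path on the remote host
#            $2 - destination path on this host
#            $3 - octal mode for the destination
# Returns:   0 on success, 1 on failure
secure_copy_file() {
  _secure_copy_remote "$1" "$2" "$3" "administrator:users" "file"
}
# Function for securely copying system SSH host keys.
# Handles root-owned system files specifically: same staging as
# secure_copy_file, destination owned by root:root.
# Arguments: $1 - source path on the remote host
#            $2 - destination path on this host
#            $3 - octal mode for the destination
# Returns:   0 on success, 1 on failure
secure_copy_system_key() {
  _secure_copy_remote "$1" "$2" "$3" "root:root" "system SSH key"
}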
# Log script start with timestamp
printf 'Starting NixOS configuration setup at %s\n' "$(date)"
# Initialize git repository through nix-shell.
# The function's definition is serialised with `declare -f` into the command
# string so the bash started by nix-shell (with git on PATH) can call it. That
# child shell does not inherit this script's set -e or ERR trap, so the
# function checks its own steps; a non-zero status from it still aborts here.
printf '%s\n' "Setting up git environment and managing repository..."
nix-shell -p git --run "$(declare -f manage_git_repo); manage_git_repo"
# Create necessary directory structure.
# Entries are "path:mode"; create_secure_dir applies administrator:users
# ownership to each leaf directory.
printf '%s\n' "Creating required directories..."
for entry in \
  "/home/administrator/nixos-config/host/frametop:755" \
  "/home/administrator/.ssh:700" \
  "/home/administrator/.config/sops/age:700"; do
  create_secure_dir "${entry%:*}" "${entry##*:}"
done
# Copy and set up security credentials.
# Every credential lives at the same path on the remote host and on this
# host, so each "path:mode" entry is used for both the source and the
# destination argument.
printf '%s\n' "Copying security credentials..."
# User SSH keys (administrator:users); the private key is installed 0600.
for entry in \
  "/home/administrator/.ssh/ssh_host_ed25519_key.pub:644" \
  "/home/administrator/.ssh/ssh_host_ed25519_key:600"; do
  secure_copy_file "${entry%:*}" "${entry%:*}" "${entry##*:}"
done
# System SSH host keys with root ownership
printf '%s\n' "Copying system SSH host keys..."
for entry in \
  "/etc/ssh/ssh_host_ed25519_key:600" \
  "/etc/ssh/ssh_host_ed25519_key.pub:644"; do
  secure_copy_system_key "${entry%:*}" "${entry%:*}" "${entry##*:}"
done
# SOPS age key (private decryption key; user-owned, 0600)
secure_copy_file "/home/administrator/.config/sops/age/keys.txt" \
  "/home/administrator/.config/sops/age/keys.txt" 600
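# Manage system services.
# Deliberately best effort: a failure here only prints a warning instead of
# aborting through set -e, so the rest of the setup still runs.
echo "Managing systemd services..."
for action in stop disable; do
  # Quoted so the unit action is always passed as a single argument.
  sudo systemctl "$action" efi.automount \
    || echo "Warning: Failed to $action efi.automount service"
done
sudo systemctl daemon-reload || echo "Warning: Failed to reload systemd daemon"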
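# Copy and configure hardware configuration
echo "Copying hardware configuration..."
sudo cp -- /etc/nixos/hardware-configuration.nix /home/administrator/nixos-config/host/frametop/hardware-configuration.nix
sudo chown administrator:users /home/administrator/nixos-config/host/frametop/hardware-configuration.nix
# `git add` with an absolute path only works when the current directory is
# already inside the repository, which nothing here guarantees: the `cd` in
# manage_git_repo happened in the nix-shell child, not in this shell. `-C`
# names the repository explicitly so the add works from any cwd.
nix-shell -p git --run "git -C /home/administrator/nixos-config add host/frametop/hardware-configuration.nix"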
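# Create temporary file for build output
BUILD_LOG=$(mktemp)
# Quoted so the path survives even if TMPDIR contains spaces. NOTE: this is
# the script's only EXIT trap; a later `trap ... EXIT` would replace it.
trap 'rm -f -- "$BUILD_LOG"' EXIT
# Rebuild NixOS configuration with output handling.
# Because `pipefail` is set at the top, the `if` reflects nixos-rebuild's
# status rather than tee's.
echo "Rebuilding NixOS configuration..."
if sudo nixos-rebuild test --flake /home/administrator/nixos-config#frametop --verbose --show-trace 2>&1 | tee "$BUILD_LOG"; then
  # The log file is deleted by the EXIT trap, so its path must not be
  # advertised as "saved"; the full output was already streamed through tee
  # to the console/syslog above.
  echo "Configuration build successful."
  echo "Summary of changes:"
  grep -E "^(building|installing|activating)" "$BUILD_LOG" || true
else
  echo "Configuration build failed. Full error log:"
  cat "$BUILD_LOG"
  exit 1
fi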
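# Generate and display password hash.
# This used to hash the literal string "password" and echo the result on
# stdout, which the redirect at the top of the script feeds into syslog. A
# hash of a fixed, public string is not a usable credential, and a real hash
# does not belong in the system log. The secret now comes from
# FRAMETOP_PASSWORD (an environment variable introduced by this revision) or
# is read without echo from the controlling terminal, and the resulting hash
# is written to the terminal only, never to the logged stdout.
echo "Generating password hash..."
setup_password=""
if [[ -n "${FRAMETOP_PASSWORD:-}" ]]; then
  setup_password="$FRAMETOP_PASSWORD"
elif { : </dev/tty; } 2>/dev/null; then
  # Prompt and input go straight to/from the terminal, bypassing the logger.
  IFS= read -rs -p "Password to hash (input hidden): " setup_password </dev/tty 2>/dev/tty \
    || setup_password=""
  printf '\n' >/dev/tty
fi
if [[ -z "$setup_password" ]]; then
  echo "Warning: no password supplied (set FRAMETOP_PASSWORD or run from a terminal); skipping password hash"
else
  # mkpasswd -s reads the password from stdin, so it never appears in argv/ps.
  PASSWORD_HASH=$(printf '%s\n' "$setup_password" | mkpasswd -s) || {
    echo "Error: Failed to generate password hash"
    exit 1
  }
  unset setup_password
  if ! printf 'Password hash: %s\n' "$PASSWORD_HASH" >/dev/tty 2>/dev/null; then
    echo "Password hash generated, but there is no terminal to display it on (it is deliberately not logged)"
  fi
fi
# Log script completion
echo "NixOS configuration setup completed successfully at $(date)"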