feat: add sd flash command and rekey ages
parent 36720e2ba5
commit faf9701a86
11 changed files with 190 additions and 67 deletions
pi/README.md
@ -26,20 +26,25 @@ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
### 1. Flash the SD card
Preferred: one command builds the bootstrap image, writes it to the SD card, and installs the
bootstrap agenix identity onto the boot partition so the full Pi system can come up on first boot:
```sh
nix run .#flash-pi-sd -- /dev/sdX
```
This bootstrap image already includes the normal Noisebell service, Tailscale, and the Pi config.
Manual build if you need it:
```sh
nix build .#nixosConfigurations.bootstrap.config.system.build.sdImage
dd if=result/sd-image/*.img of=/dev/sdX bs=4M status=progress
```
Boot the Pi. It connects to the Noisebridge WiFi automatically and is discoverable via mDNS as `noisebridge-pi.local`.
Boot the Pi. It connects to the Noisebridge WiFi automatically.
### 2. Find the Pi
```sh
ping noisebridge-pi.local
```
### 3. SSH host key
### 2. SSH host key
Grab the key and add it to `secrets/secrets.nix`:
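Review bot: the rewritten step 1 removes the mDNS sentence ("discoverable via mDNS as `noisebridge-pi.local`") and the whole "### 2. Find the Pi" / `ping noisebridge-pi.local` step, yet the renumbered "### 2. SSH host key" still opens with "Grab the key", which presupposes the reader can already reach the Pi over the network; add a sentence saying how the freshly booted Pi is reached now (the later deploy step targets `root@noisebell`, so if that Tailscale hostname is the intended route, name it here). In the manual build block, `dd if=result/sd-image/*.img of=/dev/sdX` assumes an uncompressed image; if the bootstrap configuration leaves the NixOS sd-image module's `sdImage.compressImage` at its default the output is `.img.zst` and the glob matches nothing, so either state that compression is disabled or document the decompress step. Both `nix run .#flash-pi-sd -- /dev/sdX` and the `dd` line overwrite whatever device is named and need root; a line on how to identify the card (for example `lsblk` before and after inserting it) belongs next to the placeholder.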
@ -59,7 +64,7 @@ in
}
```
### 4. Create secrets
### 3. Create secrets
```sh
cd secrets
@ -68,6 +73,29 @@ agenix -e inbound-api-key.age # key the cache uses to poll us
agenix -e tailscale-auth-key.age # tailscale auth key
```
### 4. Bootstrap agenix identity
The Pi uses a dedicated bootstrap age identity stored at `/boot/noisebell-bootstrap.agekey` to
decrypt its runtime secrets, so first boot does not depend on the machine's freshly generated SSH
host key.
To refresh recipients after changing `secrets/secrets.nix`:
```sh
cd secrets
agenix -r
```
If you use `nix run .#flash-pi-sd -- /dev/sdX`, this file is installed automatically.
To install the bootstrap identity manually onto a flashed card before first boot:
```sh
cd secrets
agenix -d bootstrap-identity.age > /boot/noisebell-bootstrap.agekey
chmod 600 /boot/noisebell-bootstrap.agekey
```
### 5. SSH access
Add your public key to `configuration.nix`:
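Review bot: the manual install block writes `agenix -d bootstrap-identity.age > /boot/noisebell-bootstrap.agekey`, but the sentence above it says this is done "onto a flashed card before first boot", i.e. on the flashing host, where `/boot` is the host's own boot directory rather than the card; the path should be the mount point of the card's boot partition (the partition the Pi later sees as `/boot`), otherwise the key lands on the wrong machine and the Pi boots without it. The following `chmod 600` also deserves a caveat: if, as is usual for a Pi sd image, that partition is FAT, it stores no POSIX permission bits, so the chmod is a no-op and the age identity sits in plaintext on removable media, readable by anyone holding the card. The section should say plainly that this identity exists only to get through first boot, and that once step 2 has added the Pi's real SSH host key and `agenix -r` has rekeyed, the bootstrap key should be treated as exposed (rotated, or dropped from the recipient list in `secrets/secrets.nix`) rather than kept as a permanent decryption path. Minor: the redirect creates the file with the shell's default umask before the chmod runs; on a POSIX filesystem `(umask 077; agenix -d bootstrap-identity.age > …)` closes that window.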
@ -80,6 +108,9 @@ users.users.root.openssh.authorizedKeys.keys = [
### 6. Deploy
After first boot, the Pi should already be running the normal service stack from the flashed image.
Use this only for later updates:
```sh
nixos-rebuild switch --flake .#pi --target-host root@noisebell
```
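Review bot: "Use this only for later updates" understates what this step does. Steps 2 to 4 add the Pi's SSH host key to `secrets/secrets.nix` and rekey the `.age` files with `agenix -r`, and the only thing in this README that carries the rekeyed secrets to the Pi is this `nixos-rebuild switch --flake .#pi --target-host root@noisebell`; until it runs, the Pi is still decrypting with the bootstrap identity from the card. Suggest "run this once after completing steps 2 to 4, and again for later updates", and note that `noisebell` here is a different name from the `.#pi` flake output and from the `noisebridge-pi.local` name used earlier, so say which name resolves how.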