jet/noisebridge-wiki
jet/noisebridge-wiki
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: remove default admin
Some checks failed
CI / check (push) Has been cancelled
Details
CI / deploy (push) Has been cancelled
Details

Browse source
This commit is contained in:
Jet 2026-03-25 23:04:45 -07:00
parent b00bd87046
commit 01c0fa76cb
No known key found for this signature in database
2 changed files with 23 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

13
README.md
View file

@ -150,26 +150,27 @@ We haven't fully implemented all the features, but the remaining work is tracked
Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS: Bootstrap a brand new Ubuntu 22.04 DigitalOcean VPS into NixOS:
```sh ```sh
nix run .#bootstrap-host -- [--admin <name>] <main-wiki|replica-wiki> <target-host> [ssh-identity-file] nix run .#bootstrap-host -- --admin <name> <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- [--admin <name>] <main-target-host> <replica-target-host> [ssh-identity-file] nix run .#bootstrap-host -- --admin <name> <main-target-host> <replica-target-host> [ssh-identity-file]
``` ```
Example: Example:
```sh ```sh
nix run .#bootstrap-host -- main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- --admin jet main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap nix run .#bootstrap-host -- --admin jet main-wiki root@203.0.113.10 ~/.ssh/do-bootstrap
nix run .#bootstrap-host -- root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap nix run .#bootstrap-host -- --admin jet root@203.0.113.10 root@203.0.113.11 ~/.ssh/do-bootstrap
``` ```
`--admin <name>` is required. The admin must exist in `siteConfig.adminUsers` in `flake.nix`.
What bootstrap does: What bootstrap does:
- copies a first-boot module to the host - copies a first-boot module to the host
- runs `nixos-infect` on the Ubuntu VPS - runs `nixos-infect` on the Ubuntu VPS
- converts the machine to NixOS with the `jet` admin user - converts the machine to NixOS with the requested admin user
- disables direct root SSH - disables direct root SSH
- fixes the known bad IPv6 routes generated by `nixos-infect` - fixes the known bad IPv6 routes generated by `nixos-infect`
- verifies that `jet` login and `sudo` work and that the host reaches `running` - verifies that the requested admin login and `sudo` work and that the host reaches `running`
What bootstrap is not: What bootstrap is not:

29
scripts/bootstrap-host.sh
View file

@ -3,8 +3,8 @@ set -euo pipefail
usage() { usage() {
cat <<'USAGE' cat <<'USAGE'
Usage: Usage:
nix run .#bootstrap-host -- [--admin <name>] <main-wiki|replica-wiki> <target-host> [ssh-identity-file] nix run .#bootstrap-host -- --admin <name> <main-wiki|replica-wiki> <target-host> [ssh-identity-file]
nix run .#bootstrap-host -- [--admin <name>] <main-target-host> <replica-target-host> [ssh-identity-file] nix run .#bootstrap-host -- --admin <name> <main-target-host> <replica-target-host> [ssh-identity-file]
USAGE USAGE
} }
@ -17,21 +17,23 @@ fi
admin_users_json='@ADMIN_USERS_JSON@' admin_users_json='@ADMIN_USERS_JSON@'
bootstrap_admin="jet" pinned_nix_install_url='https://releases.nixos.org/nix/nix-2.24.14/install'
bootstrap_admin=""
ssh_identity_file="" ssh_identity_file=""
main_target="" main_target=""
replica_target="" replica_target=""
failures=() failures=()
if [ "${1:-}" = "--admin" ]; then if [ "${1:-}" != "--admin" ] || [ "$#" -lt 4 ]; then
if [ "$#" -lt 4 ]; then printf 'Bootstrap requires --admin <name>\n' >&2
usage usage
exit 1 exit 1
fi
bootstrap_admin="$2"
shift 2
fi fi
bootstrap_admin="$2"
shift 2
if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
usage usage
exit 1 exit 1
@ -70,7 +72,7 @@ make_host_module() {
local module_file="$1" local module_file="$1"
local admin_name="$2" local admin_name="$2"
cat > "$module_file" <<'MODULE' cat > "$module_file" <<MODULE
{ ... }: { ... }:
{ {
services.journald.storage = "persistent"; services.journald.storage = "persistent";
@ -97,11 +99,11 @@ make_host_module() {
}; };
}; };
users.users.BOOTSTRAP_ADMIN = { users.users.${admin_name} = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
@ADMIN_KEYS@ $(admin_keys "$admin_name")
]; ];
}; };
@ -110,9 +112,6 @@ make_host_module() {
services.do-agent.enable = false; services.do-agent.enable = false;
} }
MODULE MODULE
sed -i "s/BOOTSTRAP_ADMIN/$admin_name/" "$module_file"
perl -0pi -e 's/\n@ADMIN_KEYS@/\n'"$(admin_keys "$admin_name" | sed 's/[\/&]/\\&/g')"'/g' "$module_file"
} }
run_bootstrap() { run_bootstrap() {
@ -143,7 +142,7 @@ run_bootstrap() {
printf 'Infecting %s onto %s\n' "$host_name" "$target_host" printf 'Infecting %s onto %s\n' "$host_name" "$target_host"
"${ssh_cmd[@]}" "$target_host" \ "${ssh_cmd[@]}" "$target_host" \
'umount /boot/efi 2>/dev/null || true; curl -fsSL https://raw.githubusercontent.com/elitak/nixos-infect/36f48d8feb89ca508261d7390355144fc0048932/nixos-infect | env PROVIDER=digitalocean doNetConf=y NIX_CHANNEL=nixos-24.05 NIXOS_IMPORT=./host-bootstrap.nix bash -x' || true "umount /boot/efi 2>/dev/null || true; curl -fsSL https://raw.githubusercontent.com/elitak/nixos-infect/36f48d8feb89ca508261d7390355144fc0048932/nixos-infect | env NIX_INSTALL_URL='$pinned_nix_install_url' PROVIDER=digitalocean doNetConf=y NIX_CHANNEL=nixos-24.05 NIXOS_IMPORT=./host-bootstrap.nix bash -x" || true
printf 'Waiting for %s to reboot into NixOS\n' "$host_name" printf 'Waiting for %s to reboot into NixOS\n' "$host_name"
for try in $(seq 1 60); do for try in $(seq 1 60); do