Fixed deploy keys and added ssh keys pushed from deploy server

2021-09-22 18:43:23 -07:00 · 2021-09-22 18:43:23 -07:00 · 1041a63ec3
parent 3eef9e04a3
commit 1041a63ec3
6 changed files with 86 additions and 25 deletions
--- a/config/common.nix
+++ b/config/common.nix
@ -1,11 +1,14 @@
 { config, lib, pkgs, ... }:

+with lib;
 # Config common to all hosts, which don't belong anywhere else
 {
  config = let
    home-generator = pkgs.callPackage ../nix-home {};
    host-domain = config.fudo.hosts.${config.instance.hostname}.domain;
  in {
+    nix.nixPath = lib.mkBefore [ "/nix/var/nix/profiles/per-user/$USER/channels" ];
+
    home-manager.users.root = home-generator.generate-config {
      username = "root";
      home-dir = "/root";
--- a/config/host-config/lambda.nix
+++ b/config/host-config/lambda.nix
@ -6,7 +6,10 @@ let
  state-dir = "/state"; # This must be a string!

 in {
-  boot.loader.grub.copyKernels = true;
+  boot = {
+    loader.grub.copyKernels = true;
+    kernelModules = [ "rpcsec_gss_krb5" ];
+  };

  networking = {
    interfaces = {
--- a/config/sites.nix
+++ b/config/sites.nix
@ -11,19 +11,21 @@
      gateway-host = "nostromo";
      deploy-pubkeys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGVez4of30f+j0cWKj5kYCKeFjyNsYvG9UbOMxF5hImD2lP5MSbFBv31gFgHjx3yCG4zQRZlpuyU5uWo0qIwe9N84/LcZcB9WrWKZXDmuof7zPFy0J+Hj+LVLDQI/mVXHNwkMhBMHpPrdwA05EYDAYCYklWT4cSByu10pHtST+olF8i+A+UQgUzgNZzdJVeiYZv6MBDTYsJWptGeDUkl2B0Es3gtbGYcCCfnyS3RC7DIXlDo3NBbAr7WaHY2MBbT+R/+jicn9E3IY3NCM5jENxqmvHy9MDsxEEYgFNm7IDwq4V1VRUWy277YsvRbmEaHb+osOA5u1VNN4z3UftOZcSZgR5C/vR71cENXoPt1YQpCzu7i38ojtvL+tDVEKT7sIovrQw8q1sszNlW2nXh8RSPiIq5TMnrV73MP0egKcr9n3tfxwi1BIkLjvfom/02BkTK9R9v+VMNhYU1YwROhORCiMIgoxUGiUvtH8u38JGr7E0hhMoAjCE5k80WPUivl0="
      ];
      build-servers = {
        nostromo = {
-          max-jobs = 2;
+          max-jobs = 4;
          speed-factor = 2;
        };
        lambda = {
-          max-jobs = 2;
+          max-jobs = 4;
          speed-factor = 2;
        };
      };
      enable-distributed-builds = false;
-      keytab-directory = "/state/secrets/kerberos";
+      keytab-path = "/state/secrets/kerberos";
+      build-key-path = "/state/secrets/build-keys";
      # FIXME: good idea?
      # network-mounts = {
      #   "/mnt/documents" = {
@ -75,6 +77,7 @@
      timezone = "America/Winnipeg";
      deploy-pubkeys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGVez4of30f+j0cWKj5kYCKeFjyNsYvG9UbOMxF5hImD2lP5MSbFBv31gFgHjx3yCG4zQRZlpuyU5uWo0qIwe9N84/LcZcB9WrWKZXDmuof7zPFy0J+Hj+LVLDQI/mVXHNwkMhBMHpPrdwA05EYDAYCYklWT4cSByu10pHtST+olF8i+A+UQgUzgNZzdJVeiYZv6MBDTYsJWptGeDUkl2B0Es3gtbGYcCCfnyS3RC7DIXlDo3NBbAr7WaHY2MBbT+R/+jicn9E3IY3NCM5jENxqmvHy9MDsxEEYgFNm7IDwq4V1VRUWy277YsvRbmEaHb+osOA5u1VNN4z3UftOZcSZgR5C/vR71cENXoPt1YQpCzu7i38ojtvL+tDVEKT7sIovrQw8q1sszNlW2nXh8RSPiIq5TMnrV73MP0egKcr9n3tfxwi1BIkLjvfom/02BkTK9R9v+VMNhYU1YwROhORCiMIgoxUGiUvtH8u38JGr7E0hhMoAjCE5k80WPUivl0="
      ];
      keytab-directory = "/state/secrets/kerberos";
    };
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@ -2,6 +2,8 @@

 with lib;
 let
+  mapOptional = f: val: if (val != null) then (f val) else null;
+
  hostOpts = { hostname, ... }: {
    options = with types; {
      domain = mkOption {
@ -183,14 +185,6 @@ in {
      #defaultGateway = site.gateway-v4;
      #defaultGateway6 = site.gateway-v6;

-      # Necessary to ensure that Kerberos and Avahi both work. Kerberos needs
-      # the fqdn of the host, whereas Avahi wants just the simple hostname.`
-      # hosts = {
-      #   "127.0.0.2" = mkForce [ "${hostname}.${domain-name}" "${hostname}" ];
-      #   "127.0.0.1" = mkForce [ "${hostname}.${domain-name}" "${hostname}" ];
-      #   "::1" = mkForce [ "${hostname}.${domain-name}" "${hostname}" ];
-      # };
-
      firewall = {
        enable = (length host-cfg.external-interfaces) > 0;
        allowedTCPPorts = [ 22 ];
@ -214,6 +208,11 @@ in {
      mode = "0444";
    };

+    fudo.hosts.${hostname}.build-pubkeys =
+      map builtins.readFile
+        (map (build-key-path: "${build-key-path}/${hostname}.key.pub")
+          (optional (site.build-key-path != null) site.build-key-path));
+
    nix = mkIf
      (has-build-servers && has-build-keys && site.enable-distributed-builds) {
        buildMachines = mapAttrsToList (hostname: buildOpts: {
@ -221,6 +220,7 @@ in {
          maxJobs = buildOpts.max-jobs;
          speedFactor = buildOpts.speed-factor;
          supportedFeatures = buildOpts.supported-features;
+          sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file;
        }) site.build-servers;
        distributedBuilds = true;
      };
@ -242,18 +242,30 @@ in {

    boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;

-    fudo.secrets.host-secrets.${hostname}.host-keytab = let
-      mapOptional = f: val: if (val != null) then (f val) else null;
-      keytab-file = mapOptional (keytab-path:
-        if (pathExists keytab-path) then
-          /. + builtins.toPath keytab-path
-        else
-          null) (mapOptional (keytab-dir: "${keytab-dir}/${hostname}.keytab")
-            site.keytab-directory);
-    in mkIf (keytab-file != null) {
-      source-file = /. + builtins.toPath keytab-file;
-      target-file = "/etc/krb5.keytab";
-      user = "root";
+    fudo.secrets.host-secrets.${hostname} = {
+      host-keytab = let
+        keytab-file = mapOptional (keytab-path:
+          if (pathExists keytab-path) then
+            /. + builtins.toPath keytab-path
+          else
+            null) (mapOptional (keytab-dir: "${keytab-dir}/${hostname}.keytab")
+              site.keytab-path);
+      in mkIf (keytab-file != null) {
+        source-file = /. + builtins.toPath keytab-file;
+        target-file = "/etc/krb5.keytab";
+        user = "root";
+      };
+
+      build-private-key = let
+        build-key-file = mapOptional
+          (build-key-file: if (pathExists build-key-file) then (/. + builtins.toPath build-key-file) else null)
+          (mapOptional (build-key-path: "${build-key-path}/${hostname}.key")
+            site.build-key-path);
+      in mkIf (build-key-file != null) {
+        source-file = build-key-file;
+        target-file = "/var/run/nix-build/host.key";
+        user = "root";
+      };
    };

    programs.adb.enable = host-cfg.android-dev;
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@ -140,7 +140,7 @@ let
        default = [ ];
      };

-      keytab-directory = mkOption {
+      keytab-path = mkOption {
        type = nullOr str;
        description = ''
          Directory containing site keytabs (files named $hostname.keytab).
@ -149,6 +149,16 @@ let
        '';
        default = null;
      };
+
+      build-key-path = mkOption {
+        type = nullOr str;
+        description = ''
+          Directory containing host build keys (files named $hostname.key).
+
+          Should exist only on build host.
+        '';
+        default = null;
+      };
    };
  };

--- a/lib/fudo/users.nix
+++ b/lib/fudo/users.nix
@ -94,6 +94,26 @@ let
        description = "List of Kerberos principals that map to this user.";
        default = [ ];
      };
+
+      ssh-keys = mkOption {
+        type = nullOr (submodule sshKeyOpts);
+        description = "Path to the user's public and private key files.";
+        default = null;
+      };
+    };
+  };
+
+  sshKeyOpts = { ... }: {
+    options = with types; {
+      private-key = mkOption {
+        type = str;
+        description = "Path to the user's private key.";
+      };
+
+      public-key = mkOption {
+        type = str;
+        description = "Path to the user's public key.";
+      };
    };
  };

@ -211,6 +231,16 @@ in {
      }) config.fudo.system-users;
    };

+    programs.ssh.extraConfig = mkAfter ''
+      IdentityFile %h/.ssh/id_rsa
+      IdentityFile /etc/ssh/private_keys.d/%u.key
+    '';
+
+    environment.etc = let
+      privkey-users = filterAttrs (username: userOpts: userOpts.ssh-keys != null) sys.local-users;
+    in mapAttrs' (username: userOpts:
+      nameValuePair "ssh/private_keys.bd/${username}.key" userOpts.ssh-keys.private-key) privkey-users;
+
    users = {
      users = mapAttrs (username: userOpts: {
        isNormalUser = true;