From 3dc5986134345b4e8329948c325deb5e49193bde Mon Sep 17 00:00:00 2001 From: niten Date: Wed, 29 Sep 2021 17:55:13 -0700 Subject: [PATCH] Initial, broken --- config/hardware/atom.nix | 2 - config/hardware/clunk.nix | 2 - config/hardware/france.nix | 8 --- config/hardware/lambda.nix | 2 - config/hardware/limina.nix | 2 - config/hardware/nostromo.nix | 2 - config/hardware/plato.nix | 2 - config/hardware/procul.nix | 2 - config/hardware/socrates.nix | 2 - config/hardware/spark.nix | 4 -- config/hardware/system3.nix | 2 - config/hardware/zbox.nix | 2 - config/host-config/france.nix | 1 + config/hosts/atom.nix | 1 + config/hosts/clunk.nix | 1 + config/hosts/france.nix | 2 + config/hosts/lambda.nix | 1 + config/hosts/limina.nix | 1 + config/hosts/nostromo.nix | 1 + config/hosts/plato.nix | 1 + config/hosts/procul.nix | 1 + config/hosts/socrates.nix | 1 + config/hosts/spark.nix | 1 + config/hosts/system3.nix | 1 + config/hosts/zbox.nix | 1 + config/profile-config/common.nix | 6 +-- flake.lock | 92 ++++++++++++++++++++++++++++++++ flake.nix | 33 ++++++++---- initialize.nix | 8 +-- lib/default.nix | 2 + lib/fudo/deploy.nix | 14 +++++ lib/fudo/distributed-builds.nix | 47 ++++++++++++++++ lib/fudo/hosts.nix | 61 +++++++++------------ lib/fudo/local-network.nix | 9 +++- lib/fudo/sites.nix | 7 +-- lib/fudo/ssh.nix | 64 ++++++++++++++++++++++ lib/hosts.nix | 2 +- lib/system.nix | 6 ++- 38 files changed, 302 insertions(+), 95 deletions(-) create mode 100644 lib/fudo/deploy.nix create mode 100644 lib/fudo/distributed-builds.nix create mode 100644 lib/fudo/ssh.nix diff --git a/config/hardware/atom.nix b/config/hardware/atom.nix index 4ea87f8..7c857ac 100644 --- a/config/hardware/atom.nix +++ b/config/hardware/atom.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - system.stateVersion = "20.03"; boot = { diff --git a/config/hardware/clunk.nix b/config/hardware/clunk.nix index 685b213..cde8ff4 100644 --- a/config/hardware/clunk.nix +++ b/config/hardware/clunk.nix 
@@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - boot = { initrd = { availableKernelModules = diff --git a/config/hardware/france.nix b/config/hardware/france.nix index 4297626..db0d7bb 100644 --- a/config/hardware/france.nix +++ b/config/hardware/france.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - boot = { initrd = { availableKernelModules = @@ -21,12 +19,6 @@ }; }; - boot.initrd.availableKernelModules = - [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "floppy" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - fileSystems = { "/boot" = { device = "/dev/disk/by-label/france-boot"; diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix index fb1fa8e..3e924bb 100644 --- a/config/hardware/lambda.nix +++ b/config/hardware/lambda.nix @@ -4,8 +4,6 @@ with lib; let in { - imports = [ ]; - system.stateVersion = "21.05"; boot = { diff --git a/config/hardware/limina.nix b/config/hardware/limina.nix index 5c3c47b..4830684 100644 --- a/config/hardware/limina.nix +++ b/config/hardware/limina.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: with lib; { - imports = [ ]; - system.stateVersion = "20.09"; boot = { diff --git a/config/hardware/nostromo.nix b/config/hardware/nostromo.nix index c5e4691..f5313fb 100644 --- a/config/hardware/nostromo.nix +++ b/config/hardware/nostromo.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - boot = { initrd = { availableKernelModules = [ diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix index 42391fe..eae363f 100644 --- a/config/hardware/plato.nix +++ b/config/hardware/plato.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: with lib; { - imports = [ ]; - boot = { initrd = { availableKernelModules = diff --git a/config/hardware/procul.nix b/config/hardware/procul.nix index f136dcd..f7f58e4 100644 --- a/config/hardware/procul.nix +++ b/config/hardware/procul.nix 
@@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - boot = { initrd.availableKernelModules = [ "uhci_hcd" diff --git a/config/hardware/socrates.nix b/config/hardware/socrates.nix index 2ca7ca5..15d7e5e 100644 --- a/config/hardware/socrates.nix +++ b/config/hardware/socrates.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - config = { boot = { diff --git a/config/hardware/spark.nix b/config/hardware/spark.nix index 024b4ee..d302722 100644 --- a/config/hardware/spark.nix +++ b/config/hardware/spark.nix @@ -1,10 +1,6 @@ { config, lib, pkgs, ... }: { - imports = - [ - ]; - system.stateVersion = "20.03"; boot = { diff --git a/config/hardware/system3.nix b/config/hardware/system3.nix index 5ec2e71..e2928d9 100644 --- a/config/hardware/system3.nix +++ b/config/hardware/system3.nix @@ -4,8 +4,6 @@ with lib; let in { - imports = [ ]; - system.stateVersion = "21.05"; boot = { diff --git a/config/hardware/zbox.nix b/config/hardware/zbox.nix index 6ea5506..c65b4e7 100644 --- a/config/hardware/zbox.nix +++ b/config/hardware/zbox.nix @@ -1,8 +1,6 @@ { config, lib, pkgs, ... }: { - imports = [ ]; - boot = { loader = { systemd-boot.enable = true; diff --git a/config/host-config/france.nix b/config/host-config/france.nix index f4fe89a..aef4184 100644 --- a/config/host-config/france.nix +++ b/config/host-config/france.nix @@ -2,6 +2,7 @@ let primary-ip = "208.81.3.117"; + git-server-ip = "208.81.3.118"; hostname = config.instance.hostname; domain-name = config.fudo.hosts.${hostname}.domain; domain = config.fudo.domains.${domain-name}; diff --git a/config/hosts/atom.nix b/config/hosts/atom.nix index 3e7b457..79e6843 100644 --- a/config/hosts/atom.nix +++ b/config/hosts/atom.nix @@ -7,4 +7,5 @@ site = "seattle"; profile = "laptop"; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/clunk.nix b/config/hosts/clunk.nix index b12ea44..bc2c133 100644 --- a/config/hosts/clunk.nix +++ b/config/hosts/clunk.nix 
@@ -15,4 +15,5 @@ ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5"; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/france.nix b/config/hosts/france.nix index 3375ebf..f05b3ee 100644 --- a/config/hosts/france.nix +++ b/config/hosts/france.nix @@ -15,4 +15,6 @@ ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn"; arch = "x86_64-linux"; + # Just to stop this evaluating for now + nixos-system = false; } diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix index 0631187..323dfbb 100644 --- a/config/hosts/lambda.nix +++ b/config/hosts/lambda.nix @@ -16,4 +16,5 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+"; enable-gui = false; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix index 393ee8a..f02dbf7 100644 --- a/config/hosts/limina.nix +++ b/config/hosts/limina.nix @@ -15,4 +15,5 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI"; tmp-on-tmpfs = false; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/nostromo.nix b/config/hosts/nostromo.nix index 086312a..be8e5f8 100644 --- a/config/hosts/nostromo.nix +++ b/config/hosts/nostromo.nix @@ -15,4 +15,5 @@ ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb"; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix index 103ae06..a8cef82 100644 --- a/config/hosts/plato.nix +++ b/config/hosts/plato.nix @@ -18,4 +18,5 @@ ]; tmp-on-tmpfs = false; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/procul.nix b/config/hosts/procul.nix index 8ac0a10..3fa96ed 100644 --- a/config/hosts/procul.nix +++ b/config/hosts/procul.nix @@ -17,4 +17,5 @@ tmp-on-tmpfs = false; enable-gui = false; arch = "x86_64-linux"; + nixos-system = true; } 
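Review bot: `nixos-system = false` drops france from `nixosConfigurations` (flake.nix in this patch filters hosts on `hostOpts.nixos-system`), so the host's configuration silently stops being evaluated and any regression in it only surfaces when the flag is flipped back; the comment should record why and what restores it, e.g. `# TODO: disabled until <reason>; this host is not evaluated at all while false`. Nothing in this patch declares `nixos-system` in the `fudo.hosts` submodule (hosts.nix), so if these same attrsets are also fed to the module system the new attribute is an undeclared option; declaring it there with `type = bool; default = true;` would also remove the need to add `nixos-system = true;` to every other host file.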
diff --git a/config/hosts/socrates.nix b/config/hosts/socrates.nix index 8de2bb5..754d449 100644 --- a/config/hosts/socrates.nix +++ b/config/hosts/socrates.nix @@ -15,4 +15,5 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab"; tmp-on-tmpfs = false; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix index 00e8cca..c0aab5e 100644 --- a/config/hosts/spark.nix +++ b/config/hosts/spark.nix @@ -16,4 +16,5 @@ site = "seattle"; android-dev = true; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/system3.nix b/config/hosts/system3.nix index d9cc059..e8d86cd 100644 --- a/config/hosts/system3.nix +++ b/config/hosts/system3.nix @@ -16,4 +16,5 @@ site = "seattle"; android-dev = true; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix index 6ddacd7..95c69d2 100644 --- a/config/hosts/zbox.nix +++ b/config/hosts/zbox.nix @@ -16,4 +16,5 @@ site = "seattle"; android-dev = true; arch = "x86_64-linux"; + nixos-system = true; } diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix index 795a61c..fca97ee 100644 --- a/config/profile-config/common.nix +++ b/config/profile-config/common.nix @@ -33,13 +33,9 @@ in { ''; }; - # TODO: remove? - nixpkgs.config.permittedInsecurePackages = [ - "openssh-with-gssapi-8.4p1" # CVE-2021-28041 - ]; - nixpkgs.config.allowUnfree = true; security.acme.acceptTerms = true; + hardware.enableRedistributableFirmware = true; krb5 = { enable = true; diff --git a/flake.lock b/flake.lock index 45dc8df..13bdafd 100644 --- a/flake.lock +++ b/flake.lock 
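Review bot: The `nixpkgs.config.allowUnfree = true` that survives this hunk has no effect: initialize.nix in this patch sets `nixpkgs.pkgs = pkgs`, and NixOS documents `nixpkgs.config` as ignored when `nixpkgs.pkgs` is set, so the effective `allowUnfree` and `permittedInsecurePackages` are the ones passed to `import nixpkgs` in flake.nix. Dropping the CVE-2021-28041 allowance here is the right direction, but flake.nix still carries a `permittedInsecurePackages = [` list whose entries fall outside the shown hunks; confirm `openssh-with-gssapi-8.4p1` is not still listed there, otherwise the allowance has only moved. A one-line comment, `# nixpkgs config lives in flake.nix (nixpkgs.pkgs is set); settings here are ignored`, would stop the next person re-adding it.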
@@ -1,5 +1,60 @@ { "nodes": { + "backplane-passwords": { + "flake": false, + "locked": { + "narHash": "sha256-Bf5sVg4oSg6uCKMJl21btfBH4NQI/Wz4SU9j130Shyg=", + "path": "./backplane-passwords", + "type": "path" + }, + "original": { + "path": "./backplane-passwords", + "type": "path" + } + }, + "build-keypairs": { + "flake": false, + "locked": { + "narHash": "sha256-4eRLRLCzZ6kQIRZqy51bj60jhFSQ/wlKLeNgABPhTyw=", + "path": "./build-keypairs", + "type": "path" + }, + "original": { + "path": "./build-keypairs", + "type": "path" + } + }, + "filesystem-keys": { + "flake": false, + "locked": { + "narHash": "sha256-K2wdsA4vcNTaLR9A9qxB+aMaeANL0LXOwBWvUm63lX0=", + "path": "./filesystem-keys", + "type": "path" + }, + "original": { + "path": "./filesystem-keys", + "type": "path" + } + }, + "fudo-secrets": { + "inputs": { + "backplane-passwords": "backplane-passwords", + "build-keypairs": "build-keypairs", + "filesystem-keys": "filesystem-keys", + "host-keytabs": "host-keytabs", + "service-passwords": "service-passwords", + "ssh-keypairs": "ssh-keypairs" + }, + "locked": { + "narHash": "sha256-i3c+gzSJO/YckvPXsncOYdrrBoq5WvoHeaB/X2lWr3I=", + "path": "/state/secrets", + "type": "path" + }, + "original": { + "path": "/state/secrets", + "type": "path" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -21,6 +76,18 @@ "type": "github" } }, + "host-keytabs": { + "flake": false, + "locked": { + "narHash": "sha256-yvGgY3mgzaGjYBNHr0m4Lg2rxrB0+CRlzWdJ2A06MeM=", + "path": "./kerberos/host-keytabs", + "type": "path" + }, + "original": { + "path": "./kerberos/host-keytabs", + "type": "path" + } + }, "nixpkgs": { "locked": { "lastModified": 1632291606, 
@@ -38,9 +105,34 @@ }, "root": { "inputs": { + "fudo-secrets": "fudo-secrets", "home-manager": "home-manager", "nixpkgs": "nixpkgs" } + }, + "service-passwords": { + "flake": false, + "locked": { + "narHash": "sha256-JPMZdokzw+vyWoIKwgDhD60BYi5gch/MfgQyvx5AXZA=", + "path": "./service-passwords", + "type": "path" + }, + "original": { + "path": "./service-passwords", + "type": "path" + } + }, + "ssh-keypairs": { + "flake": false, + "locked": { + "narHash": "sha256-fD2ZTNMc399XtlVWLCU4crC0RZZ8yTZPFzEm9VWjiL8=", + "path": "./ssh-keypairs", + "type": "path" + }, + "original": { + "path": "./ssh-keypairs", + "type": "path" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 7b86fc5..4d90a7d 100644 --- a/flake.nix +++ b/flake.nix @@ -3,17 +3,27 @@ inputs = { nixpkgs.url = "nixpkgs/nixos-21.05"; + home-manager.url = "github:nix-community/home-manager/release-21.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + fudo-secrets.url = "path:/state/secrets"; }; - outputs = { self, nixpkgs, home-manager, ... }: { + outputs = { self, nixpkgs, home-manager, fudo-secrets, ... }: { nixosConfigurations = let - hostlib = import ./lib/hosts.nix { lib = nixpkgs.lib; }; - hosts = hostlib.base-host-config ./config/hosts; - in nixpkgs.lib.mapAttrs (hostname: hostOpts: let + lib = nixpkgs.lib; + + hostlib = import ./lib/hosts.nix { inherit lib; }; + + hosts = lib.filterAttrs (hostname: hostOpts: + hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts); + + build-timestamp = self.sourceInfo.lastModified; + in lib.mapAttrs (hostname: hostOpts: let pkgs = import nixpkgs { + system = hostOpts.arch; config = { allowUnfree = true; permittedInsecurePackages = [ 
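Review bot: `fudo-secrets.url = "path:/state/secrets"` makes the secrets tree a flake input, and flake inputs are copied into the Nix store, so every keytab, build key, SSH host private key and password under /state/secrets ends up world-readable under /nix/store on the evaluating machine and on any host that later substitutes or receives those paths. The lock entries added for this input pin a `narHash` against the `path`, so rotating any secret without `nix flake update` fails evaluation with a hash mismatch, and evaluation is no longer hermetic across machines. Keep only encrypted material in the store and decrypt at activation, or deploy the plaintext files out of band and reference them by absolute path, and document the boundary next to the input: `# NOTE: flake inputs are copied into the world-readable store; never point this at plaintext secrets`. The `permittedInsecurePackages = [` list that closes this hunk continues past what is shown here.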
@@ -24,10 +34,15 @@ (import ./fudo-pkgs/overlay.nix) ]; }; - in import ./initialize.nix { - inherit hostname pkgs; - home-manager-module = import "${home-manager}/nixos"; - include-secrets = true; - }) hosts; + in lib.nixosSystem { + system = hostOpts.arch; + + modules = [ + "${home-manager}/nixos" + (import ./initialize.nix { + inherit hostname pkgs build-timestamp fudo-secrets; + }) + ]; + }) hosts; }; } diff --git a/initialize.nix b/initialize.nix index cfec1ff..8dc6590 100644 --- a/initialize.nix +++ b/initialize.nix @@ -1,4 +1,4 @@ -{ hostname, home-manager-module, pkgs, include-secrets ? true, ... }: +{ hostname, pkgs, build-timestamp, fudo-secrets ? null, ... }: let # Get info on this host so we know what to load @@ -9,7 +9,7 @@ in { ./lib ./config - home-manager-module + #home-manager-module (./. + "/config/hardware/${hostname}.nix") (./. + "/config/host-config/${hostname}.nix") @@ -19,10 +19,12 @@ in { ]; config = { + fudo.local-network.timestamp = build-timestamp; + instance = { hostname = hostname; }; nixpkgs.pkgs = pkgs; - fudo.secrets.enable = include-secrets; + fudo.secrets.enable = fudo-secrets != null; }; } diff --git a/lib/default.nix b/lib/default.nix index 97c9f3f..ace0f0b 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -11,6 +11,7 @@ with lib; { ./fudo/backplane ./fudo/chat.nix ./fudo/client/dns.nix + ./fudo/distributed-builds.nix ./fudo/dns.nix ./fudo/domains.nix ./fudo/garbage-collector.nix @@ -35,6 +36,7 @@ with lib; { ./fudo/secure-dns-proxy.nix ./fudo/sites.nix ./fudo/slynk.nix + ./fudo/ssh.nix ./fudo/system.nix ./fudo/system-networking.nix ./fudo/users.nix diff --git a/lib/fudo/deploy.nix b/lib/fudo/deploy.nix new file mode 100644 index 0000000..6cf795d --- /dev/null +++ b/lib/fudo/deploy.nix 
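Review bot: `fudo.secrets.enable = fudo-secrets != null;` is the only use of the new `fudo-secrets` argument; the input's contents are never handed to the module system, yet hosts.nix and ssh.nix in this same patch read `config.fudo.secrets.files.host-keytabs`, `.build-keypairs` and `.host-ssh-keypairs`. Unless an existing module already populates `fudo.secrets.files` from `/state/secrets` on its own, those reads will fail or be empty; pass the input's path into whichever option populates `fudo.secrets.files` and say so here, e.g. `# fudo-secrets is the flake input; it only toggles the module unless its path is wired into fudo.secrets`. The signature also drops `home-manager-module` while the `imports` hunk leaves `#home-manager-module` commented out; delete the line rather than commenting it, since the module is now supplied from flake.nix.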
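Review bot: The import list gains `./fudo/distributed-builds.nix` and `./fudo/ssh.nix` but not the new `./fudo/deploy.nix`, while sites.nix in this patch removes the `root.openssh.authorizedKeys.keys = … site-cfg.deploy-pubkeys` definition that deploy.nix is meant to replace. The net effect is that no host installs the site's deploy keys after this change, which locks deployment out quietly rather than failing at evaluation. Add `./fudo/deploy.nix` to the list (between `./fudo/client/dns.nix` and `./fudo/distributed-builds.nix` to keep the alphabetical order).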
@@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + sys = callPackage ./system.nix {}; + + site-cfg = config.fudo.sites.${sys.local-site}; + +in { + config = { + users.usersroot.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkeys != null) + site-cfg.deploy-pubkeys; + }; +} diff --git a/lib/fudo/distributed-builds.nix b/lib/fudo/distributed-builds.nix new file mode 100644 index 0000000..84d7004 --- /dev/null +++ b/lib/fudo/distributed-builds.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + sys = callPackage ../system.nix {}; + + site-cfg = config.fudo.sites.${sys.local-site}; + + has-build-servers = (length (attrNames site-cfg.build-servers)) > 0; + + build-keypair = config.fudo.secrets.host-secrets.${hostname}.build-keypair; + + enable-distributed-builds = + site-cfg.enable-distributed-builds && has-build-servers && build-keypair != null; + + local-build-cfg = + mkIf (hasKey site-cfg.build-servers hostname) + site-cfg.build-servers.hostname; + +in { + config = { + nix = mkIf enable-distributed-builds { + buildMachines = mapAttrsToList (hostname: buildOpts: { + hostName = "${hostname}.${domain-name}"; + maxJobs = buildOpts.max-jobs; + speedFactor = buildOpts.speed-factor; + supportedFeatures = buildOpts.supportedFeatures; + sshKey = build-keypair.private-key; + sshUser = buildOpts.user; + }) site-cfg.build-servers; + distributedBuilds = true; + + trustedUsers = mkIf (local-build-cfg != null) [ + local-build-host.build-user + ]; + }; + + users.users = mkIf (local-build-cfg != null) { + ${local-build-cfg.build-user} = { + isSystemUser = true; + openssh.authorizedKeys.keyFiles = + foldr (a: b: a ++ b) [] + mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts; + }; + }; + }; +} diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix index b27b6c0..748ed77 100644 --- a/lib/fudo/hosts.nix +++ b/lib/fudo/hosts.nix 
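Review bot: `users.usersroot.openssh.authorizedKeys.keys` is a typo for `users.users.root.openssh.authorizedKeys.keys`; as written it is an undeclared option and the module fails to evaluate, and because this is the line that grants root SSH access to the deploy keys, the failure mode is lost access rather than a runtime error. `callPackage` is also not in `lib` — it is `pkgs.callPackage`, which would inject `pkgs.config` (the nixpkgs config) as `config` rather than the NixOS config that system.nix needs for `fudo.hosts`/`fudo.sites` — and `./system.nix` resolves to `lib/fudo/system.nix`, a different file from the `../system.nix` that distributed-builds.nix loads. `sys = import ../system.nix { inherit config lib; };` is the form that works for both modules. Since this file writes to root's authorized_keys, a header comment naming that, `# Installs the site's deploy-pubkeys as root's SSH authorized keys`, is worth adding.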
@@ -39,8 +39,7 @@ let }; profile = mkOption { - # FIXME: get this list from profiles directly - type = listof (enum "desktop" "laptop" "server"); + type = listOf (enumOf (attrNames config.fudo.profiles)); description = "The profile to be applied to the host, determining what software is included."; }; @@ -109,11 +108,11 @@ let default = [ "ssh" "host" ]; }; - ssh-pubkey = mkOption { - type = nullOr str; + ssh-pubkeys = mkOption { + type = listOf str; description = - "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key."; - default = null; + "SSH keys of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key."; + default = []; }; build-pubkeys = mkOption { 
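Review bot: `enumOf` is not a `lib.types` constructor, so `listOf (enumOf (attrNames config.fudo.profiles))` fails to evaluate; the constructor is `enum`, i.e. `type = listOf (enum (attrNames config.fudo.profiles));`. Deriving the enum from `config.fudo.profiles` also makes the `fudo.hosts` option type depend on config, which recurses infinitely if any profile module reads `config.fudo.hosts`; worth confirming before the old literal list goes. The option block this sits in opens before the hunk.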
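Review bot: The option is renamed to `ssh-pubkeys` with a list type, but the host files touched by this same patch (clunk, france, lambda, limina, nostromo, socrates) still set `ssh-pubkey = "ssh-ed25519 …"`. If those attrsets are evaluated against the `fudo.hosts` submodule the old name is an undeclared option and evaluation aborts; if they are only read as plain attrsets the keys are silently dropped, and a client that previously pinned the host key falls back to trust-on-first-use. Either update the host files to `ssh-pubkeys = [ "ssh-ed25519 …" ];` or keep `ssh-pubkey` as a deprecated alias that feeds the list. Note also that ssh.nix in this patch assigns `map (keypair: keypair.public-key) keypairs` to this option; if `public-key` is a file rather than a key string, the value needs `readFile` (or the type needs to become `listOf path`) to satisfy `listOf str`.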
@@ -207,22 +206,22 @@ in { mode = "0444"; }; - fudo.hosts.${hostname}.build-pubkeys = - map builtins.readFile - (map (build-key-path: "${build-key-path}/${hostname}.key.pub") - (optional (site.build-key-path != null) site.build-key-path)); + # fudo.hosts.${hostname}.build-pubkeys = + # map builtins.readFile + # (map (build-key-path: "${build-key-path}/${hostname}.key.pub") + # (optional (site.build-key-path != null) site.build-key-path)); - nix = mkIf - (has-build-servers && has-build-keys && site.enable-distributed-builds) { - buildMachines = mapAttrsToList (hostname: buildOpts: { - hostName = "${hostname}.${domain-name}"; - maxJobs = buildOpts.max-jobs; - speedFactor = buildOpts.speed-factor; - supportedFeatures = buildOpts.supported-features; - sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file; - }) site.build-servers; - distributedBuilds = true; - }; + # nix = mkIf + # (has-build-servers && has-build-keys && site.enable-distributed-builds) { + # buildMachines = mapAttrsToList (hostname: buildOpts: { + # hostName = "${hostname}.${domain-name}"; + # maxJobs = buildOpts.max-jobs; + # speedFactor = buildOpts.speed-factor; + # supportedFeatures = buildOpts.supported-features; + # sshKey = config.fudo.secrets.host-secrets.${hostname}.build-private-key.target-file; + # }) site.build-servers; + # distributedBuilds = true; + # }; time.timeZone = site.timezone; 
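Review bot: Commenting out `fudo.hosts.${hostname}.build-pubkeys = …` leaves nothing visible in this patch that repopulates `build-pubkeys`, yet sites.nix (`concatMap (hostOpts: hostOpts.build-pubkeys)`) and the new distributed-builds.nix still read it to authorize build clients, so build servers will accept no keys at all after this change; ssh.nix populates `ssh-pubkeys` and `ssh-fingerprints`, not this option. The commented-out `nix.buildMachines` block should be deleted rather than kept: its replacement lives in distributed-builds.nix and the dead copy already disagrees with it (this one uses `build-private-key.target-file`, the new module uses the source key), so it will only mislead. Git history retains the old version.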
@@ -242,26 +241,14 @@ in { boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs; fudo.secrets.host-secrets.${hostname} = { - host-keytab = let - keytab-file = mapOptional (keytab-path: - if (pathExists keytab-path) then - /. + builtins.toPath keytab-path - else - null) (mapOptional (keytab-dir: "${keytab-dir}/${hostname}.keytab") - site.keytab-path); - in mkIf (keytab-file != null) { - source-file = /. + builtins.toPath keytab-file; + host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) { + source-file = fudo.secrets.files.host-keytabs.${hostname}; target-file = "/etc/krb5.keytab"; user = "root"; }; - build-private-key = let - build-key-file = mapOptional - (build-key-file: if (pathExists build-key-file) then (/. + builtins.toPath build-key-file) else null) - (mapOptional (build-key-path: "${build-key-path}/${hostname}.key") - site.build-key-path); - in mkIf (build-key-file != null) { - source-file = build-key-file; + build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) { + source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key; target-file = "/var/run/nix-build/host.key"; user = "root"; }; diff --git a/lib/fudo/local-network.nix b/lib/fudo/local-network.nix index 0de269c..2c58b01 100644 --- a/lib/fudo/local-network.nix +++ b/lib/fudo/local-network.nix @@ -83,6 +83,11 @@ in { description = "Definition of network to be served by local server."; default = { }; }; + + timestamp = mkOption { + type = int; + description = "Timestamp of build, to be used as a serial."; + }; }; config = mkIf cfg.enable { @@ -144,7 +149,7 @@ in { $TTL 1h @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. ( - ${toString builtins.currentTime} + ${toString cfg.timestamp} 1800 900 604800 @@ -201,7 +206,7 @@ in { name = cfg.domain; file = pkgs.writeText "${cfg.domain}-zone" '' @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. ( - ${toString builtins.currentTime} + ${toString cfg.timestamp} 5m 2m 6w 
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix index 2f895c8..7efa4a1 100644 --- a/lib/fudo/sites.nix +++ b/lib/fudo/sites.nix @@ -108,7 +108,7 @@ let dropbear-ssh-port = mkOption { type = port; - description = "Port to be used for the deploy SSH server."; + description = "Port to be used for the backup SSH server."; default = 2112; }; @@ -206,16 +206,13 @@ in { config = { users.users = { - root.openssh.authorizedKeys.keys = - mkIf (site-cfg.deploy-pubkeys != null) site-cfg.deploy-pubkeys; - ${site-cfg.build-user} = mkIf (any (build-host: build-host == config.instance.hostname) (attrNames site-cfg.build-servers)) { isSystemUser = true; openssh.authorizedKeys.keys = concatMap (hostOpts: hostOpts.build-pubkeys) - (attrValues site-hosts); + (attrValues site-hosts); shell = pkgs.bash; }; }; diff --git a/lib/fudo/ssh.nix b/lib/fudo/ssh.nix new file mode 100644 index 0000000..9ce050b --- /dev/null +++ b/lib/fudo/ssh.nix 
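Review bot: After this hunk the build account is defined here as `users.users.${site-cfg.build-user}` with `authorizedKeys.keys = concatMap (hostOpts: hostOpts.build-pubkeys) …` and again in the new distributed-builds.nix as `${local-build-cfg.build-user}` with `authorizedKeys.keyFiles`, so the same user has two sources of truth that already disagree on key format and will drift further; keep one definition, and decide whether the site-level `build-user` or the per-server one owns the name. `isSystemUser = true` without a `group` will, I believe, also trip the assertion newer NixOS releases add for system users; declaring `group = site-cfg.build-user;` together with a `users.groups` entry avoids it either way.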
@@ -0,0 +1,64 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + hostname = config.fudo.instance.hostname; + has-attrs = set: length (attrNames set) > 0; + host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname}; + + sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record"; + + dns-sshfp-records = host: keypair: let + filename = sshfp-filename host keypair; + in mkDerivation { + buildInputs = with pkgs; [ openssh ]; + + buildPhase = '' + ssh-keygen -r REMOVEME -f ${keypair.public-key} | sed 's/^REMOVEME IN SSHFP //' > $(unknown) + ''; + + installPhase = '' + mv $(unknown) $out/$(unknown) + ''; + }; + +in { + config = { + fudo = { + secrets.host-secrets.${hostname} = mkIf (host-keypairs != []) + map (keypair: { + "host-${keypair.key-type}-private-key" = { + source-file = keypair.private-key; + target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key"; + user = "root"; + }; + }); + + hosts = mapAttrs (hostname: keypairs: { + ssh-pubkeys = map (keypair: keypair.public-key) keypairs; + ssh-fingerprints = map (keypair: + let + fingerprint-derivation = dns-sshfp-records hostname keypair.public-key; + filename = sshfp-filename hostname keypair; + in builtins.readFile "${fingerprint-derivation}/$(unknown)") keypairs; + } config.fudo.secrets.files.host-ssh-keypairs); + + + }; + + services.openssh.hostKeys = mkIf (host-keypairs != []) + (map (keypair: { + path = "/var/run/ssh/private/host-${keypair.key-type}-private-key"; + type = keypair.key-type; + }) host-keypairs); + + programs.ssh.knownHosts = mapAttrs (hostname: keypairs: { + publicKeyFile = keypairs.public-key; + hostNames = let + host-cfg = config.fudo.hosts.${hostname}; + domains = [host-cfg.domain] ++ host-cfg.extra-domains; + in [ hostname ] ++ + (map (domain: "${hostname}.${domain}") domains); + }); + }; +} diff --git a/lib/hosts.nix b/lib/hosts.nix index 88e3389..da4ca03 100644 --- a/lib/hosts.nix +++ b/lib/hosts.nix 
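Review bot: `programs.ssh.knownHosts = mapAttrs (hostname: keypairs: { publicKeyFile = keypairs.public-key; … })` is never given its attrset argument and indexes `keypairs` as a single keypair, while the rest of the file treats it as a list (`host-keypairs != []`, `map (keypair: …) host-keypairs`); with several key types per host, knownHosts needs one entry per key type or clients will pin only one of them. The same confusion hits `secrets.host-secrets.${hostname} = mkIf (…) map (keypair: { … })`, an unapplied `map` yielding a list where the option wants an attrset (`listToAttrs` over the keypairs fixes it), and `dns-sshfp-records hostname keypair.public-key` passes a path where the function reads `keypair.key-type` and `keypair.public-key`. `hostname = config.fudo.instance.hostname` does not match the `config.instance.hostname` that initialize.nix sets and sites.nix reads, and `mkDerivation` is not in `lib`; the derivation also has no `name` or `src` and never creates `$out` before `mv`, so `pkgs.runCommand` with `mkdir -p $out` is the simpler form. Separately, these host private keys come from the secrets flake input, i.e. from the world-readable store, and `/var/run/ssh/private/…` is tmpfs, so the secrets module must recreate them before sshd starts on every boot or sshd's preStart will generate fresh keys at any configured path that is missing. A knownHosts block that keys on host and key type:
```nix
# One knownHosts entry per (host, key type); hostnames as before.
programs.ssh.knownHosts = listToAttrs (concatLists (mapAttrsToList (host: keypairs:
  map (keypair: nameValuePair "${host}-${keypair.key-type}" {
    publicKeyFile = keypair.public-key;
    hostNames = let
      host-cfg = config.fudo.hosts.${host};
      domains = [ host-cfg.domain ] ++ host-cfg.extra-domains;
    in [ host ] ++ (map (domain: "${host}.${domain}") domains);
  }) keypairs) config.fudo.secrets.files.host-ssh-keypairs));
```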
@@ -11,6 +11,6 @@ with lib; host-files = attrNames (filterAttrs is-nix-file (filterAttrs is-regular-file (builtins.readDir host-path))); hosts = map hostname-from-file host-files; - load-host-file = hostname: import (./. + "/hosts/${hostname}.nix"); + load-host-file = hostname: import (host-path + "/${hostname}.nix"); in genAttrs hosts (hostname: load-host-file hostname); } diff --git a/lib/system.nix b/lib/system.nix index af09310..6da9a79 100644 --- a/lib/system.nix +++ b/lib/system.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ config, lib, ... }: with lib; let @@ -24,6 +24,9 @@ let getAttrs (host-group-list ++ domain-group-list ++ site-group-list) config.fudo.groups; + local-hosts = + filterAttrs (host: hostOpts: hostOpts.site == local-site) config.fudo.hosts; + in { local-host = local-host; local-domain = local-domain; @@ -31,4 +34,5 @@ in { local-users = local-users; local-admins = local-admins; local-groups = local-groups; + local-hosts = local-hosts; }