Use primary SSH server for deploy...but use a backup ssh server too.

2021-04-10 10:43:40 -07:00 · 2021-04-10 10:43:40 -07:00 · 43e11861d1
parent 1d89667433
commit 43e11861d1
3 changed files with 32 additions and 29 deletions
--- a/config/host-config/plato.nix
+++ b/config/host-config/plato.nix
@ -14,7 +14,7 @@ in {
        source = "/state/etc/plato.keytab";
        user = "root";
        group = "root";
-        mode = "0400";
+        mode = "0600";
      };
    };

--- a/config/sites.nix
+++ b/config/sites.nix
@ -9,7 +9,8 @@
      dynamic-network = "10.0.1.0/24";
      timezone = "America/Los_Angeles";
      gateway-host = "nostromo";
-      deploy-pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs=";
+      deploy-pubkey =
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=";
      # FIXME: good idea?
      # network-mounts = {
      #   "/mnt/documents" = {
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@ -84,6 +84,8 @@ let
        default = null;
      };

+      enable-ssh-backdoor = mkEnableOption "Enable a backup SSH server in case of failures of the primary.";
+
      dropbear-rsa-key-path = mkOption {
        type = str;
        description = "Location of Dropbear RSA key.";
@ -96,7 +98,7 @@ let
        default = "/etc/dropbear/host_ecdsa_key";
      };

-      dropbear-deploy-port = mkOption {
+      dropbear-port = mkOption {
        type = port;
        description = "Port to be used for the deploy SSH server.";
        default = 2112;
@ -111,15 +113,15 @@ in {
    default = { };
  };

-  config = mkIf (site-cfg.deploy-pubkey != null) {
-    environment.etc."dropbear/authorized_keys" = {
-      text = "${site-cfg.deploy-pubkey} root@deploy";
-      mode = "0400";
-    };
+  config = {
+    users.users.root.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkey != null) [
+      site-cfg.deploy-pubkey
+    ];

-    networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ];
+    networking.firewall.allowedTCPPorts = mkIf site-cfg.enable-ssh-backdoor
+      [ site-cfg.dropbear-deploy-port ];

-    systemd = {
+    systemd = mkIf site-cfg.enable-ssh-backdoor {
      sockets = {
        dropbear-deploy = {
          wantedBy = [ "sockets.target" ];
@ -127,40 +129,40 @@ in {
            ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}";
            Accept = true;
          };
-          unitConfig = {
-            restartIfChanged = true;
-          };
+          unitConfig = { restartIfChanged = true; };
        };
      };
-      
+
      services = {
        dropbear-deploy-init = {
          wantedBy = [ "multi-user.target" ];
          script = ''
-          if [ ! -d /etc/dropbear ]; then
-            mkdir /etc/dropbear
-            chmod 700 /etc/dropbear
-          fi
+            if [ ! -d /etc/dropbear ]; then
+              mkdir /etc/dropbear
+              chmod 700 /etc/dropbear
+            fi

-          if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then
-            ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path}
-            ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path}
-          fi
+            if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then
+              ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path}
+              ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path}
+            fi

-          if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then
-            ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path}
-            ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path}
-          fi
-        '';
+            if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then
+              ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path}
+              ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path}
+            fi
+          '';
        };

        "dropbear-deploy@" = {
-          description = "Per-connection service for deployment, using dropbear.";
+          description =
+            "Per-connection service for deployment, using dropbear.";
          requires = [ "dropbear-deploy-init.service" ];
          after = [ "network.target" ];
          serviceConfig = {
            Type = "simple";
-            ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}";
+            ExecStart =
+              "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}";
            ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
            StandardInput = "socket";
          };