From 43e11861d1b862fa71782b89c7fd6426da7d996a Mon Sep 17 00:00:00 2001 From: Root Date: Sat, 10 Apr 2021 10:43:40 -0700 Subject: [PATCH] Use primary SSH server for deploy...but use a backup ssh server too. --- config/host-config/plato.nix | 2 +- config/sites.nix | 3 +- lib/fudo/sites.nix | 56 +++++++++++++++++++----------------- 3 files changed, 32 insertions(+), 29 deletions(-) diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix index b2691d6..11bca26 100644 --- a/config/host-config/plato.nix +++ b/config/host-config/plato.nix @@ -14,7 +14,7 @@ in { source = "/state/etc/plato.keytab"; user = "root"; group = "root"; - mode = "0400"; + mode = "0600"; }; }; diff --git a/config/sites.nix b/config/sites.nix index 212d7e5..1ee6c56 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -9,7 +9,8 @@ dynamic-network = "10.0.1.0/24"; timezone = "America/Los_Angeles"; gateway-host = "nostromo"; - deploy-pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="; + deploy-pubkey = + "ssh-rsa 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"; # FIXME: good idea? # network-mounts = { # "/mnt/documents" = { diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix index f3dcbdc..7a052af 100644 --- a/lib/fudo/sites.nix +++ b/lib/fudo/sites.nix 
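Review bot: The keytab file mode on the changed `mode` line is widened from 0400 to 0600 without the reason being recorded in the hunk or in the commit message, which only talks about the SSH servers. Root can replace a 0400 file regardless, so the change presumably matters only to a consumer that refuses to open a keytab it cannot write to; a short comment such as `mode = "0600"; # <consumer> needs the keytab writable by root` would stop the next reader from tightening it back to 0400. The enclosing attribute set starts and ends outside the hunk.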
@@ -84,6 +84,8 @@ let default = null; }; + enable-ssh-backdoor = mkEnableOption "Enable a backup SSH server in case of failures of the primary."; + dropbear-rsa-key-path = mkOption { type = str; description = "Location of Dropbear RSA key."; @@ -96,7 +98,7 @@ let default = "/etc/dropbear/host_ecdsa_key"; }; - dropbear-deploy-port = mkOption { + dropbear-port = mkOption { type = port; description = "Port to be used for the deploy SSH server."; default = 2112; @@ -111,15 +113,15 @@ in { default = { }; }; - config = mkIf (site-cfg.deploy-pubkey != null) { - environment.etc."dropbear/authorized_keys" = { - text = "${site-cfg.deploy-pubkey} root@deploy"; - mode = "0400"; - }; + config = { + users.users.root.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkey != null) [ + site-cfg.deploy-pubkey + ]; - networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ]; + networking.firewall.allowedTCPPorts = mkIf site-cfg.enable-ssh-backdoor + [ site-cfg.dropbear-deploy-port ]; - systemd = { + systemd = mkIf site-cfg.enable-ssh-backdoor { sockets = { dropbear-deploy = { wantedBy = [ "sockets.target" ]; 
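Review bot: `mkEnableOption` builds its description as "Whether to enable <text>.", so the string on the added `enable-ssh-backdoor` line renders in the generated option docs as "Whether to enable Enable a backup SSH server in case of failures of the primary..". Pass a noun phrase without a trailing period instead, e.g. `enable-ssh-backdoor = mkEnableOption "a backup Dropbear SSH listener that stays reachable if the primary sshd fails";`. The name itself is also worth a second look: "backdoor" denotes an unauthorised access path, whereas what is configured here is a second key-only listener on its own port, so a name along the lines of `enable-backup-ssh` would read more accurately to anyone auditing the option set. The option set this belongs to starts before the hunk.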
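Review bot: The option is renamed to `dropbear-port` on the added line, but the use sites still read `site-cfg.dropbear-deploy-port`: the new `networking.firewall.allowedTCPPorts` line in the @@ -111 hunk and the unchanged `ListenStream` line in the @@ -127 hunk. Because `mkIf` bodies are evaluated lazily, this will most likely not fail for the default configuration and only surface as an "attribute 'dropbear-deploy-port' missing" error once `enable-ssh-backdoor` is turned on. Either keep the old option name or update both uses, `[ site-cfg.dropbear-port ]` and `"0.0.0.0:${toString site-cfg.dropbear-port}"`. The `config` attribute set those lines belong to continues past the hunk.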
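Review bot: The deploy key moves from `environment.etc."dropbear/authorized_keys"` to `users.users.root.openssh.authorizedKeys.keys`, which NixOS materialises under `/etc/ssh/authorized_keys.d/` for sshd; Dropbear looks up keys in the target account's `~/.ssh/authorized_keys`, so as far as I can tell the backup listener this commit keeps for primary failures would accept no key at all once the old file is gone (whether dropbear ever consulted the old `/etc/dropbear` path is also unclear). If the fallback is meant to work, the key must also land where dropbear reads it, for instance by having `dropbear-deploy-init` write it to root's `.ssh/authorized_keys` with the same restrictive permissions the script already applies to its key directory. Key-based root login on the primary sshd additionally depends on `services.openssh.permitRootLogin` allowing at least key authentication, which is not visible in this hunk and deserves a comment next to the new `authorizedKeys` line. The `config` set continues past the hunk.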
@@ -127,40 +129,40 @@ in { ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}"; Accept = true; }; - unitConfig = { - restartIfChanged = true; - }; + unitConfig = { restartIfChanged = true; }; }; }; - + services = { dropbear-deploy-init = { wantedBy = [ "multi-user.target" ]; script = '' - if [ ! -d /etc/dropbear ]; then - mkdir /etc/dropbear - chmod 700 /etc/dropbear - fi + if [ ! -d /etc/dropbear ]; then + mkdir /etc/dropbear + chmod 700 /etc/dropbear + fi - if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then - ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path} - ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path} - fi + if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then + ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path} + ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path} + fi - if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then - ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path} - ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path} - fi - ''; + if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then + ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path} + ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path} + fi + ''; }; "dropbear-deploy@" = { - description = "Per-connection service for deployment, using dropbear."; + description = + "Per-connection service for deployment, using dropbear."; requires = [ "dropbear-deploy-init.service" ]; after = [ "network.target" ]; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; + ExecStart = + "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"; StandardInput = "socket"; };