nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Various minor fixes

Browse Source
This commit is contained in:
niten 2021-09-29 18:44:33 -07:00
parent 3dc5986134
commit 4df4d2e7db
5 changed files with 43 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
flake.lock generated
View File

@ -46,7 +46,7 @@
"ssh-keypairs": "ssh-keypairs" "ssh-keypairs": "ssh-keypairs"
}, },
"locked": { "locked": {
"narHash": "sha256-i3c+gzSJO/YckvPXsncOYdrrBoq5WvoHeaB/X2lWr3I=", "narHash": "sha256-fCEml2rFMgJboI7EN0QQLsAYSKdKegnu23IwRK5GBdE=",
"path": "/state/secrets", "path": "/state/secrets",
"type": "path" "type": "path"
}, },
@ -90,11 +90,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1632291606, "lastModified": 1632918953,
"narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=", "narHash": "sha256-XY3TKBfhP7wCu/SeqrwIkTWkyYHy5W1yRR8pxyzRY9Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "83413f47809790e4ca012e314e7782adeae36cf2", "rev": "ee90403e147b181300dffca5b0afa405e14f1945",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
flake.nix
View File

@ -38,6 +38,7 @@
system = hostOpts.arch; system = hostOpts.arch;
modules = [ modules = [
fudo-secrets.nixosModule
"${home-manager}/nixos" "${home-manager}/nixos"
(import ./initialize.nix { (import ./initialize.nix {
inherit hostname pkgs build-timestamp fudo-secrets; inherit hostname pkgs build-timestamp fudo-secrets;

20
lib/fudo/hosts.nix
View File

@ -240,15 +240,25 @@ in {
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs; boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
fudo.secrets.host-secrets.${hostname} = { fudo.secrets.host-secrets.${hostname} = let
host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) { keytab-file =
source-file = fudo.secrets.files.host-keytabs.${hostname}; if (hasAttr hostname config.fudo.secrets.files.host-keytabs) then
config.fudo.secrets.files.host-keytabs.${hostname}
else null;
build-private-key-file =
if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then
config.fudo.secrets.files.build-keypairs.${hostname}
else null;
in {
host-keytab = mkIf (keytab-file != null) {
source-file = keytab-file;
target-file = "/etc/krb5.keytab"; target-file = "/etc/krb5.keytab";
user = "root"; user = "root";
}; };
build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) { build-private-key = mkIf (build-private-key-file != null) {
source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key; source-file = build-private-key-file;
target-file = "/var/run/nix-build/host.key"; target-file = "/var/run/nix-build/host.key";
user = "root"; user = "root";
}; };

7
lib/fudo/sites.nix
View File

@ -124,6 +124,7 @@ let
my-build-host = { my-build-host = {
port = 22; port = 22;
systems = [ "i686-linux" "x86_64-linux" ]; systems = [ "i686-linux" "x86_64-linux" ];
build-user = "my-builder";
}; };
}; };
}; };
@ -194,6 +195,12 @@ let
description = "List of features supported by this server."; description = "List of features supported by this server.";
default = [ ]; default = [ ];
}; };
build-user = mkOption {
type = str;
description = "User as which to run distributed builds.";
default = "site-builder";
};
}; };
}; };

25
lib/fudo/ssh.nix
View File

@ -2,9 +2,13 @@
with lib; with lib;
let let
hostname = config.fudo.instance.hostname; hostname = config.instance.hostname;
has-attrs = set: length (attrNames set) > 0; has-attrs = set: length (attrNames set) > 0;
host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname}; host-keypairs =
if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then
config.fudo.secrets.files.host-ssh-keypairs.${hostname}
else [];
sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record"; sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";
@ -25,14 +29,14 @@ let
in { in {
config = { config = {
fudo = { fudo = {
secrets.host-secrets.${hostname} = mkIf (host-keypairs != []) secrets.host-secrets.${hostname} = listToAttrs
map (keypair: { (map
"host-${keypair.key-type}-private-key" = { (keypair: nameValuePair "host-${keypair.key-type}-private-key" {
source-file = keypair.private-key; source-file = keypair.private-key;
target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key"; target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
user = "root"; user = "root";
}; })
}); host-keypairs);
hosts = mapAttrs (hostname: keypairs: { hosts = mapAttrs (hostname: keypairs: {
ssh-pubkeys = map (keypair: keypair.public-key) keypairs; ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
@ -41,16 +45,15 @@ in {
fingerprint-derivation = dns-sshfp-records hostname keypair.public-key; fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
filename = sshfp-filename hostname keypair; filename = sshfp-filename hostname keypair;
in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs; in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;
} config.fudo.secrets.files.host-ssh-keypairs); }) config.fudo.secrets.files.host-ssh-keypairs;
}; };
services.openssh.hostKeys = mkIf (host-keypairs != []) services.openssh.hostKeys = map (keypair: {
(map (keypair: {
path = "/var/run/ssh/private/host-${keypair.key-type}-private-key"; path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
type = keypair.key-type; type = keypair.key-type;
}) host-keypairs); }) host-keypairs;
programs.ssh.knownHosts = mapAttrs (hostname: keypairs: { programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
publicKeyFile = keypairs.public-key; publicKeyFile = keypairs.public-key;