From 51546ec7fd306b1c621c7ccb25959b6777a1f2a8 Mon Sep 17 00:00:00 2001
From: niten
Date: Fri, 15 Oct 2021 12:57:48 -0700
Subject: [PATCH] Fiiiine, I'll just use a local fuckin file.
---
 config/hosts/lambda.nix | 2 +-
 config/hosts/limina.nix | 2 +-
 config/hosts/nostromo.nix | 2 +-
 config/hosts/plato.nix | 2 +-
 config/hosts/socrates.nix | 8 +++-
 config/hosts/spark.nix | 2 +-
 config/hosts/system3.nix | 2 +-
 config/hosts/zbox.nix | 2 +-
 lib/fudo/initrd-network.nix | 75 +++++++++++++++----------------
 lib/fudo/secrets.nix | 6 +--
 lib/types/host.nix | 38 ++++++++++---------
 11 files changed, 67 insertions(+), 74 deletions(-)
diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix
index 6ebf1a2..265afea 100644
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@@ -22,5 +22,5 @@
 arch = "x86_64-linux";
 nixos-system = true;
 machine-id = "c031cda2e88a4cedb3b22f41f9042646";
- initrd-ip = "10.0.5.11";
+ # initrd-ip = "10.0.5.11";
 }
diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix
index a37f078..950662f 100644
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@@ -21,5 +21,5 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA44EqP6HHjIPBFuxKvi2oZc1sNU+N4pNMtlS89KWuDm";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.1";
+ # initrd-ip = "10.0.5.1";
 }
diff --git a/config/hosts/nostromo.nix b/config/hosts/nostromo.nix
index 2dd9d1e..fb1cda0 100644
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@@ -21,5 +21,5 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODtNR4b43ZJgyGo9Hc+CmC4+bzgxbsVYI9fhDqjyRSo";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.10";
+ # initrd-ip = "10.0.5.10";
 }
diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix
index 6b5d9ff..e6c0ded 100644
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@@ -24,5 +24,5 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgAzn6gyG1ze7L1WLU84poPGcoUntqfvgn+/s3bxhR2";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.11";
+ # initrd-ip = "10.0.5.11";
 }
diff --git a/config/hosts/socrates.nix b/config/hosts/socrates.nix
index 8577343..49374f0 100644
--- a/config/hosts/socrates.nix
+++ b/config/hosts/socrates.nix
@@ -21,5 +21,11 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmJJFbAV8P1V1LSZr56GJ5ul3LBgdapbh+MK3ixTsxf";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.10";
+ initrd-network = {
+ ip = "10.0.5.10";
+ keypair = {
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLsxECiR4kqvUutMFkOTkIC8nsKK++aQ7HYiWjLdKdb";
+ private-key-file = "/state/ssh/initrd/ssh_ed25519_key";
+ };
+ };
 }
diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix
index df17627..395202b 100644
--- a/config/hosts/spark.nix
+++ b/config/hosts/spark.nix
@@ -22,5 +22,5 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGs8MfR3d6f1Llqk5dn/ypODUT1Oi4SQGof/YvOPNf14";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.108";
+ # initrd-ip = "10.0.5.108";
 }
diff --git a/config/hosts/system3.nix b/config/hosts/system3.nix
index 8eb00b4..f11363d 100644
--- a/config/hosts/system3.nix
+++ b/config/hosts/system3.nix
@@ -22,5 +22,5 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaF5T7Pb613C31BJVj74WYx4Pytj/lmH+PqjkqoNNkQ";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.111";
+ # initrd-ip = "10.0.5.111";
 }
diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix
index 3486ed2..e0066e5 100644
--- a/config/hosts/zbox.nix
+++ b/config/hosts/zbox.nix
@@ -22,5 +22,5 @@
 public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsn68vDKV4jnBuICSDX/2Gpnshbrz0r9t4lXIke1vqh";
 key-path = "/state/master-key/key";
 };
- initrd-ip = "10.0.5.110";
+ # initrd-ip = "10.0.5.110";
 }
diff --git a/lib/fudo/initrd-network.nix b/lib/fudo/initrd-network.nix
index 6de2e4b..457b675 100644
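Review bot: The new `keypair.public-key` string is what the SSHFP DNS records get generated from, while the initrd loads `private-key-file`, and nothing in this commit ties the two together; a public key pasted from a different key would publish an SSHFP record that does not match the initrd host key, and clients that verify host keys through DNS would reject the recovery host. Suggest a comment on the `keypair` attribute: `# public-key must be the .pub of private-key-file; the SSHFP record is derived from it`. Keeping the private key as a plain host path, rather than a Nix path, is presumably what keeps it out of the Nix store; a short note saying so next to `private-key-file` would stop a later cleanup from turning it into a store path.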
--- a/lib/fudo/initrd-network.nix
+++ b/lib/fudo/initrd-network.nix
@@ -3,49 +3,29 @@
 with lib;
 let
 hostname = config.instance.hostname;
- host-cfg = config.fudo.hosts.${hostname};
- ip = host-cfg.initrd-ip;
+ initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;
- key-type = "ed25519";
-
- key-filename = "ssh_host_${key-type}_key";
-
- gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
- name = "${hostname}-initrd-ssh-keys";
+ gen-sshfp-records = hostname: pubkey: let
+ pubkey-file = wirteTextFile {
+ name = "${hostname}-initrd-ssh-pubkey";
+ text = pubkey;
+ };
+ in pkgs.stdenv.mkDerivation {
+ name = "${hostname}-initrd-ssh-firngerprint";
 phases = [ "installPhase" ];
- buildInputs = with pkgs; [ openssh ];
-
 installPhase = ''
 mkdir $out
- ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key
+ ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${hostname}-initrd-ssh-pubkey.sshfp
 '';
 };
- gen-sshfp-records = host: key-pkg: pkgs.stdenv.mkDerivation {
- name = "${hostname}-initrd-ssh-fingerprints";
-
- phases = [ "installPhase" ];
-
- buildInputs = with pkgs; [ openssh ];
-
- installPhase = ''
- mkdir $out
- ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
- '';
- };
-
- host-keys = genAttrs (attrNames config.instance.local-hosts)
- (hostname: gen-host-keys hostname);
-
 in {
- config = mkIf (ip != null) {
- boot = let
- hostname = config.instance.hostname;
- in {
+ config = mkIf (initrd-cfg != null) {
+ boot = {
 kernelParams = [
- "ip=${ip}"
+n "ip=${initrd-cfg.ip}"
 ];
 initrd = {
 network = {
@@ -60,7 +40,7 @@ in {
 port = 22;
 authorizedKeys = admin-ssh-keys;
 hostKeys = [
- "/var/run/ssh/${key-filename}"
+ initrd-cfg.keypair.private-key-file
 ];
 };
 };
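Review bot: `gen-sshfp-records` cannot build as written: `wirteTextFile` is a typo for `pkgs.writeTextFile`, and `buildInputs = with pkgs; [ openssh ];` was dropped from the derivation while `installPhase` still calls `ssh-keygen`, so evaluation fails on an unbound name and, once that is fixed, the build fails on a missing program. The derivation name also reads `firngerprint`. The added kernelParams line appears as `n "ip=${initrd-cfg.ip}"`; if that stray `n` is really in the file it is an undefined variable inside the list and the line should read `"ip=${initrd-cfg.ip}"`. On the positive side the derivation now only ever sees the public key, so nothing secret lands in the store; a one-line comment on `gen-sshfp-records` saying that is deliberate would keep a later edit from moving the private key back in. The `let` block and the `boot.initrd.network` attribute set both continue past this hunk.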
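Review bot: `hostKeys = [ initrd-cfg.keypair.private-key-file ]` hands the initrd a host-side path as a string, and the reason that is safe is easy to lose: a string is presumably read when the initrd is assembled, whereas a Nix path value interpolated here would copy the private key into the world-readable Nix store. Suggest `# plain string on purpose: a Nix path value would put the private key in /nix/store` above the list. The key still ends up inside the initrd image on the boot partition, so it should be a key dedicated to the initrd rather than the system's sshd host key; whether the bootloader keeps that image out of the store depends on initrd-secrets support, which this hunk does not show. The enclosing `boot.initrd.network.ssh` block starts outside the hunk.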
@@ -68,21 +48,24 @@ in {
 };
 fudo = {
- secrets.host-secrets = mapAttrs
- (hostname: key-pkg: {
- initrd-ssh-host-key = {
- source-file = "${key-pkg}/${key-filename}";
- target-file = "/var/run/ssh/${key-filename}";
- user = "root";
- };
- })
- host-keys;
+ ## Sigh...this doesn't work because the file isn't available soon enough
+ ## during activation.
+ #
+ # secrets.host-secrets = mapAttrs
+ # (hostname: key-pkg: {
+ # initrd-ssh-host-key = {
+ # source-file = "${key-pkg}/${key-filename}";
+ # target-file = "/var/run/ssh/${key-filename}";
+ # user = "root";
+ # };
+ # })
+ # host-keys;
 local-network = {
 network-definition.hosts = mapAttrs' (hostname: hostOpts:
 nameValuePair "${hostname}-recovery" {
- ipv4-address = config.fudo.hosts.${hostname}.initrd-ip;
+ ipv4-address = hostOpts.initrd-network-config.ip;
 description = "${hostname} initrd host";
 })
 config.instance.local-hosts;
@@ -90,8 +73,10 @@ in {
 extra-records = mapAttrs
 (hostname: key-pkg: let
- sshfp-pkg = gen-sshfp-records hostname key-pkg;
- sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
+ sshfp-pkg =
+ gen-sshfp-records
+ hostname hostOpts.initrd-network-config.keypair.public-key;
+ sshfps = read-lines "${sshfp-pkg}/${hostname}-initrd-ssh-pubkey.sshfp";
 in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps)
 host-keys;
 };
diff --git a/lib/fudo/secrets.nix b/lib/fudo/secrets.nix
index 32db550..35c80bb 100644
--- a/lib/fudo/secrets.nix
+++ b/lib/fudo/secrets.nix
@@ -32,7 +32,7 @@ let
 secret-service = target-host: secret-name: { source-file, target-file, user, group, permissions }: {
 description = "decrypt secret ${secret-name} for ${target-host}.";
- wantedBy = [ "multi-user.target" ];
+ wantedBy = [ "default.target" ];
 serviceConfig = {
 Type = "oneshot";
 ExecStartPre = pkgs.writeShellScript
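Review bot: `hostOpts.initrd-network-config.ip` reads an attribute that does not exist: the option declared in `lib/types/host.nix` in this same commit is `initrd-network` (`initrd-network-config` is only the submodule's local name), and the same wrong path is used in the `extra-records` hunk below. Since `initrd-network` defaults to `null` and every host except socrates now comments its address out, even the right name would fail with an attribute access on `null`; assuming `hostOpts` is the `fudo.hosts` entry, the map should only cover hosts that set it: `ipv4-address = hostOpts.initrd-network.ip;` over `(filterAttrs (_: h: h.initrd-network != null) config.instance.local-hosts);`. The commented-out `secrets.host-secrets` block says why it was abandoned, which is good; adding `# replaced by boot.initrd.network.ssh.hostKeys above` would keep it from being resurrected.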
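Review bot: Neither `hostOpts` nor `host-keys` is bound in the `extra-records` lambda: its parameters are `hostname: key-pkg:`, and `host-keys` was removed from the `let` block in this commit, so the DNS record generation fails to evaluate. Suggest iterating the host set instead, `(hostname: hostOpts: let`, `hostname hostOpts.initrd-network.keypair.public-key;` and as the final argument `(filterAttrs (_: h: h.initrd-network != null) config.instance.local-hosts);`, which also removes the now-unused `key-pkg`. `read-lines` on `"${sshfp-pkg}/..."` presumably forces the fingerprint derivation to build during evaluation; that predates this commit, but a comment noting that DNS generation depends on a build would help the next reader.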
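Review bot: Switching `wantedBy` from `multi-user.target` to `default.target` does not start the decrypt service any earlier: for the system manager `default.target` is normally an alias of `multi-user.target` or `graphical.target`, so this changes at most which target pulls the unit in. If the motivation is the activation-time race described in the `initrd-network.nix` comment, the fix is an ordering dependency between the secret unit and its consumer (`before`/`after` plus `requiredBy`/`requires`), not a different target; a short comment on why `default.target` was chosen would at least record the intent. The same change appears in the `fudo-secrets-watcher` service and path hunks that follow.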
@@ -140,7 +140,7 @@ in {
 services = host-secret-services // {
 fudo-secrets-watcher = {
- wantedBy = [ "multi-user.target" ];
+ wantedBy = [ "default.target" ];
 description = "Ensure access for group ${cfg.secret-group} to fudo secret paths.";
 serviceConfig = {
@@ -154,7 +154,7 @@
 };
 paths.fudo-secrets-watcher = mkIf ((length cfg.secret-paths) > 0) {
- wantedBy = [ "multi-user.target" ];
+ wantedBy = [ "default.target" ];
 description = "Watch fudo secret paths, and correct perms on changes.";
 pathConfig = {
 PathChanged = cfg.secret-paths;
diff --git a/lib/types/host.nix b/lib/types/host.nix
index a2aa13a..a7c4a93 100644
--- a/lib/types/host.nix
+++ b/lib/types/host.nix
@@ -177,35 +177,37 @@ rec {
 android-dev = mkEnableOption "Enable ADB on the host.";
- # FIXME: This probably belongs elsewhere...
- initrd-ip = mkOption {
- type = nullOr str;
- description = "IP to assign to the kernel/initrd, to allow access when boot fails.";
- default = null;
- };
-
- initrd-ssh-keypair = let
- keypair = { ... }: {
+ initrd-network = let
+ keypair-type = { ... }: {
 options = {
 public-key = mkOption {
 type = str;
 description = "SSH public key.";
 };
- private-key = mkOption {
+ private-key-file = mkOption {
 type = str;
- description = "SSH private key.";
- };
-
- type = mkOption {
- type = enum [ "rsa" "ecdsa" "ed25519" ];
- description = "SSH key type.";
+ description = "Path to SSH private key (on the local host!).";
 };
 };
 };
+
+ initrd-network-config = { ... }: {
+ options = {
+ ip = mkOption {
+ type = str;
+ description = "IP to assign to the initrd image, allowing access to host during bootup.";
+ };
+ keypair = mkOption {
+ type = keypair-type;
+ description = "SSH host key pair to use for initrd.";
+ };
+ };
+ };
+
 in mkOption {
- type = nullOr (submodule keypair);
- description = "SSH Keypair to use for initrd.";
+ type = nullOr (submodule initrd-network-config);
+ description = "Configuration parameters to set up initrd SSH network.";
 default = null;
 };
 };
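Review bot: The `private-key-file` description should say why the option is a `str` and not a `path`: a path-typed value would be copied into the world-readable Nix store at evaluation, and the key is meant to live on the booting host, not in the repository. Suggest `description = "Absolute path, on the local host, to the SSH private key for the initrd sshd. Deliberately a string: a Nix path value would copy the key into /nix/store. Use a key dedicated to the initrd, not the system host key.";`. `ip` is interpolated verbatim into the kernel `ip=` parameter in `initrd-network.nix`, so its description could say that the full kernel `ip=` syntax is accepted rather than just an address. `initrd-ip` is removed outright, so a host that still sets it fails with a generic undefined-option error; if that matters, a `mkRemovedOptionModule` pointing at `initrd-network.ip` is the usual way to give a hint.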