Fiiiine, I'll just use a local fuckin file.

niten 2021-10-15 12:57:48 -07:00
parent 0330f6ae78
commit 51546ec7fd
11 changed files with 67 additions and 74 deletions


@ -22,5 +22,5 @@
arch = "x86_64-linux"; arch = "x86_64-linux";
nixos-system = true; nixos-system = true;
machine-id = "c031cda2e88a4cedb3b22f41f9042646"; machine-id = "c031cda2e88a4cedb3b22f41f9042646";
initrd-ip = "10.0.5.11"; # initrd-ip = "10.0.5.11";
} }


@ -21,5 +21,5 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA44EqP6HHjIPBFuxKvi2oZc1sNU+N4pNMtlS89KWuDm"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA44EqP6HHjIPBFuxKvi2oZc1sNU+N4pNMtlS89KWuDm";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.1"; # initrd-ip = "10.0.5.1";
} }


@ -21,5 +21,5 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODtNR4b43ZJgyGo9Hc+CmC4+bzgxbsVYI9fhDqjyRSo"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODtNR4b43ZJgyGo9Hc+CmC4+bzgxbsVYI9fhDqjyRSo";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.10"; # initrd-ip = "10.0.5.10";
} }


@ -24,5 +24,5 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgAzn6gyG1ze7L1WLU84poPGcoUntqfvgn+/s3bxhR2"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgAzn6gyG1ze7L1WLU84poPGcoUntqfvgn+/s3bxhR2";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.11"; # initrd-ip = "10.0.5.11";
} }


@ -21,5 +21,11 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmJJFbAV8P1V1LSZr56GJ5ul3LBgdapbh+MK3ixTsxf"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmJJFbAV8P1V1LSZr56GJ5ul3LBgdapbh+MK3ixTsxf";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.10"; initrd-network = {
ip = "10.0.5.10";
keypair = {
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLsxECiR4kqvUutMFkOTkIC8nsKK++aQ7HYiWjLdKdb";
private-key-file = "/state/ssh/initrd/ssh_ed25519_key";
};
};
} }
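Review bot: The `private-key-file` path `/state/ssh/initrd/ssh_ed25519_key` is handed to `boot.initrd.network.ssh.hostKeys` by the initrd module in this same commit, and as far as I recall NixOS copies those files into the initrd image at build time, so the key ends up inside the initrd on the (normally unencrypted) boot partition and must already exist on the building host or the build fails — confirm both are acceptable for this host. Because the key is baked in rather than read at boot, rotating it requires a rebuild and a redeploy of the initrd. A comment above `keypair`, e.g. `# Copied into the initrd at build time; lives unencrypted on /boot, rotate via rebuild.`, would record that so the file is not mistaken for a runtime secret.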


@ -22,5 +22,5 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGs8MfR3d6f1Llqk5dn/ypODUT1Oi4SQGof/YvOPNf14"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGs8MfR3d6f1Llqk5dn/ypODUT1Oi4SQGof/YvOPNf14";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.108"; # initrd-ip = "10.0.5.108";
} }


@ -22,5 +22,5 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaF5T7Pb613C31BJVj74WYx4Pytj/lmH+PqjkqoNNkQ"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaF5T7Pb613C31BJVj74WYx4Pytj/lmH+PqjkqoNNkQ";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.111"; # initrd-ip = "10.0.5.111";
} }


@ -22,5 +22,5 @@
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsn68vDKV4jnBuICSDX/2Gpnshbrz0r9t4lXIke1vqh"; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsn68vDKV4jnBuICSDX/2Gpnshbrz0r9t4lXIke1vqh";
key-path = "/state/master-key/key"; key-path = "/state/master-key/key";
}; };
initrd-ip = "10.0.5.110"; # initrd-ip = "10.0.5.110";
} }


@ -3,49 +3,29 @@
with lib; with lib;
let let
hostname = config.instance.hostname; hostname = config.instance.hostname;
host-cfg = config.fudo.hosts.${hostname}; initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;
ip = host-cfg.initrd-ip;
key-type = "ed25519"; gen-sshfp-records = hostname: pubkey: let
pubkey-file = wirteTextFile {
key-filename = "ssh_host_${key-type}_key"; name = "${hostname}-initrd-ssh-pubkey";
text = pubkey;
gen-host-keys = hostname: pkgs.stdenv.mkDerivation { };
name = "${hostname}-initrd-ssh-keys"; in pkgs.stdenv.mkDerivation {
name = "${hostname}-initrd-ssh-firngerprint";
phases = [ "installPhase" ]; phases = [ "installPhase" ];
buildInputs = with pkgs; [ openssh ];
installPhase = '' installPhase = ''
mkdir $out mkdir $out
ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${hostname}-initrd-ssh-pubkey.sshfp
''; '';
}; };
gen-sshfp-records = host: key-pkg: pkgs.stdenv.mkDerivation {
name = "${hostname}-initrd-ssh-fingerprints";
phases = [ "installPhase" ];
buildInputs = with pkgs; [ openssh ];
installPhase = ''
mkdir $out
ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
'';
};
host-keys = genAttrs (attrNames config.instance.local-hosts)
(hostname: gen-host-keys hostname);
in { in {
config = mkIf (ip != null) { config = mkIf (initrd-cfg != null) {
boot = let boot = {
hostname = config.instance.hostname;
in {
kernelParams = [ kernelParams = [
"ip=${ip}" n "ip=${initrd-cfg.ip}"
]; ];
initrd = { initrd = {
network = { network = {
@ -60,7 +40,7 @@ in {
port = 22; port = 22;
authorizedKeys = admin-ssh-keys; authorizedKeys = admin-ssh-keys;
hostKeys = [ hostKeys = [
"/var/run/ssh/${key-filename}" initrd-cfg.keypair.private-key-file
]; ];
}; };
}; };
@ -68,21 +48,24 @@ in {
}; };
fudo = { fudo = {
secrets.host-secrets = mapAttrs ## Sigh...this doesn't work because the file isn't available soon enough
(hostname: key-pkg: { ## during activation.
initrd-ssh-host-key = { #
source-file = "${key-pkg}/${key-filename}"; # secrets.host-secrets = mapAttrs
target-file = "/var/run/ssh/${key-filename}"; # (hostname: key-pkg: {
user = "root"; # initrd-ssh-host-key = {
}; # source-file = "${key-pkg}/${key-filename}";
}) # target-file = "/var/run/ssh/${key-filename}";
host-keys; # user = "root";
# };
# })
# host-keys;
local-network = { local-network = {
network-definition.hosts = mapAttrs' network-definition.hosts = mapAttrs'
(hostname: hostOpts: nameValuePair "${hostname}-recovery" (hostname: hostOpts: nameValuePair "${hostname}-recovery"
{ {
ipv4-address = config.fudo.hosts.${hostname}.initrd-ip; ipv4-address = hostOpts.initrd-network-config.ip;
description = "${hostname} initrd host"; description = "${hostname} initrd host";
}) })
config.instance.local-hosts; config.instance.local-hosts;
@ -90,8 +73,10 @@ in {
extra-records = extra-records =
mapAttrs mapAttrs
(hostname: key-pkg: let (hostname: key-pkg: let
sshfp-pkg = gen-sshfp-records hostname key-pkg; sshfp-pkg =
sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp"; gen-sshfp-records
hostname hostOpts.initrd-network-config.keypair.public-key;
sshfps = read-lines "${sshfp-pkg}/${hostname}-initrd-ssh-pubkey.sshfp";
in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps) in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps)
host-keys; host-keys;
}; };
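Review bot: The `extra-records` expression at the end of the section no longer evaluates: it still maps over `host-keys`, which this commit deletes from the `let`, its lambda binds `key-pkg` but the body reads `hostOpts`, and both it and `network-definition.hosts` access `initrd-network-config`, while the option is named `initrd-network` (as `initrd-cfg = config.fudo.hosts.${hostname}.initrd-network` at the top shows). Both mappings also need to skip hosts whose `initrd-network` is null — the option defaults to null — otherwise `.ip` on null fails for every host that just had its `initrd-ip` commented out. `gen-sshfp-records` additionally calls `wirteTextFile`, which does not exist; it should be `pkgs.writeTextFile`. The module's argument header lies above the hunk, so I assume `pkgs` and `lib` are in scope as the surrounding code implies. A rewrite along these lines drives both record sets from one filtered host set:
```nix
let
  hostname = config.instance.hostname;
  initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;
  # Only hosts that actually configure an initrd network; the option defaults to null.
  initrd-hosts = filterAttrs
    (host: _: config.fudo.hosts.${host}.initrd-network != null)
    config.instance.local-hosts;
  host-initrd-net = host: config.fudo.hosts.${host}.initrd-network;
  gen-sshfp-records = hostname: pubkey: let
    pubkey-file = pkgs.writeTextFile {
  # … unchanged: rest of gen-sshfp-records, boot.kernelParams, boot.initrd …
      network-definition.hosts = mapAttrs'
        (host: _: nameValuePair "${host}-recovery" {
          ipv4-address = (host-initrd-net host).ip;
          description = "${host} initrd host";
        })
        initrd-hosts;
      # … unchanged: other local-network settings …
      extra-records = mapAttrs
        (host: _: let
          sshfp-pkg = gen-sshfp-records host (host-initrd-net host).keypair.public-key;
          sshfps = read-lines "${sshfp-pkg}/${host}-initrd-ssh-pubkey.sshfp";
        in map (sshfp: "${host} IN SSHFP ${sshfp}") sshfps)
        initrd-hosts;
```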


@ -32,7 +32,7 @@ let
secret-service = target-host: secret-name: secret-service = target-host: secret-name:
{ source-file, target-file, user, group, permissions }: { { source-file, target-file, user, group, permissions }: {
description = "decrypt secret ${secret-name} for ${target-host}."; description = "decrypt secret ${secret-name} for ${target-host}.";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "default.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStartPre = pkgs.writeShellScript ExecStartPre = pkgs.writeShellScript
@ -140,7 +140,7 @@ in {
in { in {
services = host-secret-services // { services = host-secret-services // {
fudo-secrets-watcher = { fudo-secrets-watcher = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "default.target" ];
description = description =
"Ensure access for group ${cfg.secret-group} to fudo secret paths."; "Ensure access for group ${cfg.secret-group} to fudo secret paths.";
serviceConfig = { serviceConfig = {
@ -154,7 +154,7 @@ in {
}; };
paths.fudo-secrets-watcher = mkIf ((length cfg.secret-paths) > 0) { paths.fudo-secrets-watcher = mkIf ((length cfg.secret-paths) > 0) {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "default.target" ];
description = "Watch fudo secret paths, and correct perms on changes."; description = "Watch fudo secret paths, and correct perms on changes.";
pathConfig = { pathConfig = {
PathChanged = cfg.secret-paths; PathChanged = cfg.secret-paths;
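Review bot: Changing `wantedBy` to `default.target` on the three units is unlikely to start them any earlier: on a systemd host `default.target` is normally just an alias of `multi-user.target` (or `graphical.target`), so the decrypt services still run after activation has finished, which is the ordering problem the initrd module's new comment describes. If the goal is to have a decrypted secret available to another unit or to activation, that needs an explicit `before`/`requiredBy` relationship on the consumer (or an activation script), not a different wanted-by target. A comment on the first changed line stating what the switch is meant to achieve, e.g. `# default.target rather than multi-user.target so secrets are decrypted regardless of the host's default boot target`, would at least make the intent checkable. `secret-service` continues beyond the hunk, so I could not see whether any `before` ordering is already set there.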


@ -177,35 +177,37 @@ rec {
android-dev = mkEnableOption "Enable ADB on the host."; android-dev = mkEnableOption "Enable ADB on the host.";
# FIXME: This probably belongs elsewhere... initrd-network = let
initrd-ip = mkOption { keypair-type = { ... }: {
type = nullOr str;
description = "IP to assign to the kernel/initrd, to allow access when boot fails.";
default = null;
};
initrd-ssh-keypair = let
keypair = { ... }: {
options = { options = {
public-key = mkOption { public-key = mkOption {
type = str; type = str;
description = "SSH public key."; description = "SSH public key.";
}; };
private-key = mkOption { private-key-file = mkOption {
type = str; type = str;
description = "SSH private key."; description = "Path to SSH private key (on the local host!).";
};
type = mkOption {
type = enum [ "rsa" "ecdsa" "ed25519" ];
description = "SSH key type.";
}; };
}; };
}; };
initrd-network-config = { ... }: {
options = {
ip = mkOption {
type = str;
description = "IP to assign to the initrd image, allowing access to host during bootup.";
};
keypair = mkOption {
type = keypair-type;
description = "SSH host key pair to use for initrd.";
};
};
};
in mkOption { in mkOption {
type = nullOr (submodule keypair); type = nullOr (submodule initrd-network-config);
description = "SSH Keypair to use for initrd."; description = "Configuration parameters to set up initrd SSH network.";
default = null; default = null;
}; };
}; };
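Review bot: `private-key-file` is typed `str` rather than `path`, which is the right choice — a `path`-typed value would be copied into the world-readable Nix store at evaluation time — but the description only hints at this with "(on the local host!)". Spell out the reason so the type is not "fixed" later: `description = "Path to the SSH private key file on the local host. Deliberately a string, not a path, so the key is never copied into the Nix store.";`. The `ip` option could likewise note that the initrd module in this commit interpolates the value verbatim into the kernel `ip=` parameter, since nothing here validates it as an IPv4 address.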