Fiiiine, I'll just use a local fuckin file.

2021-10-15 12:57:48 -07:00 · 2021-10-15 12:57:48 -07:00 · 51546ec7fd
commit 51546ec7fd
parent 0330f6ae78
11 changed files with 67 additions and 74 deletions
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@ -22,5 +22,5 @@
  arch = "x86_64-linux";
  nixos-system = true;
  machine-id = "c031cda2e88a4cedb3b22f41f9042646";
-  initrd-ip = "10.0.5.11";
+  # initrd-ip = "10.0.5.11";
 }
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@ -21,5 +21,5 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA44EqP6HHjIPBFuxKvi2oZc1sNU+N4pNMtlS89KWuDm";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.1";
+  # initrd-ip = "10.0.5.1";
 }
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@ -21,5 +21,5 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODtNR4b43ZJgyGo9Hc+CmC4+bzgxbsVYI9fhDqjyRSo";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.10";
+  # initrd-ip = "10.0.5.10";
 }
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@ -24,5 +24,5 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgAzn6gyG1ze7L1WLU84poPGcoUntqfvgn+/s3bxhR2";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.11";
+  # initrd-ip = "10.0.5.11";
 }
--- a/config/hosts/socrates.nix
+++ b/config/hosts/socrates.nix
@ -21,5 +21,11 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmJJFbAV8P1V1LSZr56GJ5ul3LBgdapbh+MK3ixTsxf";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.10";
+  initrd-network = {
+    ip = "10.0.5.10";
+    keypair = {
+      public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLsxECiR4kqvUutMFkOTkIC8nsKK++aQ7HYiWjLdKdb";
+      private-key-file = "/state/ssh/initrd/ssh_ed25519_key";
+    };
+  };
 }
--- a/config/hosts/spark.nix
+++ b/config/hosts/spark.nix
@ -22,5 +22,5 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGs8MfR3d6f1Llqk5dn/ypODUT1Oi4SQGof/YvOPNf14";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.108";
+  # initrd-ip = "10.0.5.108";
 }
--- a/config/hosts/system3.nix
+++ b/config/hosts/system3.nix
@ -22,5 +22,5 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaF5T7Pb613C31BJVj74WYx4Pytj/lmH+PqjkqoNNkQ";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.111";
+  # initrd-ip = "10.0.5.111";
 }
--- a/config/hosts/zbox.nix
+++ b/config/hosts/zbox.nix
@ -22,5 +22,5 @@
    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsn68vDKV4jnBuICSDX/2Gpnshbrz0r9t4lXIke1vqh";
    key-path = "/state/master-key/key";
  };
-  initrd-ip = "10.0.5.110";
+  # initrd-ip = "10.0.5.110";
 }
--- a/lib/fudo/initrd-network.nix
+++ b/lib/fudo/initrd-network.nix
@ -3,49 +3,29 @@
 with lib;
 let
  hostname = config.instance.hostname;
-  host-cfg = config.fudo.hosts.${hostname};
-  ip = host-cfg.initrd-ip;
+  initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;

-  key-type = "ed25519";
-
-  key-filename = "ssh_host_${key-type}_key";
-
-  gen-host-keys = hostname: pkgs.stdenv.mkDerivation {
-    name = "${hostname}-initrd-ssh-keys";
+  gen-sshfp-records = hostname: pubkey: let
+    pubkey-file = wirteTextFile {
+      name = "${hostname}-initrd-ssh-pubkey";
+      text = pubkey;
+    };
+  in pkgs.stdenv.mkDerivation {
+    name = "${hostname}-initrd-ssh-firngerprint";

    phases = [ "installPhase" ];

-    buildInputs = with pkgs; [ openssh ];
-
    installPhase = ''
      mkdir $out
-      ssh-keygen -q -t ${key-type} -N "" -f $out/ssh_host_${key-type}_key
+      ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${hostname}-initrd-ssh-pubkey.sshfp
    '';
  };

-  gen-sshfp-records = host: key-pkg: pkgs.stdenv.mkDerivation {
-    name = "${hostname}-initrd-ssh-fingerprints";
-
-    phases = [ "installPhase" ];
-
-    buildInputs = with pkgs; [ openssh ];
-
-    installPhase = ''
-      mkdir $out
-      ssh-keygen -r REMOVEME -f "${key-pkg}/${key-filename}" | sed 's/^REMOVEME IN SSHFP //' >> $out/${key-filename}.sshfp
-    '';
-  };
-
-  host-keys = genAttrs (attrNames config.instance.local-hosts)
-    (hostname: gen-host-keys hostname);
-
 in {
-  config = mkIf (ip != null) {
-    boot = let
-      hostname = config.instance.hostname;
-    in {
+  config = mkIf (initrd-cfg != null) {
+    boot = {
      kernelParams = [
-        "ip=${ip}"
+n        "ip=${initrd-cfg.ip}"
      ];
      initrd = {
        network = {
@ -60,7 +40,7 @@ in {
            port = 22;
            authorizedKeys = admin-ssh-keys;
            hostKeys = [
-              "/var/run/ssh/${key-filename}"
+              initrd-cfg.keypair.private-key-file
            ];
          };
        };
@ -68,21 +48,24 @@ in {
    };

    fudo = {
-      secrets.host-secrets = mapAttrs
-        (hostname: key-pkg: {
-          initrd-ssh-host-key = {
-            source-file = "${key-pkg}/${key-filename}";
-            target-file = "/var/run/ssh/${key-filename}";
-            user = "root";
-          };
-        })
-        host-keys;
+      ## Sigh...this doesn't work because the file isn't available soon enough
+      ## during activation.
+      #
+      # secrets.host-secrets = mapAttrs
+      #   (hostname: key-pkg: {
+      #     initrd-ssh-host-key = {
+      #       source-file = "${key-pkg}/${key-filename}";
+      #       target-file = "/var/run/ssh/${key-filename}";
+      #       user = "root";
+      #     };
+      #   })
+      #   host-keys;

      local-network = {
        network-definition.hosts = mapAttrs'
          (hostname: hostOpts: nameValuePair "${hostname}-recovery"
            {
-              ipv4-address = config.fudo.hosts.${hostname}.initrd-ip;
+              ipv4-address = hostOpts.initrd-network-config.ip;
              description = "${hostname} initrd host";
            })
          config.instance.local-hosts;
@ -90,8 +73,10 @@ in {
        extra-records =
          mapAttrs
            (hostname: key-pkg: let
-              sshfp-pkg = gen-sshfp-records hostname key-pkg;
-              sshfps = read-lines "${sshfp-pkg}/${key-filename}.sshfp";
+              sshfp-pkg =
+                gen-sshfp-records
+                  hostname hostOpts.initrd-network-config.keypair.public-key;
+              sshfps = read-lines "${sshfp-pkg}/${hostname}-initrd-ssh-pubkey.sshfp";
            in map (sshfp: "${hostname} IN SSHFP ${sshfp}") sshfps)
            host-keys;
      };
--- a/lib/fudo/secrets.nix
+++ b/lib/fudo/secrets.nix
@ -32,7 +32,7 @@ let
  secret-service = target-host: secret-name:
    { source-file, target-file, user, group, permissions }: {
      description = "decrypt secret ${secret-name} for ${target-host}.";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "default.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStartPre = pkgs.writeShellScript
@ -140,7 +140,7 @@ in {
    in {
      services = host-secret-services // {
        fudo-secrets-watcher = {
-          wantedBy = [ "multi-user.target" ];
+          wantedBy = [ "default.target" ];
          description =
            "Ensure access for group ${cfg.secret-group} to fudo secret paths.";
          serviceConfig = {
@ -154,7 +154,7 @@ in {
      };

      paths.fudo-secrets-watcher = mkIf ((length cfg.secret-paths) > 0) {
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "default.target" ];
        description = "Watch fudo secret paths, and correct perms on changes.";
        pathConfig = {
          PathChanged = cfg.secret-paths;
--- a/lib/types/host.nix
+++ b/lib/types/host.nix
@ -177,35 +177,37 @@ rec {

      android-dev = mkEnableOption "Enable ADB on the host.";

-      # FIXME: This probably belongs elsewhere...
-      initrd-ip = mkOption {
-        type = nullOr str;
-        description = "IP to assign to the kernel/initrd, to allow access when boot fails.";
-        default = null;
-      };
-
-      initrd-ssh-keypair = let
-        keypair = { ... }: {
+      initrd-network = let
+        keypair-type = { ... }: {
          options = {
            public-key = mkOption {
              type = str;
              description = "SSH public key.";
            };

-            private-key = mkOption {
+            private-key-file = mkOption {
              type = str;
-              description = "SSH private key.";
+              description = "Path to SSH private key (on the local host!).";
+            };
+          };
        };

-            type = mkOption {
-              type = enum [ "rsa" "ecdsa" "ed25519" ];
-              description = "SSH key type.";
+        initrd-network-config = { ... }: {
+          options = {
+            ip = mkOption {
+              type = str;
+              description = "IP to assign to the initrd image, allowing access to host during bootup.";
+            };
+            keypair = mkOption {
+              type = keypair-type;
+              description = "SSH host key pair to use for initrd.";
            };
          };
        };
+
      in mkOption {
-        type = nullOr (submodule keypair);
-        description = "SSH Keypair to use for initrd.";
+        type = nullOr (submodule initrd-network-config);
+        description = "Configuration parameters to set up initrd SSH network.";
        default = null;
      };
    };