diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix
index 3e924bb..6d125df 100644
--- a/config/hardware/lambda.nix
+++ b/config/hardware/lambda.nix
@@ -68,8 +68,6 @@ in {
 nix.maxJobs = lib.mkDefault 12;
 
 networking = {
- hostId = substring 0 8 (fileContents /etc/machine-id);
-
 macvlans = {
 intif0 = {
 interface = "enp3s0f1";
diff --git a/config/hardware/limina.nix b/config/hardware/limina.nix
index 4830684..3b3dbf3 100644
--- a/config/hardware/limina.nix
+++ b/config/hardware/limina.nix
@@ -62,8 +62,6 @@ with lib; {
 hardware.bluetooth.enable = false;
 
 networking = {
- hostId = substring 0 8 (fileContents /state/etc/machine-id);
-
 macvlans = {
 intif0 = {
 interface = "enp2s0";
diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix
index eae363f..16b0f02 100644
--- a/config/hardware/plato.nix
+++ b/config/hardware/plato.nix
@@ -59,8 +59,6 @@ with lib; {
 hardware.bluetooth.enable = false;
 
 networking = {
- hostId = substring 0 8 (fileContents /etc/machine-id);
-
 macvlans = {
 intif0 = {
 interface = "enp1s0";
diff --git a/config/hardware/system3.nix b/config/hardware/system3.nix
index e2928d9..1432f6a 100644
--- a/config/hardware/system3.nix
+++ b/config/hardware/system3.nix
@@ -106,8 +106,6 @@ in {
 };
 
 networking = {
- hostId = substring 0 8 (fileContents /state/etc/machine-id);
-
 useDHCP = false;
 
 macvlans = {
diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix
index cebe035..578e2d5 100644
--- a/config/host-config/lambda.nix
+++ b/config/host-config/lambda.nix
@@ -88,7 +88,6 @@ in {
 mode = "0444";
 };
 nixos.source = "/etc/nixos-live";
- "machine-id".source = "${state-dir}/host/machine-id";
 "host-config.nix".source = "/state/host/host-config.nix";
 adjtime.source = "/state/host/adjtime";
 NIXOS.source = "/state/host/NIXOS";
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index c81c90a..d25b30d 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -137,7 +137,6 @@ in {
 nixos.source = "/state/nixos";
 adjtime.source = "/state/etc/adjtime";
 NIXOS.source = "/state/etc/NIXOS";
- machine-id.source = "/state/etc/machine-id";
 "host-config.nix".source = "/state/etc/host-config.nix";
 ## This should be handled by nixops deploy
 # "krb5.keytab" = {
diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix
index 8b12ffe..df45c51 100644
--- a/config/host-config/plato.nix
+++ b/config/host-config/plato.nix
@@ -41,7 +41,6 @@ in {
 nixos.source = "/state/nixos";
 adjtime.source = "/state/etc/adjtime";
 NIXOS.source = "/state/etc/NIXOS";
- machine-id.source = "/state/etc/machine-id";
 "host-config.nix".source = "/state/etc/host-config.nix";
 };
 
diff --git a/config/host-config/socrates.nix b/config/host-config/socrates.nix
index e3af163..928720a 100644
--- a/config/host-config/socrates.nix
+++ b/config/host-config/socrates.nix
@@ -39,7 +39,6 @@ in {
 nixos.source = "/state/nixos";
 adjtime.source = "/state/etc/adjtime";
 NIXOS.source = "/state/etc/NIXOS";
- machine-id.source = "/state/etc/machine-id";
 "host-config.nix".source = "/state/etc/host-config.nix";
 };
 
diff --git a/config/host-config/system3.nix b/config/host-config/system3.nix
index dc45d73..5230c8e 100644
--- a/config/host-config/system3.nix
+++ b/config/host-config/system3.nix
@@ -55,7 +55,6 @@ in {
 mode = "0444";
 };
 nixos.source = "/etc/nixos-live";
- "machine-id".source = "${state-dir}/host/machine-id";
 "host-config.nix".source = "${state-dir}/host/host-config.nix";
 adjtime.source = "${state-dir}/host/adjtime";
 NIXOS.source = "${state-dir}/host/NIXOS";
diff --git a/config/hosts/clunk.nix b/config/hosts/clunk.nix
index bc2c133..ed46b77 100644
--- a/config/hosts/clunk.nix
+++ b/config/hosts/clunk.nix
@@ -1,19 +1,19 @@
 {
 description = "rus.selby.ca gateway box.";
 docker-server = true;
- ssh-fingerprints = [
- "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
- "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
- "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
- "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
- ];
+ # ssh-fingerprints = [
+ # "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
+ # "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
+ # "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
+ # "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "rus.selby.ca";
 site = "russell";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
+ # ssh-pubkeys =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
 arch = "x86_64-linux";
 nixos-system = true;
 }
diff --git a/config/hosts/downstairs-desktop.nix b/config/hosts/downstairs-desktop.nix
index 381c445..e202199 100644
--- a/config/hosts/downstairs-desktop.nix
+++ b/config/hosts/downstairs-desktop.nix
@@ -13,8 +13,9 @@
 domain = "rus.selby.ca";
 site = "russell";
 profile = "desktop";
- ssh-pubkey =
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
+ # ssh-pubkeys = [
+ # "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas="
+ # ];
 arch = "x86_64-linux";
 nixos-system = false;
 }
diff --git a/config/hosts/france.nix b/config/hosts/france.nix
index f05b3ee..c0cf51a 100644
--- a/config/hosts/france.nix
+++ b/config/hosts/france.nix
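Review bot: The `ssh-fingerprints` and `ssh-pubkey` values are commented out rather than deleted, here and in the downstairs-desktop, france, lambda, limina, nostromo, plato, procul, socrates, spark, system3 and zbox hunks. Stale host-key fingerprints and public keys left in comments are easy to mistake for the current ones, the commented copies have already drifted (`# ssh-pubkeys =` here and in downstairs-desktop.nix, `# ssh-pubkey =` elsewhere), and git history keeps the old values anyway. Since lib/fudo/ssh.nix now derives `ssh-pubkeys` and `ssh-fingerprints` from `config.fudo.secrets.files.host-ssh-keypairs`, remove the commented blocks outright.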
@@ -1,19 +1,19 @@
 {
 description = "Primary fudo.org server.";
 docker-server = true;
- ssh-fingerprints = [
- "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
- "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
- "4 1 c95a198f504a589fc62893a95424b12f0b24732d"
- "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
- ];
+ # ssh-fingerprints = [
+ # "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
+ # "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
+ # "4 1 c95a198f504a589fc62893a95424b12f0b24732d"
+ # "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
+ # ];
 rp = "admin";
 admin-email = "admin@fudo.org";
 domain = "fudo.org";
 site = "portage";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
 arch = "x86_64-linux";
 # Just to stop this evaluating for now
 nixos-system = false;
diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix
index 323dfbb..e866bcb 100644
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@@ -1,20 +1,21 @@
 {
 description = "sea.fudo.org experiment server.";
 docker-server = true;
- ssh-fingerprints = [
- "1 1 01c67478e2cc7a386a2468adb9d4627a53d69af5"
- "1 2 750bc70f88a6c774077f20603a143b9f07436d9d074af78875850ae4df8971eb"
- "4 1 fdb3da40dc48540a3f5644e360db9225a584f64e"
- "4 2 310115023c1f98ae88ac94eb38dd529352f3036048d72c87e87c0ab53f186438"
- ];
+ # ssh-fingerprints = [
+ # "1 1 01c67478e2cc7a386a2468adb9d4627a53d69af5"
+ # "1 2 750bc70f88a6c774077f20603a143b9f07436d9d074af78875850ae4df8971eb"
+ # "4 1 fdb3da40dc48540a3f5644e360db9225a584f64e"
+ # "4 2 310115023c1f98ae88ac94eb38dd529352f3036048d72c87e87c0ab53f186438"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "sea.fudo.org";
 site = "seattle";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
 enable-gui = false;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "c031cda2e88a4cedb3b22f41f9042646";
 }
diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix
index f02dbf7..2d8a81f 100644
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
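Review bot: `machine-id = "c031cda2e88a4cedb3b22f41f9042646";` commits the host's machine ID to the shared configuration, and lib/fudo/hosts.nix then writes it to /etc/machine-id and derives `networking.hostId` from it; the limina, nostromo, plato, socrates, spark, system3 and zbox hunks do the same. machine-id(5) describes the value as confidential and says it must not be exposed in untrusted environments, so if this repository is shared or published it belongs with the other per-host material this commit moves behind `master-key` (the `/state/secrets` flake input that flake.lock already tracks), not in config/hosts. The config/hardware hunks previously took `hostId` from the live /etc/machine-id of each machine; if any of these hosts imports a ZFS pool, confirm the configured value yields the same first 8 hex characters, since a changed hostid makes pool import refuse until forced.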
@@ -1,19 +1,20 @@
 {
 description = "Seattle Gateway Server.";
- ssh-fingerprints = [
- "1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
- "1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
- "4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
- "4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
- ];
+ # ssh-fingerprints = [
+ # "1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
+ # "1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
+ # "4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
+ # "4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "sea.fudo.org";
 site = "seattle";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
 tmp-on-tmpfs = false;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "0a1d961dbcc04037ab7938f15801c765";
 }
diff --git a/config/hosts/nostromo.nix b/config/hosts/nostromo.nix
index be8e5f8..9725ab6 100644
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@@ -1,19 +1,20 @@
 {
 description = "sea.fudo.org primary server.";
 docker-server = true;
- ssh-fingerprints = [
- "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
- "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
- "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
- "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
- ];
+ # ssh-fingerprints = [
+ # "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
+ # "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
+ # "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
+ # "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "sea.fudo.org";
 site = "seattle";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "709076ea18254f8f9097c4e54dde5ab3";
 }
diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix
index a8cef82..3f5c4a0 100644
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@@ -1,22 +1,23 @@
 {
 description = "Niten's toy server.";
- ssh-fingerprints = [
- "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
- "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
- "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
- "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
- ];
+ # ssh-fingerprints = [
+ # "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
+ # "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
+ # "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
+ # "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "sea.fudo.org";
 site = "seattle";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
- build-pubkeys = [
- "ssh-rsa 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"
- ];
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
+ # build-pubkeys = [
+ # "ssh-rsa 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"
+ # ];
 tmp-on-tmpfs = false;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "988f39a3b6ab454e9d7dad65bfe36bbe";
 }
diff --git a/config/hosts/procul.nix b/config/hosts/procul.nix
index 3fa96ed..2905813 100644
--- a/config/hosts/procul.nix
+++ b/config/hosts/procul.nix
@@ -1,19 +1,19 @@
 {
 description = "informis.land server.";
 docker-server = true;
- ssh-fingerprints = [
- "1 1 d089902f60751b3d35b5329bf7b906df254d5fa7"
- "1 2 8deebf42bbc40881a327f561bffd5d7bd328a4fc94d4e4ce8c502a9c6cbdfb92"
- "4 1 2a8e086d3589ce50b58c55bc35638af8da23988e"
- "4 2 55a9f7c0addf08bb24c62ced954574db6e95eff38ee56d6a2cff312d20eb910e"
- ];
+ # ssh-fingerprints = [
+ # "1 1 d089902f60751b3d35b5329bf7b906df254d5fa7"
+ # "1 2 8deebf42bbc40881a327f561bffd5d7bd328a4fc94d4e4ce8c502a9c6cbdfb92"
+ # "4 1 2a8e086d3589ce50b58c55bc35638af8da23988e"
+ # "4 2 55a9f7c0addf08bb24c62ced954574db6e95eff38ee56d6a2cff312d20eb910e"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "informis.land";
 site = "joes-datacenter-0";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEsvl1mTSWJJrqXbYrc8wYdlOiW5gNg4Nzf2QCxB6XW";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEsvl1mTSWJJrqXbYrc8wYdlOiW5gNg4Nzf2QCxB6XW";
 tmp-on-tmpfs = false;
 enable-gui = false;
 arch = "x86_64-linux";
diff --git a/config/hosts/socrates.nix b/config/hosts/socrates.nix
index 754d449..30c89f9 100644
--- a/config/hosts/socrates.nix
+++ b/config/hosts/socrates.nix
@@ -1,19 +1,20 @@
 {
 description = "sea.fudo.org deploy server.";
- ssh-fingerprints = [
- "1 1 4055c1d922ec858e703856dd76237f09219261e5"
- "1 2 0f7bfa92fa0435785782b68ca4c9b71786d67df60804ea4b4c42ebb37d061659"
- "4 1 5dc2b674554df5e042171b4045fcfe31f03ad01a"
- "4 2 9bcf664a191e31bf53aa4728828480babdab5377da39a002324303c719b16a55"
- ];
+ # ssh-fingerprints = [
+ # "1 1 4055c1d922ec858e703856dd76237f09219261e5"
+ # "1 2 0f7bfa92fa0435785782b68ca4c9b71786d67df60804ea4b4c42ebb37d061659"
+ # "4 1 5dc2b674554df5e042171b4045fcfe31f03ad01a"
+ # "4 2 9bcf664a191e31bf53aa4728828480babdab5377da39a002324303c719b16a55"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 domain = "sea.fudo.org";
 site = "seattle";
 profile = "server";
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4TqqumZwSDLkg8cTpR734zM+nuqEp1ufaQPoFdqCab";
 tmp-on-tmpfs = false;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "edc4baa9cc1c401dba1bf870725b4bf0";
 }
diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix
index c0aab5e..f4085dd 100644
--- a/config/hosts/spark.nix
+++ b/config/hosts/spark.nix
@@ -1,20 +1,21 @@
 {
 description = "Niten's backup desktop.";
- ssh-fingerprints = [
- "1 1 d26812dee9b26a19a52c38d2b346442979093142"
- "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
- "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
- "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
- ];
+ # ssh-fingerprints = [
+ # "1 1 d26812dee9b26a19a52c38d2b346442979093142"
+ # "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
+ # "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
+ # "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 enable-gui = true;
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
 profile = "desktop";
 domain = "sea.fudo.org";
 site = "seattle";
 android-dev = true;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "63dbd567d55a468482aa15d8aa9097f6";
 }
diff --git a/config/hosts/system3.nix b/config/hosts/system3.nix
index e8d86cd..a261d1c 100644
--- a/config/hosts/system3.nix
+++ b/config/hosts/system3.nix
@@ -1,20 +1,21 @@
 {
 description = "Niten's gaming desktop.";
- ssh-fingerprints = [
- "1 1 c1bec5217880c0567f23414663d59804cf5c0fe4"
- "1 2 bb4e479f14591dc230141e0d87b1a0fd1bdee52ad369a83188714100476c26f6"
- "4 1 c1c2c74c3e2bb214f59b51a6a02452fe2e1658ea"
- "4 2 897793ada12accb15231732a4c6e4ea34f1cd88d13ee9f3fc0b74a40d588b36c"
- ];
+ # ssh-fingerprints = [
+ # "1 1 c1bec5217880c0567f23414663d59804cf5c0fe4"
+ # "1 2 bb4e479f14591dc230141e0d87b1a0fd1bdee52ad369a83188714100476c26f6"
+ # "4 1 c1c2c74c3e2bb214f59b51a6a02452fe2e1658ea"
+ # "4 2 897793ada12accb15231732a4c6e4ea34f1cd88d13ee9f3fc0b74a40d588b36c"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 enable-gui = true;
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEb/+VMOdBavfZxZOto/qa7Xy0T1nJdd7X52nPJdfB1k";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEb/+VMOdBavfZxZOto/qa7Xy0T1nJdd7X52nPJdfB1k";
 profile = "desktop";
 domain = "sea.fudo.org";
 site = "seattle";
 android-dev = true;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "39ebe622cf40413b950d832105e0bb2e";
 }
diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix
index 95c69d2..ad02a5c 100644
--- a/config/hosts/zbox.nix
+++ b/config/hosts/zbox.nix
@@ -1,20 +1,21 @@
 {
 description = "Niten's primary desktop.";
- ssh-fingerprints = [
- "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
- "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
- "4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
- "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
- ];
+ # ssh-fingerprints = [
+ # "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
+ # "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
+ # "4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
+ # "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
+ # ];
 rp = "niten";
 admin-email = "niten@fudo.org";
 enable-gui = true;
- ssh-pubkey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
+ # ssh-pubkey =
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
 profile = "desktop";
 domain = "sea.fudo.org";
 site = "seattle";
 android-dev = true;
 arch = "x86_64-linux";
 nixos-system = true;
+ machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
 }
diff --git a/flake.lock b/flake.lock
index 2683b79..b8394e0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,7 +46,7 @@
 "ssh-keypairs": "ssh-keypairs"
 },
 "locked": {
- "narHash": "sha256-fCEml2rFMgJboI7EN0QQLsAYSKdKegnu23IwRK5GBdE=",
+ "narHash": "sha256-5lkN+UzOEgzUIDhX8tRdWyqO6aqDCzTK0DvCJ2AgUSw=",
 "path": "/state/secrets",
 "type": "path"
 },
diff --git a/initialize.nix b/initialize.nix
index 8dc6590..bda8311 100644
--- a/initialize.nix
+++ b/initialize.nix
@@ -19,9 +19,9 @@ in {
 ];
 
 config = {
- fudo.local-network.timestamp = build-timestamp;
-
- instance = { hostname = hostname; };
+ instance = {
+ inherit hostname build-timestamp;
+ };
 
 nixpkgs.pkgs = pkgs;
 
diff --git a/lib/fudo/distributed-builds.nix b/lib/fudo/distributed-builds.nix
index 84d7004..631ece8 100644
--- a/lib/fudo/distributed-builds.nix
+++ b/lib/fudo/distributed-builds.nix
@@ -2,7 +2,9 @@
 with lib;
 
 let
- sys = callPackage ../system.nix {};
+ sys = import ../system.nix { inherit config lib; };
+
+ hostname = config.instance.hostname;
 
 site-cfg = config.fudo.sites.${sys.local-site};
 
@@ -13,9 +15,9 @@ let
 enable-distributed-builds = site-cfg.enable-distributed-builds
 && has-build-servers && build-keypair != null;
- local-build-cfg =
- mkIf (hasKey site-cfg.build-servers hostname)
- site-cfg.build-servers.hostname;
+ local-build-cfg = if (hasAttr hostname site-cfg.build-servers) then
+ site-cfg.build-servers.${hostname}
+ else null;
 in {
 config = {
@@ -39,8 +41,8 @@ in {
 ${local-build-cfg.build-user} = {
 isSystemUser = true;
 openssh.authorizedKeys.keyFiles =
- foldr (a: b: a ++ b) []
- mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts;
+ concatLists
+ (mapAttrsToList (host: hostOpts: hostOpts.build-pubkeys) sys.local-hosts);
 };
 };
 };
diff --git a/lib/fudo/dns.nix b/lib/fudo/dns.nix
index 133d909..4e4f53e 100644
--- a/lib/fudo/dns.nix
+++ b/lib/fudo/dns.nix
@@ -139,7 +139,7 @@ in {
 
 $TTL 12h
 @ IN SOA ns1.${dom}. hostmaster.${dom}. (
- ${toString builtins.currentTime}
+ ${toString config.instance.build-timestamp}
 30m
 2m
 3w
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index c36d4ef..3bc03b3 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
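Review bot: `local-build-cfg` now evaluates to `null` on every host that is not listed in `site-cfg.build-servers`, but the third hunk still uses it unguarded as an attribute name, `${local-build-cfg.build-user} = {`, so on those hosts evaluation fails with a null-value error unless the enclosing `users.users` definition (its start is outside the hunk) is wrapped in `mkIf enable-distributed-builds`; please confirm that wrapper exists. The `hasAttr` rewrite itself looks right: `hasKey` does not appear to be a nixpkgs `lib` function, and `site-cfg.build-servers.hostname` looked up a literal attribute named hostname rather than the host. Separately, `openssh.authorizedKeys.keyFiles` takes file paths, while the `build-pubkeys` values in config/hosts/plato.nix were literal `ssh-rsa …` strings before this commit commented them out; whichever type `build-pubkeys` ends up with, the option (`keys` vs `keyFiles`) must match it.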
@@ -4,8 +4,28 @@ with lib;
 let
 mapOptional = f: val: if (val != null) then (f val) else null;
 
+ masterKeyOpts = { ... }: {
+ options = with types; {
+ key-path = mkOption {
+ type = str;
+ description = "Path of the host master key file, used to decrypt secrets.";
+ };
+
+ public-key = mkOption {
+ type = str;
+ description = "Public key used during deployment to decrypt secrets for the host.";
+ };
+ };
+ };
+
 hostOpts = { hostname, ... }: {
 options = with types; {
+ master-key = mkOption {
+ type = nullOr (submodule masterKeyOpts);
+ description = "Public key for the host master key, used by the host to decrypt secrets.";
+ default = null;
+ };
+
 domain = mkOption {
 type = str;
 description =
@@ -109,9 +129,9 @@ let
 };
 
 ssh-pubkeys = mkOption {
- type = listOf str;
+ type = listOf path;
 description =
- "SSH keys of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
+ "SSH key files of the host.";
 default = [];
 };
 
@@ -150,6 +170,12 @@ let
 description = "System architecture of the system.";
 };
 
+ machine-id = mkOption {
+ type = nullOr str;
+ description = "Machine id of the system. See: man machine-id.";
+ default = null;
+ };
+
 android-dev = mkEnableOption "Enable ADB on the host.";
 };
 };
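Review bot: The descriptions in the new `masterKeyOpts` contradict how lib/fudo/secrets.nix uses the fields in this same diff: `public-key` is what `encrypt-on-disk` passes to `age -a -r`, so it encrypts secrets for the host, `key-path` is the private key the host decrypts with, and `master-key` itself is the pair, not a public key. Suggest `description = "Public key of the host master key; used on the deploy host to encrypt secrets for this host.";` for `public-key`, and `description = "Host master key pair: the public half encrypts secrets for the host, the private half (key-path) decrypts them on the host.";` for `master-key`. `key-path` is deliberately `str` rather than `path` (a `path` would copy the private key into the Nix store); a one-line comment saying so would stop a later cleanup from "fixing" it.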
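Review bot: `machine-id` is typed `nullOr str` with no format check, yet the config section of this file takes `substring 0 8` of it for `networking.hostId` and writes it verbatim to /etc/machine-id, both of which need exactly 32 lowercase hex characters; a typo in a config/hosts file would then fail at boot rather than at evaluation. `type = nullOr (strMatching "[0-9a-f]{32}");` catches it at eval time. The description should also say where the value ends up, e.g. `description = "Machine id of the system (32 hex chars, unique per host); written to /etc/machine-id and used for networking.hostId. See: man machine-id.";`.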
@@ -187,23 +213,35 @@ in {
 enable = (length host-cfg.external-interfaces) > 0;
 allowedTCPPorts = [ 22 ];
 };
+
+ hostId = mkIf (host-cfg.machine-id != null)
+ (substring 0 8 host-cfg.machine-id);
 };
 
 # NixOS generates a stupid hosts file, just force it
- environment.etc.hosts = let
- host-entries = mapAttrsToList
- (ip: hostnames: "${ip} ${concatStringsSep " " hostnames}")
- config.fudo.system.hostfile-entries;
- in mkForce {
- text = ''
+ environment.etc = {
+ hosts = let
+ host-entries = mapAttrsToList
+ (ip: hostnames: "${ip} ${concatStringsSep " " hostnames}")
+ config.fudo.system.hostfile-entries;
+ in mkForce {
+ text = ''
 127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
 127.0.0.2 ${hostname} localhost
 ::1 ${hostname}.${domain-name} ${hostname} localhost
 ${concatStringsSep "\n" host-entries}
 '';
- user = "root";
- group = "root";
- mode = "0444";
+ user = "root";
+ group = "root";
+ mode = "0444";
+ };
+
+ machine-id = mkIf (host-cfg.machine-id != null) {
+ text = host-cfg.machine-id;
+ user = "root";
+ group = "root";
+ mode = "0444";
+ };
 };
 
 # fudo.hosts.${hostname}.build-pubkeys =
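Review bot: `text = host-cfg.machine-id;` writes the ID without a trailing newline, whereas machine-id(5) specifies 32 hex characters followed by a newline; current systemd tolerates the missing newline when reading, but other consumers of the file may not, so `text = host-cfg.machine-id + "\n";` is the safer form. Both the `hostId` and the `machine-id` entry are conditional on `host-cfg.machine-id != null`, so a host whose config/hardware file previously set `hostId` from `fileContents /etc/machine-id` and that has no `machine-id` in config/hosts would lose its hostId silently; the four hardware hunks in this diff all belong to hosts that do set it, but an assertion would protect the next host added.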
@@ -269,31 +307,29 @@ in {
 members = system.local-admins;
 };
 
- programs.ssh.knownHosts = let
- keyed-hosts =
- filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;
+ # programs.ssh.knownHosts = let
+ # keyed-hosts =
+ # filterAttrs (host: opts: opts.ssh-pubkeys != []) config.fudo.hosts;
 
- traceOut = obj: builtins.trace obj obj;
+ # crossProduct = f: list0: list1:
+ # concatMap (el0: map (el1: f el0 el1) list1) list0;
 
- crossProduct = f: list0: list1:
- concatMap (el0: map (el1: f el0 el1) list1) list0;
+ # getHostnames = hostOpts:
+ # [ hostOpts.hostname ]
+ # ++ (crossProduct (host: domain: "${host}.${domain}")
+ # ([ hostOpts.hostname ] ++ hostOpts.aliases)
+ # ([ hostOpts.domain ] ++ hostOpts.extra-domains));
 
- getHostnames = hostOpts:
- [ hostOpts.hostname ]
- ++ (crossProduct (host: domain: "${host}.${domain}")
- ([ hostOpts.hostname ] ++ hostOpts.aliases)
- ([ hostOpts.domain ] ++ hostOpts.extra-domains));
+ # getHostEntryPairs = host:
+ # map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
+ # (getHostnames host);
 
- getHostEntryPairs = host:
- map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; })
- (getHostnames host);
+ # hostAttrsToList = hostAttrs:
+ # mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
+ # hostAttrs;
 
- hostAttrsToList = hostAttrs:
- mapAttrsToList (hostname: opts: { hostname = hostname; } // opts)
- hostAttrs;
-
- getKnownHosts = hosts:
- concatMap getHostEntryPairs (hostAttrsToList hosts);
- in listToAttrs (getKnownHosts keyed-hosts);
+ # getKnownHosts = hosts:
+ # concatMap getHostEntryPairs (hostAttrsToList hosts);
+ # in listToAttrs (getKnownHosts keyed-hosts);
 };
 }
diff --git a/lib/fudo/local-network.nix b/lib/fudo/local-network.nix
index 2c58b01..9913b76 100644
--- a/lib/fudo/local-network.nix
+++ b/lib/fudo/local-network.nix
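Review bot: The old `programs.ssh.knownHosts` block is commented out rather than deleted even though lib/fudo/ssh.nix in this diff now defines `programs.ssh.knownHosts`; the commented copy is also internally inconsistent (`keyed-hosts` filters on `opts.ssh-pubkeys != []` while `getHostEntryPairs` still reads `host.ssh-pubkey`), so it could not be restored by uncommenting. Delete the block; git history keeps the previous implementation, and a second, half-updated definition of the same option invites a merge-conflict resurrection later. The enclosing config attrset starts outside the hunk.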
@@ -83,11 +83,6 @@ in {
 description = "Definition of network to be served by local server.";
 default = { };
 };
-
- timestamp = mkOption {
- type = int;
- description = "Timestamp of build, to be used as a serial.";
- };
 };
 
 config = mkIf cfg.enable {
@@ -149,7 +144,7 @@ in {
 
 $TTL 1h
 @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
- ${toString cfg.timestamp}
+ ${toString config.instance.build-timestamp}
 1800
 900
 604800
@@ -206,7 +201,7 @@ in {
 name = cfg.domain;
 file = pkgs.writeText "${cfg.domain}-zone" ''
 @ IN SOA ns1.${cfg.domain}. hostmaster.${cfg.domain}. (
- ${toString cfg.timestamp}
+ ${toString config.instance.build-timestamp}
 5m
 2m
 6w
diff --git a/lib/fudo/secrets.nix b/lib/fudo/secrets.nix
index befc479..32db550 100644
--- a/lib/fudo/secrets.nix
+++ b/lib/fudo/secrets.nix
@@ -4,32 +4,33 @@ with lib;
 let
 cfg = config.fudo.secrets;
 
- encrypt-on-disk = { secret-name, target-host, source-file }:
+ encrypt-on-disk = { secret-name, target-host, target-pubkey, source-file }:
 pkgs.stdenv.mkDerivation {
 name = "${target-host}-${secret-name}-secret";
 phases = "installPhase";
 buildInputs = [ pkgs.age ];
- installPhase = let key = config.fudo.hosts.${target-host}.ssh-pubkey;
- in ''
- age -a -r "${key}" -o $out ${source-file}
+ installPhase = ''
+ age -a -r "${target-pubkey}" -o $out ${source-file}
 '';
 };
 
 decrypt-script = { secret-name, source-file, target-host, target-file
- , decrypt-key, user, group, permissions }:
+ , host-master-key, user, group, permissions }:
 pkgs.writeShellScript "decrypt-fudo-secret-${target-host}-${secret-name}.sh" ''
 rm -rf ${target-file}
- age -d -i ${decrypt-key} -o ${target-file} ${
- encrypt-on-disk { inherit secret-name source-file target-host; }
+ age -d -i ${host-master-key.key-path} -o ${target-file} ${
+ encrypt-on-disk {
+ inherit secret-name source-file target-host;
+ target-pubkey = host-master-key.public-key;
+ }
 }
 chown ${user}:${group} ${target-file}
 chmod ${permissions} ${target-file}
 '';
 
 secret-service = target-host: secret-name:
- { source-file, target-file, user, group, permissions, key-type ? "ed25519"
- }: {
+ { source-file, target-file, user, group, permissions }: {
 description = "decrypt secret ${secret-name} for ${target-host}.";
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
@@ -42,11 +43,9 @@ let
 fi
 '';
 ExecStart = let
- decrypt-keys =
- filter (key: key.type == key-type) config.services.openssh.hostKeys;
- decrypt-key = head (map (key: key.path) decrypt-keys);
+ host-master-key = config.fudo.hosts.${target-host}.master-key;
 in decrypt-script {
- inherit secret-name source-file target-host target-file decrypt-key
+ inherit secret-name source-file target-host target-file host-master-key
 user group permissions;
 };
 };
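Review bot: In `decrypt-script` the plaintext is created by `age -d -o ${target-file}` under the service's default umask and only afterwards `chown`ed and `chmod`ed, so until `chmod ${permissions}` runs the file carries whatever mode the umask allows rather than the configured one; add `umask 077` as the first line of the script so the file is created owner-only and `chmod` can only widen it. In the second hunk, `host-master-key = config.fudo.hosts.${target-host}.master-key;` is `null` for any host that leaves the new option at its default, and that surfaces as a null-attribute error from inside `decrypt-script` rather than as a clear message; an assertion that `config.fudo.hosts.${target-host}.master-key != null` naming the host would make the failure explicit. `secret-service` also dropped `key-type ? "ed25519"` without adding `...`, so a caller still passing `key-type` now fails with an unexpected-argument error; any such caller is outside this diff.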
@@ -56,7 +55,7 @@ let
 secretOpts = { ... }: {
 options = with types; {
 source-file = mkOption {
- type = path; # CAREFUL: this will copy the file to nixstore...I think?
+ type = path; # CAREFUL: this will copy the file to nixstore...keep on deploy host
 description = "File from which to load the secret.";
 };
 
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix
index 9629008..d9bc377 100644
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@@ -129,12 +129,6 @@ let
 };
 };
 
- build-user = mkOption {
- type = str;
- description = "User as which to run builds.";
- default = "nix-site-builder";
- };
-
 local-networks = mkOption {
 type = listOf str;
 description = "List of networks to consider local at this site.";
@@ -163,7 +157,7 @@ let
 };
 };
 
- buildServerOpts = { ... }: {
+ buildServerOpts = { hostname, ... }: {
 options = with types; {
 port = mkOption {
 type = port;
@@ -199,7 +193,7 @@ let
 build-user = mkOption {
 type = str;
 description = "User as which to run distributed builds.";
- default = "site-builder";
+ default = "nix-site-builder";
 };
 };
 };
@@ -212,17 +206,17 @@ in {
 };
 
 config = {
- users.users = {
- ${site-cfg.build-user} = mkIf
- (any (build-host: build-host == config.instance.hostname)
- (attrNames site-cfg.build-servers)) {
- isSystemUser = true;
- openssh.authorizedKeys.keys =
- concatMap (hostOpts: hostOpts.build-pubkeys)
- (attrValues site-hosts);
- shell = pkgs.bash;
- };
- };
+ # users.users = {
+ # ${site-cfg.build-user} = mkIf
+ # (any (build-host: build-host == config.instance.hostname)
+ # (attrNames site-cfg.build-servers)) {
+ # isSystemUser = true;
+ # openssh.authorizedKeys.keys =
+ # concatMap (hostOpts: hostOpts.build-pubkeys)
+ # (attrValues site-hosts);
+ # shell = pkgs.bash;
+ # };
+ # };
 
 networking.firewall.allowedTCPPorts = mkIf site-cfg.enable-ssh-backdoor
 [ site-cfg.dropbear-ssh-port ];
diff --git a/lib/fudo/ssh.nix b/lib/fudo/ssh.nix
index fddf8a6..0c07824 100644
--- a/lib/fudo/ssh.nix
+++ b/lib/fudo/ssh.nix
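Review bot: The reworded comment on `type = path;` still understates the consequence: interpolating `${source-file}` in `encrypt-on-disk` copies the plaintext secret into the Nix store, which is world-readable on the deploy host, and the plaintext store path becomes an input of the encryption derivation. Suggest `type = path; # CAREFUL: the plaintext is copied into the deploy host's (world-readable) nix store; only use on a trusted deploy host whose store is not shared or pushed to a cache`. Whether anything outside this diff serves or copies that store is not visible here.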
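Review bot: The `users.users` block in the last sites.nix hunk is commented out rather than removed, and it references `site-cfg.build-user`, an option the first hunk of this file deletes, so uncommenting it later would no longer evaluate; since lib/fudo/distributed-builds.nix now creates the build user, delete the dead block. `buildServerOpts = { hostname, ... }:` adds a `hostname` argument that nothing in the visible lines uses; if it is unused, drop it again to avoid suggesting the submodule depends on it.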
@@ -14,15 +14,16 @@ let
 
 dns-sshfp-records = host: keypair:
 let filename = sshfp-filename host keypair;
- in mkDerivation {
+ in pkgs.stdenv.mkDerivation {
+ name = "${host}-sshfp-record";
+
+ phases = [ "installPhase" ];
+
 buildInputs = with pkgs; [ openssh ];
 
- buildPhase = ''
- ssh-keygen -r REMOVEME -f ${keypair.public-key} | sed 's/^REMOVEME IN SSHFP //' > $(unknown)
- '';
-
 installPhase = ''
- mv $(unknown) $out/$(unknown)
+ mkdir $out
+ ssh-keygen -r REMOVEME -f "${keypair.public-key}" | sed 's/^REMOVEME IN SSHFP //' > $out/$(unknown)
 '';
 };
 
@@ -42,7 +43,7 @@ in {
 ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
 ssh-fingerprints = map (keypair:
 let
- fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
+ fingerprint-derivation = dns-sshfp-records hostname keypair;
 filename = sshfp-filename hostname keypair;
 in builtins.readFile "${fingerprint-derivation}/$(unknown)") keypairs;
 }) config.fudo.secrets.files.host-ssh-keypairs;
@@ -55,13 +56,24 @@ in {
 type = keypair.key-type;
 }) host-keypairs;
 
- programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
- publicKeyFile = keypairs.public-key;
- hostNames = let
- host-cfg = config.fudo.hosts.${hostname};
- domains = [host-cfg.domain] ++ host-cfg.extra-domains;
- in [ hostname ] ++
- (map (domain: "${hostname}.${domain}") domains);
- });
+ programs.ssh.knownHosts = let
+
+ keyed-hosts =
+ filterAttrs (h: o: o.ssh-pubkeys != [])
+ config.fudo.hosts;
+
+ crossProduct = f: list0: list1:
+ concatMap (el0: map (el1: f el0 el1) list1) list0;
+
+ all-hostnames = opts:
+ [ opts.hostname ] ++
+ (crossProduct (host: domain: "${host}.${domain}")
+ ([ opts.hostname ] ++ opts.aliases)
+ ([ opts.domain ] ++ opts.extra-domains));
+
+ in mapAttrs (hostname: hostOpts: {
+ publicKeyFile = builtins.head hostOpts.ssh-pubkeys;
+ hostNames = all-hostnames host-cfg;
+ }) keyed-hosts;
 };
 }
diff --git a/lib/instance.nix b/lib/instance.nix
index 1aa504d..bc56f8b 100644
--- a/lib/instance.nix
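Review bot: `hostNames = all-hostnames host-cfg;` in the third hunk refers to a name that is bound neither by the `mapAttrs` lambda (which binds `hostname` and `hostOpts`) nor by the new `let`, so unless the file's outer `let` (outside the hunk) happens to define `host-cfg`, every host with keys fails to evaluate; it should use `hostOpts`. `all-hostnames` also reads `opts.hostname`, and the implementation this replaces in lib/fudo/hosts.nix had to add that field itself with `{ hostname = hostname; } // opts`, which suggests the host options do not carry it; `hostNames = all-hostnames (hostOpts // { inherit hostname; });` covers both. Only `builtins.head hostOpts.ssh-pubkeys` is pinned, so with several key types per host the client trusts only the first listed key; a short comment stating which key type `host-ssh-keypairs` lists first would document that assumption.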
+++ b/lib/instance.nix
@@ -2,12 +2,15 @@
 with lib;
 
 {
- options.instance = {
+ options.instance = with types; {
 hostname = mkOption {
- type = types.str;
- description = ''
- Hostname of this specific host (without domain).
- '';
+ type = str;
+ description = "Hostname of this specific host (without domain).";
+ };
+
+ build-timestamp = mkOption {
+ type = int;
+ description = "Timestamp associated with the build. Used for e.g. DNS serials.";
 };
 };
 }
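Review bot: `build-timestamp` now feeds the SOA serial in lib/fudo/dns.nix and lib/fudo/local-network.nix, and secondaries only transfer a zone when its serial increases, so the option description should state that contract: `description = "Timestamp of the build; used as the SOA serial of generated DNS zones, so it must be larger on every deploy than on the previous one.";`. Whether the value passed in from initialize.nix is guaranteed to be monotonic, for example across a rollback to an older build, is outside this diff.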