impermanence: simplify /etc/ssh/host_keys setup
This commit is contained in:
parent
50dfd482cf
commit
0a6d88dfc1
|
@ -10,7 +10,7 @@
|
|||
# so for now, generate something unique from the host ssh key.
|
||||
# TODO: move this into modules?
|
||||
system.activationScripts.machine-id = {
|
||||
deps = [ "persist-ssh-host-keys" ];
|
||||
deps = [ "etc" ];
|
||||
text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
|
||||
};
|
||||
}
|
||||
|
|
|
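Review bot: `deps = [ "etc" ]` only guarantees that the /etc/ssh/host_keys symlink has been linked, not that the persisted directory behind it already holds ssh_host_ed25519_key; on a first boot before the key exists, sha256sum fails but the redirect still truncates /etc/machine-id to an empty file, since the pipeline's exit status is never checked. Guarding the write would avoid publishing a blank id: `key=/etc/ssh/host_keys/ssh_host_ed25519_key` followed by `[ -r "$key" ] && sha256sum "$key" | cut -c 1-32 > /etc/machine-id`. Separately, and pre-existing rather than introduced here, /etc/machine-id is world-readable, so it ends up carrying a truncated hash of the private host key; hashing the corresponding `.pub` file would give the same per-host uniqueness without deriving a public value from secret material. The enclosing `system.activationScripts.machine-id` attrset begins before this hunk, and how the activation runner treats a non-zero exit of this snippet is not visible here.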
@ -1,25 +1,10 @@
|
|||
{ ... }:
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
# we can't naively `mount /etc/ssh/host_keys` directly, as all of the `etc` activationScript
|
||||
# (which includes /etc/fstab, and wherein we'd normally insert a nix-store symlink) depends on activationScripts.users.
|
||||
# activationScripts.etc depends on users apparently only because it converts names to uids when mapping file permissions.
|
||||
# in fact, most everything in /etc/ssh seems to use integer uids -- so we *might* be able to just remove the requirement
|
||||
# of etc on users (or duplicate the activation script and run it once before sops).
|
||||
#
|
||||
# finally (possible best):
|
||||
# - TODO: remove the "users" dep on activationScripts.etc, but add a static assertion that all uids/gids are hardcoded (like we do with user gids).
|
||||
#
|
||||
# alternatively
|
||||
# - just tell sops to use the /persist key path (always), and be done with this?
|
||||
# - stash symlinks to /nix/persist inside `environment.etc....`, tell sops to use /etc/static/ssh, and add an activationScript that makes `/etc/static` available early?
|
||||
# - hack the sops manifest file using during setupSecretsForUsers to use a fully-qualified ssh key pat
|
||||
system.activationScripts.persist-ssh-host-keys.text = ''
|
||||
mkdir -p /etc/ssh
|
||||
ln -sf /nix/persist/etc/ssh/host_keys /etc/ssh/
|
||||
'';
|
||||
environment.etc."ssh/host_keys".source = "/nix/persist/etc/ssh/host_keys";
|
||||
|
||||
services.openssh.hostKeys = [
|
||||
{ type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
|
||||
{ type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
|
||||
];
|
||||
|
||||
}
|
||||
|
|
|
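Review bot: The new `environment.etc."ssh/host_keys".source = "/nix/persist/etc/ssh/host_keys";` line assumes the persisted directory exists at activation time; if it is absent on a fresh install, /etc/ssh/host_keys becomes a dangling symlink and it is unclear from this hunk whether the `services.openssh.hostKeys` generation step can create the key files through it — worth confirming on a first boot. The commit also drops the multi-line rationale for why the host keys cannot simply be mounted or linked from an activation script, so a reader now sees only the bare `source` assignment; a one-line comment such as `# host keys live in /nix/persist; linking them via environment.etc makes them available as soon as the "etc" activation step runs, which sops' setupSecretsForUsers depends on` would preserve that context. Whether `{ ... }:` or `{ config, lib, ... }:` is the surviving module header cannot be told from the rendering, but if `config`/`lib` remain in the arguments they are unused in the visible body.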
@ -300,14 +300,26 @@ in
|
|||
}
|
||||
)
|
||||
|
||||
({
|
||||
# secret decoding depends on /etc/ssh keys, which may be persisted
|
||||
system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
|
||||
(lib.mkIf secrets-for-users {
|
||||
# secret decoding depends on /etc/ssh keys, so make sure those are present.
|
||||
system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
|
||||
deps = [ "persist-ssh-host-keys" ];
|
||||
deps = [ "etc" ];
|
||||
};
|
||||
# populated by ssh.nix, which persists /etc/ssh/host_keys
|
||||
system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
|
||||
system.activationScripts.etc.deps = lib.mkForce [];
|
||||
assertions = builtins.concatLists (builtins.attrValues (
|
||||
builtins.mapAttrs
|
||||
(path: value: [
|
||||
{
|
||||
assertion = (builtins.substring 0 1 value.user) == "+";
|
||||
message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
|
||||
}
|
||||
{
|
||||
assertion = (builtins.substring 0 1 value.group) == "+";
|
||||
message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
|
||||
}
|
||||
])
|
||||
config.environment.etc
|
||||
));
|
||||
})
|
||||
]);
|
||||
}
|
||||
|
|
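Review bot: The old side ordered both `setupSecrets` and `setupSecretsForUsers` after `persist-ssh-host-keys`, while the new side only pins `setupSecretsForUsers` after `etc`; nothing in the hunk orders the system-level `setupSecrets` script after `etc`, so unless sops' own default deps already cover it (not visible here) system secrets could be decoded before /etc/ssh/host_keys is linked, and a matching `system.activationScripts.setupSecrets.deps = [ "etc" ];` inside the same `mkIf` would close that gap. `system.activationScripts.etc.deps = lib.mkForce [];` also discards every dependency NixOS or another module attaches to the etc step, not just `users`, and a dependency added by a future release would be dropped silently; the assertions only cover the user/group name lookup, so a comment naming what is intentionally removed would help, e.g. `# drop etc's "users"/"groups" deps so /etc is linked before secrets are set up; the assertions below guarantee no name->uid lookup is needed`. The assertions check only that `user`/`group` begin with `+`, which admits a non-numeric remainder such as "+root"; if that matters, also testing that the remainder parses as an integer would make the guarantee exact. The enclosing module list begins and ends outside this hunk.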