impermanence: simplify /etc/ssh/host_keys setup

2022-12-30 03:34:59 +00:00 · 2022-12-30 03:34:59 +00:00 · 0a6d88dfc1
parent 50dfd482cf
commit 0a6d88dfc1
3 changed files with 22 additions and 25 deletions
--- a/hosts/common/machine-id.nix
+++ b/hosts/common/machine-id.nix
@ -10,7 +10,7 @@
  # so for now, generate something unique from the host ssh key.
  # TODO: move this into modules?
  system.activationScripts.machine-id = {
-    deps = [ "persist-ssh-host-keys" ];
+    deps = [ "etc" ];
    text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
  };
 }
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@ -1,25 +1,10 @@
-{ ... }:
+{ config, lib, ... }:
 {
-  # we can't naively `mount /etc/ssh/host_keys` directly, as all of the `etc` activationScript
-  #   (which includes /etc/fstab, and wherein we'd normally insert a nix-store symlink) depends on activationScripts.users.
-  # activationScripts.etc depends on users apparently only because it converts names to uids when mapping file permissions.
-  # in fact, most everything in /etc/ssh seems to use integer uids -- so we *might* be able to just remove the requirement
-  # of etc on users (or duplicate the activation script and run it once before sops).
-  #
-  # finally (possible best):
-  # - TODO: remove the "users" dep on activationScripts.etc, but add a static assertion that all uids/gids are hardcoded (like we do with user gids).
-  #
-  # alternatively
-  # - just tell sops to use the /persist key path (always), and be done with this?
-  # - stash symlinks to /nix/persist inside `environment.etc....`, tell sops to use /etc/static/ssh, and add an activationScript that makes `/etc/static` available early?
-  # - hack the sops manifest file using during setupSecretsForUsers to use a fully-qualified ssh key pat
-  system.activationScripts.persist-ssh-host-keys.text = ''
-    mkdir -p /etc/ssh
-    ln -sf /nix/persist/etc/ssh/host_keys /etc/ssh/
-  '';
+  environment.etc."ssh/host_keys".source = "/nix/persist/etc/ssh/host_keys";

  services.openssh.hostKeys = [
    { type = "rsa"; bits = 4096; path = "/etc/ssh/host_keys/ssh_host_rsa_key"; }
    { type = "ed25519"; path = "/etc/ssh/host_keys/ssh_host_ed25519_key"; }
  ];
+
 }
--- a/modules/impermanence/default.nix
+++ b/modules/impermanence/default.nix
@ -300,14 +300,26 @@ in
      }
    )

-    ({
-      # secret decoding depends on /etc/ssh keys, which may be persisted
-      system.activationScripts.setupSecrets.deps = [ "persist-ssh-host-keys" ];
+    (lib.mkIf secrets-for-users {
+      # secret decoding depends on /etc/ssh keys, so make sure those are present.
      system.activationScripts.setupSecretsForUsers = lib.mkIf secrets-for-users {
-        deps = [ "persist-ssh-host-keys" ];
+        deps = [ "etc" ];
      };
-      # populated by ssh.nix, which persists /etc/ssh/host_keys
-      system.activationScripts.persist-ssh-host-keys.text = lib.mkDefault "";
+      system.activationScripts.etc.deps = lib.mkForce [];
+      assertions = builtins.concatLists (builtins.attrValues (
+        builtins.mapAttrs
+          (path: value: [
+            {
+              assertion = (builtins.substring 0 1 value.user) == "+";
+              message = "non-numeric user for /etc/${path}: ${value.user} prevents early /etc linking";
+            }
+            {
+              assertion = (builtins.substring 0 1 value.group) == "+";
+              message = "non-numeric group for /etc/${path}: ${value.group} prevents early /etc linking";
+            }
+          ])
+          config.environment.etc
+      ));
    })
  ]);
 }