diff --git a/TODO.md b/TODO.md
index f2cfdfb5..f4b08123 100644
--- a/TODO.md
+++ b/TODO.md
@@ -7,6 +7,9 @@ ## REFACTORING: +- remove modules/data/keys +- simplify ssh keys (hosts/common/ssh.nix ; modules/ssh.nix) + ### sops/secrets - attach secrets to the thing they're used by (sane.programs) - rework secrets to leverage `sane.fs`
diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
index e20da3c4..ab7cde4b 100644
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -63,6 +63,8 @@
 sane.ids.systemd-oom.uid = 2005;
 sane.ids.systemd-oom.gid = 2005;
 sane.ids.wireshark.gid = 2006;
+ sane.ids.nixremote.uid = 2007;
+ sane.ids.nixremote.gid = 2007;
 # found on graphical hosts
 sane.ids.nm-iodine.uid = 2101; # desko/moby/lappy
diff --git a/hosts/common/users/colin.nix b/hosts/common/users/colin.nix
index a5b7b686..be3ac834 100644
--- a/hosts/common/users/colin.nix
+++ b/hosts/common/users/colin.nix
@@ -6,8 +6,6 @@
 # sets group to "users" (?)
 isNormalUser = true;
 home = "/home/colin";
- createHome = true;
- homeMode = "0700";
 # i don't get exactly what this is, but nixos defaults to this non-deterministically
 # in /var/lib/nixos/auto-subuid-map and i don't want that.
 subUidRanges = [
diff --git a/hosts/common/users/default.nix b/hosts/common/users/default.nix
index d254e66b..5e2dc7e7 100644
--- a/hosts/common/users/default.nix
+++ b/hosts/common/users/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./colin.nix
 ./guest.nix
+ ./nixremote.nix
 ./root.nix
 ];
diff --git a/hosts/common/users/nixremote.nix b/hosts/common/users/nixremote.nix
new file mode 100644
index 00000000..7ad815ae
--- /dev/null
+++ b/hosts/common/users/nixremote.nix
@@ -0,0 +1,30 @@
+# docs:
+#
+# this user exists for any machine on my network to receive build requests from some other machine.
+# the build request happens from the origin computer's `root` user, so none of this is protected behind a login password.
+# hence, the `nixremote` user's privileges should be as limited as possible.
+{ config, ... }:
+{
+ users.users.nixremote = {
+ isNormalUser = true;
+ home = "/home/nixremote";
+ group = "nixremote";
+ subUidRanges = [
+ { startUid=300000; count=1; }
+ ];
+ initialPassword = "";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+ ];
+ };
+
+ users.groups.nixremote = {};
+
+ sane.users.nixremote = {
+ fs."/".dir.acl = {
+ # don't allow the user to write anywhere
+ user = "root";
+ group = "root";
+ };
+ };
+}
diff --git a/hosts/common/users/root.nix b/hosts/common/users/root.nix
index 8864b813..fcc1463a 100644
--- a/hosts/common/users/root.nix
+++ b/hosts/common/users/root.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
 sane.persist.sys.byStore.cryptClearOnBoot = [
 # when running commands as root, some things may create ~/.cache entries.
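Review bot: `initialPassword = "";` in the `users.users.nixremote` block gives an SSH-reachable account an empty password, which contradicts the header comment that this user's privileges should be as limited as possible; an empty password is usable wherever empty passwords are accepted (console login, or sshd if password authentication were ever turned on), while the intended key-only access needs no password at all. Dropping that line leaves the account without a usable password (password login stays disabled) and `openssh.authorizedKeys.keys` keeps working. The same key is what `root.nix` installs as `/root/.ssh/nixremote`, and judging by the eight `age` recipients on `secrets/common/nixremote_ssh_key.bin` presumably every host can decrypt the private half, so a compromise of any one host yields a `nixremote` login on all of them; a comment above the key recording that trade-off, or a per-origin key, would make the trust boundary explicit.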
@@ -7,4 +7,24 @@
 # - `/root/.cache/mesa_shader_cache` takes up 1-2 MB on moby
 { path = "/root"; user = "root"; group = "root"; mode = "0700"; }
 ];
+
+ sane.users.root = {
+ home = "/root";
+ fs.".ssh/nixremote".symlink.target = config.sops.secrets."nixremote_ssh_key".path;
+ fs.".ssh/nixremote.pub".symlink.text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf";
+ fs.".ssh/config".symlink.text = ''
+ # root -> happens for remote builds
+ # provide the auth, and instruct which remote user to login as:
+ Host desko
+ # Prevent using ssh-agent or another keyfile
+ IdentitiesOnly yes
+ IdentityFile /root/.ssh/nixremote
+ User nixremote
+ Host servo
+ # Prevent using ssh-agent or another keyfile
+ IdentitiesOnly yes
+ IdentityFile /root/.ssh/nixremote
+ User nixremote
+ '';
+ };
 }
diff --git a/modules/users.nix b/modules/users.nix
index 2f5cb5fa..23a61cd8 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -95,9 +95,10 @@ let
 }) {
 fs."/".dir.acl = {
- user = name;
- group = nixConfig.users.users."${name}".group;
- mode = nixConfig.users.users."${name}".homeMode;
+ user = lib.mkDefault name;
+ group = lib.mkDefault nixConfig.users.users."${name}".group;
+ # homeMode defaults to 700; notice: no leading 0
+ mode = "0" + nixConfig.users.users."${name}".homeMode;
 };
 fs.".profile".symlink.text = let
diff --git a/secrets/common/nixremote_ssh_key.bin b/secrets/common/nixremote_ssh_key.bin
new file mode 100644
index 00000000..db33fe19
--- /dev/null
+++ b/secrets/common/nixremote_ssh_key.bin
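Review bot: The `Host desko` and `Host servo` stanzas in `fs.".ssh/config".symlink.text` are identical copies; ssh accepts several patterns on one `Host` line, so `Host desko servo` followed by a single `IdentitiesOnly yes` / `IdentityFile /root/.ssh/nixremote` / `User nixremote` body states the rule once and cannot drift when a third builder is added. The public key literal in `fs.".ssh/nixremote.pub".symlink.text` is also pasted verbatim into `hosts/common/users/nixremote.nix`; binding both to one definition would keep them in sync. Nothing in this stanza pins the builders' host keys (`StrictHostKeyChecking`, `UserKnownHostsFile`); if that is covered by the ssh module named in the TODO entry this is fine, otherwise a comment saying where root's known_hosts for `desko`/`servo` comes from would help, since these connections are made unattended as root. The enclosing top-level attribute set opens in the earlier hunk of this file.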
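Review bot: `mode = "0" + nixConfig.users.users."${name}".homeMode;` is the only one of the three `fs."/".dir.acl` fields left without `lib.mkDefault`, so a per-user override of `mode` now needs `mkForce` while `user` and `group` can be overridden plainly (as `nixremote.nix` does); if that asymmetry is intended a comment should say so, otherwise `mode = lib.mkDefault ("0" + nixConfig.users.users."${name}".homeMode);` matches the other two. The string prefix also assumes `homeMode` never already carries a leading zero — presumably why `homeMode = "0700"` is removed from `colin.nix` in this same commit — and a value set that way elsewhere would silently become `"00700"`; extending the comment to `# homeMode defaults to 700 (no leading 0); never set it with a leading 0 or this becomes 00700` records the constraint at the point it matters. The enclosing `let` expression starts outside the hunk.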
@@ -0,0 +1,48 @@ +{ + "data": "ENC[AES256_GCM,data:Z3gAd4fuRSYbj/VqItcrFvQZnmaIfrVKbgbN+c9dlT4T7M7uXOe3HwuVgWL+87kpJ7iox2Y7IV5S3l/PrAtucpLAJsKdB6Kdk+kUhDJS80GG7tWDJUsrGPI37qIlcW0ygFjnVSSU1lXknX+MgrJQAqa1TQOGh/EoonEP+h+h3sd4r033uLkot7q5ytF2dFKytRepuBAs8aaruyES/eBfJigtZ8LSbz6Md/vmPt+TE2m6WzBB+hoQ/y0j0zxmVTGIVdWQa2G9q5q4+mEYEInY8KYl3Vk3PqfDyKeVQkLdFvp2Y30zSrmgzljZ4Cv2of2R8Cf4EPZg02PpRXO+G3PNCFzkyJV9UuBkw25cj/2ptLG/2iT0FQzaHlqAbriR9rnE/f22H/gDM67Rmhk0U7Fx2MOpRk6NUBZJL+qSAoRRi3E8r1PGhWA0Vy3q4K+iPHpA9WSnWhpF0APnVhVasyP7WyxM78ojw89aV60o2pZiQnYAukKS4rrGVAY6VQCIMquB9fkIFEvEaGALTVN8D9Lu,iv:15QuTzvB8/MLOwQ1+pa+BHh2UAMngQStn9AOKvRuOLc=,tag:UqOfydAIirQnGXCJx0EH2w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QnFzT1FabkJvWVJtbWdH\nWU9nQmp2cUlMNTRWM09HNGtibmNhNTRhT0JNCjNMdm5ScHhlWUN4d0R4cjRNVStz\nd0NLbkJpUHJtY1hYYWdmNjdTcWEwZk0KLS0tIDFmejRkQ2kzbGczc215QTluS1kv\ncHJtTHZZTmFIaDUvZHQ0UkVmNUlmVVkKoDh96fosdZ0W3FmnTkubzn648sSE0bPl\n+6V7njBcitIulPtv7vJS+RRe6CTI0hCATLw4wK08wj6y/QXUbeoI9Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeEV4SEhsd2ZTUUtpMDVR\nNXVJYjBIYXlZNFJId3Q5aitmRk5jRExsMkVzCnRoMkQ0VUQ0RmEwWnpSSWd5cUdQ\nZ1dQS1BNM1Z5SW5MS3hvcVcweEdjZ0UKLS0tIElORFRxMWdKZUo3SzhxcHZFdW5D\nemxrYUxUUTQwRkJCSzZuSjd3SVgweHMKNyPLaqWCs6z5CkKin+pOezTQNuoiIqvx\nW5YyrphVL7q08LQLdATSRNRcaImxP0P0N8fhSVw2rvklYKRzTJOa4A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT0lQTFVoV3FWenZhbkJ0\nNTlqUS9yV3JpU3VvbVNlSmF5RklFMTQzeHlFClM3K1duVXlkbHkrREQzQmYwYkNj\nU0ZvZEc2YlJxa3hSSFdwM3l3L3EzcnMKLS0tIGdub3d6NjVtaFV1OFhldDRqNnYx\nQ1NsOWxDZEFzZmswTVNmMkU4Qjl5cjAKIzP/HPFcomIOnkRSv6EQOmk2c8onhcxi\nLaG6xIjydye6W8sGRJxatthmRaxA0SsQKROwHj27EiW6GRZodSjKMw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNVR1aWg1N3lnbHNoUlhK\nTjk0QkQ5aFFZMVhXeEtpa2ZQbkU0RkFxTVNjCjJEcjBHVXVLZWRMYVpwTFpMUnNN\naythd3BOdmgvekp0MUZCZmpmblV3UkkKLS0tIFRpZHFRLzhSdjBCN09rSUY5VUNT\nam1vQ3R2VnhUMThCN0dPU0ZlLy80Q28KehP5t4kIwUs9eu+8KWn5SCpvEKVnSHlJ\njR8RhRX7+f6hRP/OvryFxzGFmey3YApdHC3sDhvYjU8qDzs4xj7zAQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVXFRRXNuTVJaUWRyRDIr\nV1FMcWlCUVluNWZZNUJxbU5UNzNsbHRLd1ZVCnlsUEYrWGtWem5DRElGaWxEN3d1\nWVNpT3d6d253RnhDamQ5Mkg0bDBQaWcKLS0tIHBiTDlMQmF4RVhqc2N1bDF5c0p1\nd3FiQjB6ckhJd3pSYVZHNjdhaEZEWnMKWdweoLlZg2CoB3VCjCo2J+injACNNXFp\nMjvWqzfibFetLNtxBpfCZY+7rhDDlT1njUBw1q1Dy1ZaIWOuJPYOwQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVVRFWnVBNVp3Qndyb3p0\naDFnRHUrWlB3akg0WnRuNHNNQWpySFVWUEUwCjRYOWJxRkVEYmpoV2ZSR2RmcGdr\nTk9rN2FJOGIyRWpaMUpFUXJ6YTZmYkkKLS0tIE96djFyeitLM2Z0MjdaUExQS0Fu\nNlRhT21mWHZ4WXBJSDY5MDlKZnhQNTgKzjHbxqT2oiGl5jR1F52CWf4MSICdAJng\ndZwTQbtwUNfwhzxCdQ8a8qWR+mOGsd0WtBlrT3c6Yy83HV+PAePFcQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dTNwNVVmMUpCN1I2M25K\nR2VsY0c0Y0htbE15MktUZEt4bFlHU1BUaVcwCm9BK2EycTZFOEJBZ1VUZVdFZWhl\nY1dORGpXVzZwYml5c0tOUWZDVnEyWkkKLS0tIFdwNFFlVmhtVVZGRytDUWExU3BY\nWXgwbldKREdQUUVWSTRoR1AyNDc2VUEKy+b5IaoHLOha+kgVXlyOf2RuoXGvrMGJ\n1mYms2SLs+3/aUtz+nxGKm5H9aBSIf7wzjam6w9ASFIlQqd2Orpc9A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeU5Bdjl6dDFhMXRuL3N1\nMVJ4V0VuQi91ZVZWTW9GbzVJR0FxejMrUEZvCkxxdjFzM3p6cjh1N0NFS3c3NWI3\nOHR0dWpUQ2Q1MzFyU2V6NlN5ajZqc1kKLS0tIGY0bG5BRG9zaVpqdWJZL0FhWS9o\nWi9Tend4c1RUK2QzVCtHalJBQ3l2THcKqUHi7CoHeUqRP/Dr/ZvLT2NgJJV3xC1D\nidZZgCRlrDnbcWnnx16tKyPNk/8pNGdnXbQrlgMMazkZEFqmznRZOg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-11-23T00:57:17Z", + "mac": "ENC[AES256_GCM,data:IFNjLWSXH8H/zD1wBQQucLNdibx2ILurIZKThA+1W2Iv4uTkSem/QDGUInsjckZPec9HQiRwO3VtZhyRZ6W5c9+SZuQvzdx2CIv+lm/Qz6jaEBVxLerkZi4RRhg4Uf2QsIVMTVT77fh82WUNiGcMtawso991vG+3PfnlJh4YSz0=,iv:9v0uB5KpN0QoqEGtGAjjCgAMPjAaM5BiiulxfW7GC9k=,tag:quF2SwyFLpocOyIMN5lmzQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file