de-persist /etc/machine-id, and generate it from the ssh key instead

note that /etc/machine-id now contains a different value than before, meaning `journalctl` will not show logs from before the time of this change.
2022-10-30 21:02:41 -07:00 · 2022-10-30 21:02:41 -07:00 · 7c38c1dbe9
commit 7c38c1dbe9
parent b3b45ec0f2
3 changed files with 22 additions and 2 deletions
--- a/modules/impermanence.nix
+++ b/modules/impermanence.nix
@ -41,7 +41,7 @@ in
    sane.image.extraDirectories = [ "/nix/persist/var/log" ];
    environment.persistence."/nix/persist" = {
      directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
-        # TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
+        # NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
        # { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
        # "/etc/nixos"
        # "/etc/ssh"  # persist only the specific files we want, instead
@ -71,7 +71,15 @@ in
        #
        # servo additions:
      ] ++ cfg.service-dirs);
-      files = [ "/etc/machine-id" ];
+      # /etc/machine-id is a globally unique identifier used for:
+      # - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
+      # - systemd-journald: to filter logs by host
+      # - chromium (potentially to track re-installations)
+      # - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
+      # of these, systemd-networkd is the only legitimate case to persist the machine-id.
+      # depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
+      # nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
+      # files = [ "/etc/machine-id" ];
    };

    # secret decoding depends on /etc/ssh keys, which may be persisted
--- a/modules/universal/default.nix
+++ b/modules/universal/default.nix
@ -7,6 +7,7 @@
    ./home-manager
    ./home-packages.nix
    ./net.nix
+    ./machine-id.nix
    ./secrets.nix
    ./ssh.nix
    ./system-packages.nix
--- a/modules/universal/machine-id.nix
+++ b/modules/universal/machine-id.nix
@ -0,0 +1,11 @@
+{ ... }:
+{
+  # we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+  # logs from previous boots.
+  # maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+  # but for now generate it from ssh keys.
+  system.activationScripts.machine-id = {
+    deps = [ "persist-ssh-host-keys" ];
+    text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+  };
+}