de-persist /etc/machine-id, and generate it from the ssh key instead
note that /etc/machine-id now contains a different value than before, meaning `journalctl` will not show logs from before the time of this change.
parent
b3b45ec0f2
commit
7c38c1dbe9
@ -41,7 +41,7 @@ in
sane.image.extraDirectories = [ "/nix/persist/var/log" ];
environment.persistence."/nix/persist" = {
directories = (map-home-dirs cfg.home-dirs) ++ (map-sys-dirs [
# TODO: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
# NB: this `0700` here clobbers the perms for /persist/etc, breaking boot on freshly-deployed devices
# { mode = "0700"; directory = "/etc/NetworkManager/system-connections"; }
# "/etc/nixos"
# "/etc/ssh" # persist only the specific files we want, instead
@ -71,7 +71,15 @@ in
#
# servo additions:
] ++ cfg.service-dirs);
files = [ "/etc/machine-id" ];
# /etc/machine-id is a globally unique identifier used for:
# - systemd-networkd: DHCP lease renewal (instead of keying by the MAC address)
# - systemd-journald: to filter logs by host
# - chromium (potentially to track re-installations)
# - gdbus; system services that might upgrade to AF_LOCAL if both services can confirm they're on the same machine
# of these, systemd-networkd is the only legitimate case to persist the machine-id.
# depersisting it should be "safe"; edge-cases like systemd-networkd can be directed to use some other ID if necessary.
# nixos-impermanence shows binding the host ssh priv key to this; i could probably hash the host key into /etc/machine-id if necessary.
# files = [ "/etc/machine-id" ];
};
# secret decoding depends on /etc/ssh keys, which may be persisted
@ -7,6 +7,7 @@
./home-manager
./home-packages.nix
./net.nix
./machine-id.nix
./secrets.nix
./ssh.nix
./system-packages.nix
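--- /dev/null
+++ b/modules/universal/machine-id.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+# we wan't an /etc/machine-id which is consistent across boot so that `journalctl` will actually show us
+# logs from previous boots.
+# maybe there's a config option for this (since persistent machine-id is bad for reasons listed in impermanence.nix),
+# but for now generate it from ssh keys.
+system.activationScripts.machine-id = {
+deps = [ "persist-ssh-host-keys" ];
+text = "sha256sum /etc/ssh/host_keys/ssh_host_ed25519_key | cut -c 1-32 > /etc/machine-id";
+};
+}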
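Review bot: The `text` line writes `/etc/machine-id` through a bare redirect, so if the key file is missing or unreadable the pipeline still runs and truncates the file to an empty value, and any reader racing the write sees a partially written file. Because `/etc/machine-id` is readable by every local process and, as the commit's own comment in impermanence.nix notes for systemd-networkd DHCP, reaches the network, the published value should not be a raw unkeyed prefix of the private key file's SHA-256; folding a fixed label into the hash keeps a stable per-host identifier while domain-separating it from any other digest of that key. The rewritten `text` below guards on the key's presence, derives the id with a label (the label string is illustrative), and renames a temp file into place; note it changes the id once more relative to this commit. Also, `wan't` in the comment on the file's third line should read `want`.
```nix
system.activationScripts.machine-id = {
  deps = [ "persist-ssh-host-keys" ];
  text = ''
    key=/etc/ssh/host_keys/ssh_host_ed25519_key
    if [ -r "$key" ]; then
      id="$( { printf 'nixos-machine-id\n'; cat "$key"; } | sha256sum | cut -c 1-32)"
      printf '%s\n' "$id" > /etc/machine-id.tmp && mv /etc/machine-id.tmp /etc/machine-id
    fi
  '';
};
```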