diff --git a/SwarselSystems.org b/SwarselSystems.org
index 562651c..b31437d 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -6271,7 +6271,6 @@ A breakdown of the flags being set:
 additions = final: _: import "${self}/pkgs/config" {
 inherit self config lib;
 pkgs = final;
- nixosConfig = config;
 homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
 };
 in
@@ -9044,6 +9043,11 @@ lspci -k -d 14c3:0616
 "/persist/${hostKeyPathBase}"
 else
 "${hostKeyPathBase}";
+
+ # this key is only used only for ssh to stage 1 in initial provisioning (in nix store)
+ generatedHostKey = pkgs.runCommand "initrd-hostkey" { } ''
+ ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f $out
+ '';
 in
 {
 options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
@@ -9054,15 +9058,15 @@ lspci -k -d 14c3:0616
 config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {
- system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
- deps = [ "ensureInitrdHostkey" ];
- };
- system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) {
+ # as soon as we hit a stable system, we will use a persisted key
+ # @future me: dont mkIf this to minimal, we need to create this as soon as possible
+ system.activationScripts.ensureInitrdHostkey = {
 text = ''
 [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}
 '';
 deps = [
- "etc"
+ "users"
+ "createPersistentStorageDirs"
 ];
 };
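Review bot: `generatedHostKey` produces an unencrypted ed25519 private key as a Nix store output, so it is world-readable on the build host and on any machine or cache the store path is copied to, and because `pkgs.runCommand "initrd-hostkey" { }` has fixed inputs the same output path — and hence the same key — is reused for every host built from this flake until it is garbage-collected. The added comment says it is only for stage-1 SSH during initial provisioning, which is acceptable if nothing ever trusts this key beyond that, but the hunk neither says that the persisted key supersedes it nor prevents the derivation from being served by a substituter. I would extend the comment, e.g. `# NOTE: throwaway key, world-readable in /nix/store and shared by every host built from this flake; never pin it in known_hosts, the persisted key replaces it once the system is stable`, and consider `allowSubstitutes = false;` in the derivation attrs so it is always generated locally rather than fetched from a cache. The same addition appears in the modules/nixos/server/disk-encrypt.nix hunk.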
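Review bot: the activation script runs `ssh-keygen -f ${hostKeyPath}` without making sure the parent directory exists; in the non-`/persist` branch `hostKeyPath` is just `${hostKeyPathBase}`, and nothing in this hunk creates that directory, so on a host where the bootstrap-created directory is absent the first activation fails here instead of producing a key. Making the script self-contained is one line: `[[ -e ${hostKeyPath} ]] || { mkdir -p "$(dirname ${hostKeyPath})"; ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}; }`. Separately, `deps` now names `createPersistentStorageDirs` unconditionally, whereas before this commit that script was only wired up under `isImpermanence`; if it is only defined when the impermanence module is active, confirm activation dependency resolution still succeeds on a non-impermanence host. The same hunk appears in modules/nixos/server/disk-encrypt.nix.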
@@ -9075,7 +9079,7 @@ lspci -k -d 14c3:0616
 "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
 ];
 initrd = {
- secrets."${hostKeyPathBase}" = lib.mkIf (!minimal) hostKeyPathBase;
+ secrets."/tmp${hostKeyPathBase}" = if minimal then (lib.mkForce generatedHostKey) else (lib.mkForce hostKeyPath); # need to mkForce this or it behaves stateful
 availableKernelModules = config.swarselsystems.networkKernelModules;
 network = {
 enable = true;
@@ -9087,11 +9091,8 @@ lspci -k -d 14c3:0616
 ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
 ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
 ];
- hostKeys = [ hostKeyPathBase ];
+ hostKeys = [ "/tmp${hostKeyPathBase}" ]; # use a tmp file otherwise persist mount will be unhappy
 };
- # postCommands = ''
- # echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
- # '';
 };
 systemd = {
 initrdBin = with pkgs; [
@@ -16107,9 +16108,9 @@ It is very convenient to have SSH aliases in place for machines that I use. This
 serverAliveCountMax = 3;
 hashKnownHosts = false;
 userKnownHostsFile = "~/.ssh/known_hosts";
- controlMaster = "auto";
+ controlMaster = "no";
 controlPath = "~/.ssh/master-%r@%n:%p";
- controlPersist = "5m";
+ controlPersist = "no";
 };
 } // confLib.getConfig.repo.secrets.common.ssh.hosts;
 };
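Review bot: the trailing comment `# need to mkForce this or it behaves stateful` on the new `secrets."/tmp${hostKeyPathBase}"` line does not tell a reader what was observed or what the `lib.mkForce` on both branches is defeating — mkForce only changes the outcome if some other module also defines this secret, and nothing here says where that definition would come from. If the problem was a stale definition of the old `secrets."${hostKeyPathBase}"` entry surviving across switches, say that: `# mkForce: make this the only definition of the secret so an older/other definition cannot win and keep a previous key source`. It is also worth stating on this line, since it is where the choice is made, that in the `minimal` branch the secret is copied from a world-readable store path and is therefore not unique to the host. The same hunk appears in modules/nixos/server/disk-encrypt.nix.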
@@ -23575,10 +23576,10 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
 mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix
 # ------------------------
- # green "Generating hostkey for ssh initrd"
- # $ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
- # $ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
- # $ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
+ green "Generating hostkey for ssh initrd"
+ $ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
+ $ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
+ $ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
 # ------------------------
 green "Deploying minimal NixOS installation on $target_destination"
@@ -24733,12 +24734,12 @@ This script allows for quick git replace of a string.
 :END:
 #+begin_src nix-ts :tangle pkgs/config/default.nix
- { self, homeConfig, lib, pkgs, nixosConfig ? null, ... }:
+ { self, homeConfig, lib, pkgs, config, ... }:
 let
 mkPackages = names: pkgs: builtins.listToAttrs (map
 (name: {
 inherit name;
- value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig nixosConfig; };
+ value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig config; };
 }) names);
 packageNames = lib.swarselsystems.readNix "pkgs/config";
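Review bot: the re-enabled `ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key` has no guard for an existing key, so re-running the bootstrap against a partially provisioned target hits ssh-keygen's interactive overwrite prompt under a non-interactive `$ssh_root_cmd` and fails or stalls there. The activation script added elsewhere in this commit already uses an `[[ -e … ]] ||` guard; mirror it here, e.g. `$ssh_root_cmd "[ -e $temp/etc/secrets/initrd/ssh_host_ed25519_key ] || ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"`. Note also that `$temp` sits inside double quotes and is therefore expanded on the local side before the command is sent, and that the final `cp` lands the key in `/etc/secrets/initrd` of the running installer rather than under `/mnt`; if the installed system is expected to find the key there, confirm a later step (outside this hunk) carries it over, and say so in a comment. The same hunk appears in files/scripts/swarsel-bootstrap.sh.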
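Review bot: renaming the argument from `nixosConfig` to `config` makes it eligible for `pkgs.callPackage`'s automatic argument lookup, and nixpkgs does expose `pkgs.config` (the nixpkgs configuration attrset): if any caller of `mkPackages`, or of an individual package, stops passing `config` explicitly, callPackage will silently inject `pkgs.config` instead of failing, and `config.nix.package` in swarsel-gens/swarsel-switch then dies with a missing-attribute error far from the cause. `nixosConfig` could not be mis-resolved that way; if the rename stays, a comment on the argument list, `# config: the NixOS module config, must be passed explicitly — not pkgs.config`, protects the next reader. The change also drops the `? null` default, so any other caller of pkgs/config/default.nix that did not provide the argument now fails at evaluation — the modules/nixos/common/settings.nix caller in this commit does pass it via `inherit self config lib`. The same rename is in the swarsel-gens and swarsel-switch hunks and in the tangled pkgs/config files.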
@@ -24775,11 +24776,11 @@ This script allows for quick git replace of a string.
 This script quickly lists all nix generatinos on the system
 #+begin_src nix-ts :tangle pkgs/config/swarsel-gens/default.nix
- { name, writeShellApplication, nixosConfig, ... }:
+ { name, writeShellApplication, config, ... }:
 writeShellApplication {
 inherit name;
- runtimeInputs = [ nixosConfig.nix.package ];
+ runtimeInputs = [ config.nix.package ];
 text = ''
 sudo nix-env --list-generations --profile /nix/var/nix/profiles/system
 '';
@@ -24793,11 +24794,11 @@ This script allows for quick git replace of a string.
 This script quickly switches to another nix generation.
 #+begin_src nix-ts :tangle pkgs/config/swarsel-switch/default.nix
- { name, writeShellApplication, nixosConfig, ... }:
+ { name, writeShellApplication, config, ... }:
 writeShellApplication {
 inherit name;
- runtimeInputs = [ nixosConfig.nix.package ];
+ runtimeInputs = [ config.nix.package ];
 text = ''
 sudo nix-env --switch-generation "$1" -p /nix/var/nix/profiles/system && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch
 '';
diff --git a/files/scripts/swarsel-bootstrap.sh b/files/scripts/swarsel-bootstrap.sh
index 8b87e98..4030312 100644
--- a/files/scripts/swarsel-bootstrap.sh
+++ b/files/scripts/swarsel-bootstrap.sh
@@ -245,10 +245,10 @@ $ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
 mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname"
 $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix
 # ------------------------
-# green "Generating hostkey for ssh initrd"
-# $ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
-# $ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
-# $ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
+green "Generating hostkey for ssh initrd"
+$ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
+$ssh_root_cmd "ssh-keygen -t ed25519 -N '' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
+$ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
 # ------------------------
 green "Deploying minimal NixOS installation on $target_destination"
diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix
index ef38ab1..c4fc482 100644
--- a/modules/home/common/ssh.nix
+++ b/modules/home/common/ssh.nix
@@ -18,9 +18,9 @@
 serverAliveCountMax = 3;
 hashKnownHosts = false;
 userKnownHostsFile = "~/.ssh/known_hosts";
- controlMaster = "auto";
+ controlMaster = "no";
 controlPath = "~/.ssh/master-%r@%n:%p";
- controlPersist = "5m";
+ controlPersist = "no";
 };
 } // confLib.getConfig.repo.secrets.common.ssh.hosts;
 };
diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix
index 989aa2a..2ab4bbe 100644
--- a/modules/nixos/common/settings.nix
+++ b/modules/nixos/common/settings.nix
@@ -127,7 +127,6 @@ in
 additions = final: _: import "${self}/pkgs/config" {
 inherit self config lib;
 pkgs = final;
- nixosConfig = config;
 homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
 };
 in
diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix
index 26a4a57..ad3557d 100644
--- a/modules/nixos/server/disk-encrypt.nix
+++ b/modules/nixos/server/disk-encrypt.nix
@@ -10,6 +10,11 @@ let
 "/persist/${hostKeyPathBase}"
 else
 "${hostKeyPathBase}";
+
+ # this key is only used only for ssh to stage 1 in initial provisioning (in nix store)
+ generatedHostKey = pkgs.runCommand "initrd-hostkey" { } ''
+ ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f $out
+ '';
 in
 {
 options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
@@ -20,15 +25,15 @@ in
 config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {
- system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
- deps = [ "ensureInitrdHostkey" ];
- };
- system.activationScripts.ensureInitrdHostkey = lib.mkIf (config.swarselprofiles.server || minimal) {
+ # as soon as we hit a stable system, we will use a persisted key
+ # @future me: dont mkIf this to minimal, we need to create this as soon as possible
+ system.activationScripts.ensureInitrdHostkey = {
 text = ''
 [[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}
 '';
 deps = [
- "etc"
+ "users"
+ "createPersistentStorageDirs"
 ];
 };
@@ -41,7 +46,7 @@ in
 "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
 ];
 initrd = {
- secrets."${hostKeyPathBase}" = lib.mkIf (!minimal) hostKeyPathBase;
+ secrets."/tmp${hostKeyPathBase}" = if minimal then (lib.mkForce generatedHostKey) else (lib.mkForce hostKeyPath); # need to mkForce this or it behaves stateful
 availableKernelModules = config.swarselsystems.networkKernelModules;
 network = {
 enable = true;
@@ -53,11 +58,8 @@ in
 ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
 ''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
 ];
- hostKeys = [ hostKeyPathBase ];
+ hostKeys = [ "/tmp${hostKeyPathBase}" ]; # use a tmp file otherwise persist mount will be unhappy
 };
- # postCommands = ''
- # echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
- # '';
 };
 systemd = {
 initrdBin = with pkgs; [
diff --git a/pkgs/config/default.nix b/pkgs/config/default.nix
index 62a9be1..09de7fb 100644
--- a/pkgs/config/default.nix
+++ b/pkgs/config/default.nix
@@ -1,9 +1,9 @@
-{ self, homeConfig, lib, pkgs, nixosConfig ? null, ... }:
+{ self, homeConfig, lib, pkgs, config, ... }:
 let
 mkPackages = names: pkgs: builtins.listToAttrs (map
 (name: {
 inherit name;
- value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig nixosConfig; };
+ value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig config; };
 }) names);
 packageNames = lib.swarselsystems.readNix "pkgs/config";
diff --git a/pkgs/config/swarsel-gens/default.nix b/pkgs/config/swarsel-gens/default.nix
index 54cded1..ca8e33b 100644
--- a/pkgs/config/swarsel-gens/default.nix
+++ b/pkgs/config/swarsel-gens/default.nix
@@ -1,8 +1,8 @@
-{ name, writeShellApplication, nixosConfig, ... }:
+{ name, writeShellApplication, config, ... }:
 writeShellApplication {
 inherit name;
- runtimeInputs = [ nixosConfig.nix.package ];
+ runtimeInputs = [ config.nix.package ];
 text = ''
 sudo nix-env --list-generations --profile /nix/var/nix/profiles/system
 '';
diff --git a/pkgs/config/swarsel-switch/default.nix b/pkgs/config/swarsel-switch/default.nix
index 6e19f54..bf2939b 100644
--- a/pkgs/config/swarsel-switch/default.nix
+++ b/pkgs/config/swarsel-switch/default.nix
@@ -1,8 +1,8 @@
-{ name, writeShellApplication, nixosConfig, ... }:
+{ name, writeShellApplication, config, ... }:
 writeShellApplication {
 inherit name;
- runtimeInputs = [ nixosConfig.nix.package ];
+ runtimeInputs = [ config.nix.package ];
 text = ''
 sudo nix-env --switch-generation "$1" -p /nix/var/nix/profiles/system && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch
 '';