From cd1d0c7e74ce11eccd995e6b2d2dfe535ff0037e Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Wed, 7 Aug 2024 15:51:41 +0200
Subject: [PATCH] wip ssh component refactoring
---
components/nixos/boot/default.nix | 15 ++++++
components/nixos/boot/ssh.nix | 49 +++++++++++++++++++
components/nixos/{ => boot}/tor-ssh.nix | 37 --------------
components/nixos/default.nix | 2 +-
flake.nix | 2 +
machines/chungus/configuration.nix | 3 +-
machines/orbi/configuration.nix | 1 -
machines/probe/configuration.nix | 1 -
.../probe/facts/ssh.ssh.boot.id_ed25519.pub | 1 -
.../probe/hardware-configuration/default.nix | 2 +-
.../disko-config-encrypted.nix | 1 +
11 files changed, 70 insertions(+), 44 deletions(-)
create mode 100644 components/nixos/boot/default.nix
create mode 100644 components/nixos/boot/ssh.nix
rename components/nixos/{ => boot}/tor-ssh.nix (72%)
delete mode 100644 machines/probe/facts/ssh.ssh.boot.id_ed25519.pub
diff --git a/components/nixos/boot/default.nix b/components/nixos/boot/default.nix
new file mode 100644
index 0000000..9bf6045
--- /dev/null
+++ b/components/nixos/boot/default.nix
@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+{
+
+ imports = [
+ ./ssh.nix
+ ];
+
+ options.components.nixos.boot.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf (config.components.nixos.boot.enable) { };
+
+}
diff --git a/components/nixos/boot/ssh.nix b/components/nixos/boot/ssh.nix
new file mode 100644
index 0000000..dbeb6e0
--- /dev/null
+++ b/components/nixos/boot/ssh.nix
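Review bot: `options.components.nixos.boot.enable` in the new boot/default.nix is declared without a `description`, and the `config = lib.mkIf (config.components.nixos.boot.enable) { };` body is empty, so the module currently only aggregates `./ssh.nix`. A one-liner such as `description = "Enable the boot-time (initrd) components; components.nixos.boot.ssh.enable defaults to this value.";` would make the relationship to the sub-option declared in ssh.nix visible to whoever reads `nixos-option` output. If the empty `config` block is a placeholder for settings that are still to come, a `# TODO: shared boot settings go here` comment would stop a reader from taking it for a leftover.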
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+
+{
+ options.components.nixos.boot.ssh = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = config.components.nixos.boot.enable;
+ };
+ kernelModules = mkOption {
+ type = listOf str;
+ default = [ ];
+ description =
+ "lspci -v will tell you which kernel module is used for the ethernet interface";
+ };
+ };
+
+ config = mkIf (config.components.nixos.boot.ssh.enable) {
+
+ # root password
+ clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
+ #users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
+ #users.users.root.initalPassword = "admin";
+
+ # ssh host key
+ clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
+
+ # boot
+ boot.initrd.systemd.enable = true;
+ boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}";
+
+ # network
+ boot.initrd.systemd.network.enable = true;
+ boot.initrd.availableKernelModules = config.components.nixos.boot.ssh.kernelModules;
+
+ # ssh
+ boot.initrd.network.enable = true;
+ boot.initrd.network.ssh = {
+ enable = true;
+ authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
+ port = 2222;
+ hostKeys = [ config.clan.core.facts.services."boot.ssh".secret."ssh.boot.id_ed25519".path ];
+ };
+
+ };
+
+}
+
diff --git a/components/nixos/tor-ssh.nix b/components/nixos/boot/tor-ssh.nix
similarity index 72%
rename from components/nixos/tor-ssh.nix
rename to components/nixos/boot/tor-ssh.nix
index 9af78bb..586b19f 100644
--- a/components/nixos/tor-ssh.nix
+++ b/components/nixos/boot/tor-ssh.nix
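Review bot: `clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };` generates a root password fact that nothing in this file consumes, because its only user, the `hashedPasswordFile` line directly below, is commented out with a fixme, and the next commented line `#users.users.root.initalPassword = "admin";` both misspells the option (`initialPassword`) and leaves a literal default password sitting in the tree. Either wire the fact up or drop the generator until it works, and delete the two commented lines rather than keep them; the same goes for the commented-out `#host = "167.235.205.150";` added to flake.nix in this commit. Moving the initrd host key from `config.services.openssh.hostKeys` (the code removed from tor-ssh.nix) to a dedicated `boot` fact deserves a comment, since the initrd lives unencrypted in /boot and a key embedded there should never be the main system's sshd key: `# dedicated initrd host key: the initrd is stored unencrypted in /boot, so the system's own sshd keys are never copied into it`. The deletion of machines/probe/facts/ssh.ssh.boot.id_ed25519.pub in the same commit suggests the `boot` fact has to be regenerated before probe is deployed; worth a line in the commit message. Stylistically the file mixes `lib.mkOption`/`lib.types.bool` for `enable` with the bare `mkOption`/`listOf str` brought in by `with lib; with types;` for `kernelModules`; pick one form.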
@@ -10,18 +10,6 @@ with types; default = false; }; - kernelModules = mkOption { - type = listOf str; - default = [ ]; - description = - "lspci -v will tell you which kernel module is used for the ethernet interface"; - }; - - ssh.enable = lib.mkOption { - type = lib.types.bool; - default = config.components.nixos.boot.enable; - }; - tor.enable = lib.mkOption { type = lib.types.bool; default = config.components.nixos.boot.ssh.enable; @@ -107,31 +95,6 @@ with types; }) - # ssh part - # -------- - (mkIf (config.components.nixos.boot.ssh.enable) { - - # boot - boot.initrd.systemd.enable = true; - boot.initrd.systemd.contents."/etc/hostname".text = "unlock.${config.networking.hostName}"; - - # network - boot.initrd.systemd.network.enable = true; - boot.initrd.availableKernelModules = config.components.nixos.boot.kernelModules; - - # ssh - boot.initrd.network.enable = true; - boot.initrd.network.ssh = { - enable = true; - #authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys ; - #authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles; - port = 2222; - hostKeys = map ({ path, ... }: path) config.services.openssh.hostKeys; - }; - - - }) - ]; } diff --git a/components/nixos/default.nix b/components/nixos/default.nix index 7da3461..838850e 100644 --- a/components/nixos/default.nix +++ b/components/nixos/default.nix @@ -2,7 +2,7 @@ { imports = [ ./upgrade-diff.nix - ./tor-ssh.nix + ./boot ]; options.components.nixos.enable = lib.mkOption { diff --git a/flake.nix b/flake.nix index 7ddbfe9..d70d22f 100644 --- a/flake.nix +++ b/flake.nix @@ -477,6 +477,7 @@ probe = clanSetup { name = "probe"; + #host = "167.235.205.150"; host = "95.217.18.54"; modules = [ homeManagerModules @@ -484,6 +485,7 @@ srvos.nixosModules.hardware-hetzner-cloud srvos.nixosModules.server srvos.nixosModules.mixins-terminfo + inputs.clan-core.clanModules.sshd { home-manager.users.mainUser = import ./homes/palo; home-manager.users.root = import ./homes/root; 
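Review bot: After the rename, `boot/tor-ssh.nix` is not imported anywhere visible in this patch: `boot/default.nix` imports only `./ssh.nix` and `components/nixos/default.nix` now imports `./boot`, so the `tor.enable` option (whose default still reads `config.components.nixos.boot.ssh.enable`, now declared in ssh.nix) is presumably unreachable, which is consistent with the machine configs dropping `components.nixos.boot.tor.enable = false;`. If parking the module is intentional, a `# not imported yet: tor unlock path still to be ported onto components.nixos.boot.ssh` comment at its top, or adding it to the imports list, would make that explicit. Note that importing it as-is would likely declare `components.nixos.boot.enable` a second time next to the declaration in boot/default.nix, if the context `default = false; };` at line 10 belongs to that option as it appears to. The enclosing option set and the module itself start and end outside both hunks.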
diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix index 15f8445..fab3704 100644 --- a/machines/chungus/configuration.nix +++ b/machines/chungus/configuration.nix @@ -59,8 +59,7 @@ components.terminal.enable = true; components.nixos.boot.enable = true; - components.nixos.boot.kernelModules = [ "e1000e" ]; - components.nixos.boot.tor.enable = false; + components.nixos.boot.ssh.kernelModules = [ "e1000e" ]; components.monitor.enable = true; components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317"; diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix index 6e26d38..237ce3d 100644 --- a/machines/orbi/configuration.nix +++ b/machines/orbi/configuration.nix @@ -54,7 +54,6 @@ components.network.sshd.sshguard.enable = false; components.nixos.boot.enable = true; - components.nixos.boot.tor.enable = false; components.monitor.enable = true; networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ]; diff --git a/machines/probe/configuration.nix b/machines/probe/configuration.nix index 1020664..5942902 100644 --- a/machines/probe/configuration.nix +++ b/machines/probe/configuration.nix @@ -11,7 +11,6 @@ components.network.enable = true; components.nixos.boot.enable = true; - components.nixos.boot.tor.enable = false; networking.hostName = "probe"; users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ]; diff --git a/machines/probe/facts/ssh.ssh.boot.id_ed25519.pub b/machines/probe/facts/ssh.ssh.boot.id_ed25519.pub deleted file mode 100644 index b83b315..0000000 --- a/machines/probe/facts/ssh.ssh.boot.id_ed25519.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrcy2I9RXvWzWkNOvdNAhjq92A3gD/ICVlAHFiuQxF3 nixbld@cream \ No newline at end of file diff --git a/machines/probe/hardware-configuration/default.nix b/machines/probe/hardware-configuration/default.nix index 662830b..c1b98cf 100644 
--- a/machines/probe/hardware-configuration/default.nix +++ b/machines/probe/hardware-configuration/default.nix @@ -1,7 +1,7 @@ { config, factsGenerator, clanLib, ... }: { imports = [ - ./disko-config-encrypted.nix + ./disko-config-simple.nix ./hardware-configuration.nix ./hetzner.nix # to more me to components ]; diff --git a/machines/probe/hardware-configuration/disko-config-encrypted.nix b/machines/probe/hardware-configuration/disko-config-encrypted.nix index c1c7aca..f9d82ff 100644 --- a/machines/probe/hardware-configuration/disko-config-encrypted.nix +++ b/machines/probe/hardware-configuration/disko-config-encrypted.nix @@ -29,6 +29,7 @@ content = { type = "luks"; name = "root"; + settings.allowDiscards = true; content = { type = "filesystem"; format = "ext4";
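Review bot: Switching probe's import from `./disko-config-encrypted.nix` to `./disko-config-simple.nix` moves the machine off the LUKS layout onto a layout that, going by its name, is presumably unencrypted; that is a security-relevant change the subject line ("wip ssh component refactoring") does not mention. If this is a temporary step while the initrd SSH unlock is being reworked, record it at the point of change, e.g. `./disko-config-simple.nix # TODO: WIP, return to disko-config-encrypted.nix once initrd ssh unlock works`, so probe is not left on an unencrypted root by accident. The `unlock.${hostName}` initrd hostname in the new ssh.nix suggests that component exists to unlock an encrypted root at boot, so on probe it currently has nothing to unlock.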
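Review bot: `settings.allowDiscards = true;` passes TRIM through the LUKS layer, which lets the raw device reveal which blocks are unused and therefore the filesystem's shape and fill level, the documented confidentiality trade-off of cryptsetup's `--allow-discards`. A short comment recording that the trade-off was accepted, e.g. `settings.allowDiscards = true; # TRIM through LUKS: exposes free-block layout on the raw device, accepted for SSD health`, keeps the decision visible to the next person auditing the layout. Since this commit also stops probe from importing this file, the change only takes effect if the encrypted layout is re-enabled. The enclosing `content` attribute set starts and ends outside the hunk.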