From d910872efb60226bee50ae0f403eda21cf5f5d65 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Sun, 9 Jun 2024 00:43:19 +0200 Subject: [PATCH] try to enable tor in initrd for ssh but does not work
--- components/network/sshd/default.nix | 1 - .../network/sshd/known-hosts-bootup.nix | 85 ----------------- components/nixos/tor-ssh.nix | 93 +++++++++++++++++-- machines/chungus/configuration.nix | 9 -- 4 files changed, 85 insertions(+), 103 deletions(-) delete mode 100644 components/network/sshd/known-hosts-bootup.nix
diff --git a/components/network/sshd/default.nix b/components/network/sshd/default.nix
index a4f9737..95bad56 100644
--- a/components/network/sshd/default.nix
+++ b/components/network/sshd/default.nix
@@ -38,7 +38,6 @@ in { imports = [ - ./known-hosts-bootup.nix ./known-hosts-public.nix ];
diff --git a/components/network/sshd/known-hosts-bootup.nix b/components/network/sshd/known-hosts-bootup.nix
deleted file mode 100644
index 769d185..0000000
--- a/components/network/sshd/known-hosts-bootup.nix
+++ /dev/null 
@@ -1,85 +0,0 @@ -{ config, lib, pkgs, private_assets, ... }: -with lib; -let - - computers = { - pepe = { - onionId = fileContents "${private_assets}/onion_id_pepe"; - # SHA256:aOZbqpgc5CcTNtRAzjuG/0BQZ9MF5c9u/N+UC88y8kI - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5K4UHD8cIcXB33UiOj5vyXJj+4CyyiLFDMwcyad92a"; - }; - chungus = { - onionId = fileContents "${private_assets}/onion_id_chungus"; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJpPfGAiARWgZbID+2IIT9dbo/PqgG/pkFsBaBUKGiu"; - }; - }; - -in -{ - - config = mkIf (config.components.network.sshd.enable) { - - services.openssh.knownHosts = { - "robi-init-ssh" = { - hostNames = [ - "[robi]:2222" - "[144.76.13.147]:2222" - ]; - # SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ"; - }; - } // (mapAttrs' - (name: - { onionId, publicKey, ... }: { - name = "${name}-init-ssh"; - value = { - hostNames = [ "[${onionId}]:2222" ]; - inherit publicKey; - }; - }) - computers); - - environment.systemPackages = - let - - sshTor = mapAttrsToList - (name: - { onionId, ... }: - pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" '' - ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 - '') - computers; - - passwordTor = mapAttrsToList - (name: - { onionId, ... }: - pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" '' - ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 ' - echo -n "enter password : " - read password - echo "$password" > /crypt-ramfs/passphrase - ' - '') - computers; - - unlockInit = mapAttrsToList - (name: - { public_ip, ... }: - pkgs.writers.writeDashBin "unlock-boot-${name}" '' - ${pkgs.openssh}/bin/ssh root@${public_ip} -p 2222 ' - echo -n "enter password : " - read password - echo "$password" | systemctl default - ' - '') - { - orbi = { - public_ip = "95.216.66.212"; - }; - }; - - in - sshTor ++ passwordTor ++ unlockInit; - - }; -} 
diff --git a/components/nixos/tor-ssh.nix b/components/nixos/tor-ssh.nix
index d311506..0ba6b0f 100644
--- a/components/nixos/tor-ssh.nix
+++ b/components/nixos/tor-ssh.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
 with lib;
 with types; 
@@ -17,19 +17,96 @@ with types; "lspci -v will tell you which kernel module is used for the ethernet interface"; }; - ssh = { - - enable = lib.mkOption { - type = lib.types.bool; - default = config.components.nixos.boot.enable; - }; - + ssh.enable = lib.mkOption { + type = lib.types.bool; + default = config.components.nixos.boot.enable; + }; + tor.enable = lib.mkOption { + type = lib.types.bool; + default = config.components.nixos.boot.ssh.enable; }; }; config = mkMerge [ + # todo : not working at the moment, because onion hostnames are secrets + ( + let + onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname"; + generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" '' + ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 + ''; + in + { + # add known hosts + services.openssh.knownHosts = + mapAttrs + (_machine: onionId: { + hostNames = [ "[${onionId}]:2222" ]; + }) + onionIds; + + # create unlook tor boot script + environment.systemPackages = + mapAttrsToList generateOnionUnlockScript onionIds; + } + ) + + # tor part + # -------- + (mkIf (config.components.nixos.boot.tor.enable) { + + #services.tor = { + # enable = true; + # client.enable = true; + # relay.onionServices.bootup.map = [{ port = 2222; }]; + #}; + + # tor setup + clanCore.facts.services.initrd_tor = factsGenerator.tor { name = "initrd"; }; + + boot.initrd.secrets = { + "/etc/tor/onion/bootup/tor.priv" = config.clanCore.facts.services.initrd_tor.secret."tor.initrd.priv".path; + "/etc/tor/onion/bootup/hostname" = config.clanCore.facts.services.initrd_tor.secret."tor.initrd.hostname".path; + }; + + #boot.initrd.extraUtilsCommands = '' + # copy_bin_and_libs ${pkgs.tor}/bin/tor + #''; + + # fixme: this thing is not working for some reason. 
+ boot.initrd.systemd.packages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ]; + boot.initrd.systemd.services.tor = { + path = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ]; + # todo: set wanted by + script = + let + torRc = pkgs.writeText "tor.rc" '' + DataDirectory /etc/tor + SOCKSPort 127.0.0.1:9050 IsolateDestAddr + SOCKSPort 127.0.0.1:9063 + HiddenServiceDir /etc/tor/onion/bootup + HiddenServicePort 2222 127.0.0.1:2222 + ''; + in + '' + echo "tor: preparing onion folder" + # have to do this otherwise tor does not want to start + chmod -R 700 /etc/tor + + echo "make sure localhost is up" + ip a a 127.0.0.1/8 dev lo + ip link set lo up + + echo "tor: starting tor" + tor -f ${torRc} --verify-config + tor -f ${torRc} + ''; + }; + }) + + # ssh part + # -------- + (mkIf (config.components.nixos.boot.ssh.enable) {
diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix
index f82494b..7e13a7c 100644
--- a/machines/chungus/configuration.nix
+++ b/machines/chungus/configuration.nix
@@ -65,14 +65,8 @@ services.printing.enable = false; - #virtualisation.containers.storage.settings = { - # # fixes: Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver - # storage.options.mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"; - #}; virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset - #sops.defaultSopsFile = ../../secrets/chungus.yaml; - networking.hostName = "chungus"; hardware.opengl = {
@@ -85,9 +79,6 @@ ]; }; - # just enable lan - #networking.dhcpcd.allowInterfaces = [ "enp0s25" ]; - # nix-shell -p speedtest_cli --run speedtest #configuration.fireqos = { # enable = false;
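Review bot: The `services.openssh.knownHosts` entries generated from `onionIds` in the tor-ssh.nix hunk set only `hostNames` and no `publicKey`, so the unlock client has no pinned host key for the initrd sshd, whereas the deleted `known-hosts-bootup.nix` pinned an ed25519 key per machine; with `unlock-boot-<machine>-via-tor` the operator then talks to whatever answers on that onion address after a first-connection prompt, and the passphrase they type goes to it. As far as I recall NixOS also asserts that each knownHosts entry sets exactly one of `publicKey`/`publicKeyFile`, so this block would fail evaluation before the onion-hostname-is-a-secret problem noted in the todo. Publishing the initrd sshd host key's public half as a fact next to `tor.initrd.hostname` and adding `publicKey = <initrd-sshd-host-key-pub fact>;` to the generated entry would restore the pinning. Separately, the `tor` unit under `boot.initrd.systemd.services` has no `wantedBy` (the `# todo: set wanted by` comment), so unless something outside the hunk pulls it in it never starts, which by itself explains the "does not work" in the subject; and `boot.initrd.secrets` copies the hidden-service private key into the initrd image on the boot partition, which is acceptable only if that partition's exposure is understood to be equivalent to exposing the initrd ssh host key. The enclosing `config = mkMerge [ ... ]` list continues past the hunk (the ssh part).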