try to enable tor in initrd for ssh but does not work

This commit is contained in:
Ingolf Wagner 2024-06-09 00:43:19 +02:00
parent 43e28c2d41
commit d910872efb
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
4 changed files with 85 additions and 103 deletions

View file

@ -38,7 +38,6 @@ in
{
imports = [
./known-hosts-bootup.nix
./known-hosts-public.nix
];

View file

@ -1,85 +0,0 @@
{ config, lib, pkgs, private_assets, ... }:
with lib;
let
computers = {
pepe = {
onionId = fileContents "${private_assets}/onion_id_pepe";
# SHA256:aOZbqpgc5CcTNtRAzjuG/0BQZ9MF5c9u/N+UC88y8kI
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5K4UHD8cIcXB33UiOj5vyXJj+4CyyiLFDMwcyad92a";
};
chungus = {
onionId = fileContents "${private_assets}/onion_id_chungus";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJpPfGAiARWgZbID+2IIT9dbo/PqgG/pkFsBaBUKGiu";
};
};
in
{
config = mkIf (config.components.network.sshd.enable) {
services.openssh.knownHosts = {
"robi-init-ssh" = {
hostNames = [
"[robi]:2222"
"[144.76.13.147]:2222"
];
# SHA256:rhvbJ84cPXXezaoJiY7tFsG8CJxI2F/lLKz8q+xUW+g
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKQ7XB6Cs9FJmHkuZ9ihbj76WsK0uJBh882ceyKaaKJ";
};
} // (mapAttrs'
(name:
{ onionId, publicKey, ... }: {
name = "${name}-init-ssh";
value = {
hostNames = [ "[${onionId}]:2222" ];
inherit publicKey;
};
})
computers);
environment.systemPackages =
let
sshTor = mapAttrsToList
(name:
{ onionId, ... }:
pkgs.writers.writeDashBin "ssh-boot-to-${name}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
'')
computers;
passwordTor = mapAttrsToList
(name:
{ onionId, ... }:
pkgs.writers.writeDashBin "unlock-boot-${name}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222 '
echo -n "enter password : "
read password
echo "$password" > /crypt-ramfs/passphrase
'
'')
computers;
unlockInit = mapAttrsToList
(name:
{ public_ip, ... }:
pkgs.writers.writeDashBin "unlock-boot-${name}" ''
${pkgs.openssh}/bin/ssh root@${public_ip} -p 2222 '
echo -n "enter password : "
read password
echo "$password" | systemctl default
'
'')
{
orbi = {
public_ip = "95.216.66.212";
};
};
in
sshTor ++ passwordTor ++ unlockInit;
};
}

View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, factsGenerator, clanLib, ... }:
with lib;
with types;
@ -17,19 +17,96 @@ with types;
"lspci -v will tell you which kernel module is used for the ethernet interface";
};
ssh = {
enable = lib.mkOption {
type = lib.types.bool;
default = config.components.nixos.boot.enable;
};
ssh.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.nixos.boot.enable;
};
tor.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.nixos.boot.ssh.enable;
};
};
config = mkMerge [
# todo : not working at the moment, because onion hostnames are secrets
(
let
onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
'';
in
{
# add known hosts
services.openssh.knownHosts =
mapAttrs
(_machine: onionId: {
hostNames = [ "[${onionId}]:2222" ];
})
onionIds;
# create unlook tor boot script
environment.systemPackages =
mapAttrsToList generateOnionUnlockScript onionIds;
}
)
# tor part
# --------
(mkIf (config.components.nixos.boot.tor.enable) {
#services.tor = {
# enable = true;
# client.enable = true;
# relay.onionServices.bootup.map = [{ port = 2222; }];
#};
# tor setup
clanCore.facts.services.initrd_tor = factsGenerator.tor { name = "initrd"; };
boot.initrd.secrets = {
"/etc/tor/onion/bootup/tor.priv" = config.clanCore.facts.services.initrd_tor.secret."tor.initrd.priv".path;
"/etc/tor/onion/bootup/hostname" = config.clanCore.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
};
#boot.initrd.extraUtilsCommands = ''
# copy_bin_and_libs ${pkgs.tor}/bin/tor
#'';
# fixme: this thing is not working for some reason.
boot.initrd.systemd.packages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
boot.initrd.systemd.services.tor = {
path = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
# todo: set wanted by
script =
let
torRc = pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 2222 127.0.0.1:2222
'';
in
''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc}
'';
};
})
# ssh part
# --------
(mkIf (config.components.nixos.boot.ssh.enable) {

View file

@ -65,14 +65,8 @@
services.printing.enable = false;
#virtualisation.containers.storage.settings = {
# # fixes: Error: 'overlay' is not supported over zfs, a mount_program is required: backing file system is unsupported for this graph driver
# storage.options.mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs";
#};
virtualisation.podman.extraPackages = [ pkgs.zfs ]; # make sure /var/lib/containers/storage is a zfs dataset
#sops.defaultSopsFile = ../../secrets/chungus.yaml;
networking.hostName = "chungus";
hardware.opengl = {
@ -85,9 +79,6 @@
];
};
# just enable lan
#networking.dhcpcd.allowInterfaces = [ "enp0s25" ];
# nix-shell -p speedtest_cli --run speedtest
#configuration.fireqos = {
# enable = false;