From 8dc36a7f49596782f991f98612f29bc0bbd3056f Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 25 Jul 2024 20:39:21 +1000
Subject: [PATCH] modules/nixos/common: add initrd ssh

---
 modules/nixos/common/security.nix | 10 +++++++++
 secrets.yaml | 7 +++---
 tasks.py | 36 +++++++++++++++++++------------
 3 files changed, 36 insertions(+), 17 deletions(-)

diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 809e8343e..1df01838a 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -1,3 +1,4 @@
+{ inputs, lib, ... }:
 {
 # Make sure that the firewall is enabled, even if it's the default.
 networking.firewall.enable = true;
@@ -5,6 +6,15 @@
 # allow to access emergency shell with a password
 boot.initrd.systemd.emergencyAccess = "$6$he2fblfl/H7I.kvz$WbSCMXu8ztmqfj5jG4czqvu/rkMHxufxqHgy1urzXFSN.jZB4QiW5lOjR08vk8pZTyim3TT1wFkMaNE9zZ3sc1";
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ authorizedKeyFiles = lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";
+ hostKeys = [ "/etc/ssh/initrd_host_ed25519_key" ];
+ };
+ };
+
 services.openssh = {
 hostKeys = [
 {
diff --git a/secrets.yaml b/secrets.yaml
index 4ed4d3444..0a225deba 100644
--- a/secrets.yaml
+++ b/secrets.yaml
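Review bot: `authorizedKeyFiles = lib.filesystem.listFilesRecursive "${inputs.self}/users/keys";` admits every file under users/keys to the initrd sshd, and an initrd SSH login is a root shell on the not-yet-unlocked system, so anyone whose key is checked into that directory gains pre-boot root on every host importing this module, not only the administrators. If that directory also collects keys of ordinary users, pointing this at an admin-only subdirectory would narrow it; either way a comment such as `# every key under users/keys can log into the initrd as root` documents the blast radius. Using a dedicated initrd_host_ed25519_key rather than the runtime host key is the right choice, since the initrd image typically lives on the unencrypted boot partition and the key embedded in it should not be the host's real identity. Whether the initrd carries a NIC driver and IP configuration to actually bring the network up is not decided in this hunk; presumably per-host config covers it.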
@@ -8,6 +8,7 @@ accounts:
 - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str]
 totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str]
 emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str]
+initrd_host_ed25519_key: ENC[AES256_GCM,data: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,iv:Og2wky2h3c6VGoXa2Q8RDwOpAqLY3xYl2XR1HZ6omT8=,tag:yOjtBw56Nb/+ueuG6x6bgA==,type:str]
 ssh_host_ed25519_key:
 build01: ENC[AES256_GCM,data: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,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str]
 build02: ENC[AES256_GCM,data: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,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str]
@@ -112,8 +113,8 @@ sops:
 MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/
 oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-01-05T23:10:24Z"
- mac: ENC[AES256_GCM,data:eU+Fviv9czFkz+fGXQZSh7RlMGNhrWb+4NX7uBljU9F/gyRrMGdMmqlCHEG9spJV3ytnXHE8ByLMcnojLC9Gou3pbCjN7+X/1KP82KS05xKh6P1x4S3/uSyYl5YYSzuDxVHiT4NuCCwx5vyRUO33YLP68SZdFlFCGp0/SUgdd80=,iv:Pr/BHMNiqj88jkOMDYKtqnSnoBGSxNqEzGwNSQuPmr0=,tag:vR+XXYWnRzEIQOPHpNTndw==,type:str]
+ lastmodified: "2025-02-01T21:49:38Z"
+ mac: ENC[AES256_GCM,data:ma8JFAf22BJvviL9d58aQ4T2Dv6M20w1cA+8bX/KHsCJKDOdIM8Od/qWxsJWFHh7ttgAU0R/HxcgD8ji3Rxv46jiWKIYNTby7QvwARSmai9LbxlLhYq2tgi73DoKpV9Mu/VEt7NHzuZR+0dQiKyNSWfa/nKfcFku7Oly1Z6oVfI=,iv:zS7uJEm/dRFcN9k2HOtO6cjAOlurqBdhqPN1P+V9h44=,tag:p5KgPGPSL5nd1sOdkzFEzA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.2
+ version: 3.9.4
diff --git a/tasks.py b/tasks.py
index bba431431..4397f2ca5 100644
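Review bot: `initrd_host_ed25519_key` is added as a single top-level entry, while `ssh_host_ed25519_key` directly below it is nested per host (`build01`, `build02`), so every host deployed from this file receives the same initrd SSH host key; the tasks.py hunk extracts it with `'["initrd_host_ed25519_key"]'` and no `{flake_attr}`, consistent with that. A host key shared across machines means a client that has accepted one initrd cannot distinguish it from another, and disclosure of any one boot partition reveals the pre-boot identity of all of them. If sharing is intended, a comment next to the tasks.py call should say so; otherwise nesting it per host like `ssh_host_ed25519_key` and extracting with `f'["initrd_host_ed25519_key"]["{flake_attr}"]'` keeps the two key sets parallel.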
--- a/tasks.py
+++ b/tasks.py
@@ -144,20 +144,28 @@ def opener(path: str, flags: int) -> Union[str, int]:
 t = Path(tmpdir)
 t.mkdir(parents=True, exist_ok=True)
 t.chmod(0o755)
- host_key = t / "etc/ssh/ssh_host_ed25519_key"
- host_key.parent.mkdir(parents=True, exist_ok=True)
- with open(host_key, "w", opener=opener) as fh:
- subprocess.run(
- [
- "sops",
- "--extract",
- f'["ssh_host_ed25519_key"]["{flake_attr}"]',
- "--decrypt",
- f"{ROOT}/secrets.yaml",
- ],
- check=True,
- stdout=fh,
- )
+
+ def decrypt(path: str, secret: str) -> None:
+ file = t / path
+ file.parent.mkdir(parents=True, exist_ok=True)
+ with open(file, "w", opener=opener) as fh:
+ subprocess.run(
+ [
+ "sops",
+ "--extract",
+ secret,
+ "--decrypt",
+ f"{ROOT}/secrets.yaml",
+ ],
+ check=True,
+ stdout=fh,
+ )
+
+ decrypt(
+ "etc/ssh/ssh_host_ed25519_key",
+ f'["ssh_host_ed25519_key"]["{flake_attr}"]',
+ )
+ decrypt("etc/ssh/initrd_host_ed25519_key", '["initrd_host_ed25519_key"]')
 @task
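Review bot: The new nested `decrypt` helper has no docstring, and the permissions of the private-key files it writes depend entirely on `opener`, which is defined above this hunk (only its signature, `def opener(path: str, flags: int) -> Union[str, int]`, is visible in the hunk header); `open(file, "w", opener=opener)` would otherwise create the key with a umask-derived mode, so it is worth confirming that `opener` passes 0o600. A docstring such as `"""Decrypt one sops entry into *path* under the temp root, creating parent dirs."""` plus a comment `# opener is expected to create the file 0o600; host keys must not be group/world readable` would make that dependency explicit. Note also that the file is created before `sops` runs, so a `check=True` failure leaves an empty or partial key file in the tree; the enclosing function begins before this hunk, so whether the temp tree is discarded on that exception is not visible here.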