From 2d1985e42006c121eac4bd915bee3e436ebcd314 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 15:18:54 +0200 Subject: infest: don't init contents of the NixOS channel --- krebs/3modules/build/default.nix | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix index d6ee5c917..19f14b486 100644 --- a/krebs/3modules/build/default.nix +++ b/krebs/3modules/build/default.nix @@ -67,12 +67,16 @@ let src=$(type -p nixos-install) cat_src() { sed < "$src" "$( - sed < "$src" -n ' - /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= - /^nixpkgs=/= - /^NIX_PATH=/,/^$/{/./=} - ' \ - | sed 's:$:s/^/#krebs#/:' + { sed < "$src" -n ' + /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= + /^nixpkgs=/= + /^NIX_PATH=/,/^$/{/./=} + + # Disable: Copy the NixOS/Nixpkgs sources to the target as + # the initial contents of the NixOS channel. + /^srcs=/,/^ln -sfn /= + ' + } | sed 's:$:s/^/#krebs#/:' )" } -- cgit v1.2.3 From 53f93de02f412005e33fadc50dccde1a6400abe8 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 15:19:59 +0200 Subject: krebs: no extraHosts for hosts w/o aliases --- krebs/3modules/default.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5fb129747..78834d8d5 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
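Review bot: The new range address `/^srcs=/,/^ln -sfn /=` (like the three existing ones) selects lines of nixos-install purely by text shape, so when upstream renames those markers the inner sed prints nothing, the generated script is empty and the channel copy silently runs again. A cheap guard is to capture the generated script before using it: `script=$({ sed < "$src" -n '…' ; } | sed 's:$:s/^/#krebs#/:')`, then `test -n "$script" || { echo "cat_src: no markers matched in $src" >&2; return 1; }`, then `sed < "$src" "$script"`. The `cat_src` function and the Nix string that embeds it begin before this hunk, so the `src=` assignment and the caller are not visible here.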
@@ -84,13 +84,16 @@ let mapAttrsToList (hostname: host: mapAttrsToList (netname: net: let - aliases = toString (unique (longs ++ shorts)); + aliases = longs ++ shorts; providers = dns.split-by-provider net.aliases cfg.dns.providers; longs = providers.hosts; - shorts = map (removeSuffix ".${cfg.search-domain}") longs; + shorts = + map (removeSuffix ".${cfg.search-domain}") + (filter (hasSuffix ".${cfg.search-domain}") + longs); in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets + map (addr: "${addr} ${toString aliases}") net.addrs + ) (filterAttrs (name: host: host.aliases != []) host.nets) ) cfg.hosts )); -- cgit v1.2.3 From edd973f7735e7a7e9964f0ac7d75ab4ca20b80d9 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 15:20:55 +0200 Subject: Zhosts ire: update Address --- krebs/Zhosts/ire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/Zhosts/ire b/krebs/Zhosts/ire index 724158cb0..db4f9808c 100644 --- a/krebs/Zhosts/ire +++ b/krebs/Zhosts/ire @@ -1,4 +1,4 @@ -Address = 198.147.23.143 +Address = 198.147.22.115 Subnet = 10.243.231.66 Subnet = 42:b912:0f42:a82d:0d27:8610:e89b:490c -- cgit v1.2.3 From dc5299a07126e73b2040213cc1610f7368604213 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 15:24:41 +0200 Subject: krebs: add hosts with ssh.pubkey to known hosts --- krebs/3modules/default.nix | 34 ++++++++++++++++++++++++++++++++++ krebs/4lib/types.nix | 34 ++++++++++++++++++++++++++++++++-- 2 files changed, 66 insertions(+), 2 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 78834d8d5..1501a9d49 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
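Review bot: In the new `filterAttrs (name: host: host.aliases != []) host.nets` the lambda parameter is named `host` although it receives a net, so it shadows the outer `host` binding and reads as if it were testing host-level aliases; `(filterAttrs (_: net: net.aliases != []) host.nets)` says what it does. The commit also drops the `unique` that the old `aliases` had; since `shorts` is derived from `longs`, a duplicate can only arise when `longs` already contains both a name and its suffix-stripped form, which is probably unintended but is now emitted twice into extraHosts, so `toString (unique aliases)` in the `map` would keep the old guarantee. The enclosing `mapAttrsToList` over `cfg.hosts` starts and ends outside the hunk.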
@@ -103,6 +103,32 @@ let ([cfg.zone-head-config] ++ combined-hosts) ; combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones; + + programs.ssh.knownHosts = + mapAttrs + (name: host: { + hostNames = + concatLists + (mapAttrsToList + (net-name: net: + let + aliases = shorts ++ longs; + longs = net.aliases; + shorts = + map (removeSuffix ".${cfg.search-domain}") + (filter (hasSuffix ".${cfg.search-domain}") + longs); + add-port = a: + if net.ssh.port != null + then "[${a}]:${toString net.ssh.port}" + else a; + in + aliases ++ map add-port net.addrs) + host.nets); + + publicKey = host.ssh.pubkey; + }) + (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts); } ]; @@ -464,6 +490,7 @@ let "cgit.cd.viljetic.de" "cd.krebsco.de" ]; + ssh.port = 11423; }; retiolum = { via = internet; @@ -490,6 +517,7 @@ let ''; }; }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; mkdir = rec { cores = 1; @@ -522,6 +550,8 @@ let ''; }; }; + ssh.privkey = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw"; }; nomic = { cores = 2; @@ -547,6 +577,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09"; }; rmdir = rec { cores = 1; @@ -579,6 +610,7 @@ let ''; }; }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGniQyABsMNSFTKAxJgxZlLrWfexUt+vhZ3p2hpBl4J"; }; wu = { cores = 4; @@ -604,6 +636,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; }; xu = { cores = 4; @@ -629,6 +662,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw"; }; }; users = addNames { diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index dbffdf850..a7df92084 100644 
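Review bot: `add-port` is applied only to `net.addrs`, never to `aliases`, so for a net with `ssh.port` set the known_hosts entry for an alias is written as `cd.krebsco.de` while OpenSSH looks it up as `[cd.krebsco.de]:11423` when connecting on that port; the `cd` host in this same file section declares exactly that combination (aliases plus `ssh.port = 11423`), so host-key pinning would not apply on its alias names. Changing the last line of the `let` to `map add-port (aliases ++ net.addrs)` records every name in the form the client matches on. The surrounding `let … in` of the module starts before the hunk, so `cfg` and `search-domain` are assumed to be the same bindings the extraHosts code uses.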
--- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -1,11 +1,12 @@ { lib, ... }: +with builtins; with lib; with types; types // rec { - host = submodule { + host = submodule ({ config, ... }: { options = { name = mkOption { type = label; @@ -46,8 +47,25 @@ types // rec { TODO define minimum requirements for secure hosts ''; }; + + ssh.pubkey = mkOption { + type = nullOr str; + default = null; + apply = x: + if x != null + then x + else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null; + }; + ssh.privkey = mkOption { + type = either path str; + apply = x: { + path = toString x; + string = x; + }.${typeOf x}; + }; + }; - }; + }); net = submodule ({ config, ... }: { options = { @@ -71,6 +89,18 @@ types // rec { aliases = mkOption { # TODO nonEmptyListOf hostname type = listOf hostname; + default = []; + }; + ssh = mkOption { + type = submodule { + options = { + port = mkOption { + type = nullOr int; + default = null; + }; + }; + }; + default = {}; }; tinc = mkOption { type = let net-config = config; in nullOr (submodule ({ config, ... }: { -- cgit v1.2.3 From 5a0d8f45c173815d3d460453956212c2ad8df3a7 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 15:26:04 +0200 Subject: krebs tv-imp: add ire --- krebs/3modules/default.nix | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 1501a9d49..8e79cd014 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
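Review bot: The `apply` on `ssh.privkey` deserves a why-comment: `toString x` on a Nix path yields the absolute path without copying the file, whereas interpolating the path into a string would copy the private key into the world-readable Nix store; something like `# toString keeps the key out of the store; never interpolate this path into a string` next to `path = toString x;` makes that property survive the next refactor. The `trace` in `ssh.pubkey`'s `apply` says the option "is unused", but presumably it fires for every host that simply has no pubkey set, each time the option is read; a wording such as "is not set" (or an `lib.warn`-style message naming the consequence, that the host is skipped in knownHosts) would be less misleading. The `host` submodule closes outside the first hunk, so the `({ config, ... }:` wrapping cannot be checked against its closing `})` from here.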
@@ -553,6 +553,33 @@ let ssh.privkey = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw"; }; + ire = { + nets = { + internet = { + addrs4 = ["198.147.22.115"]; + ssh.port = 11423; + }; + retiolum = { + addrs4 = ["10.243.231.66"]; + addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"]; + aliases = [ + "ire.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7 + rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt + 6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU + 1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K + LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu + nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + ssh.port = 11423; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY"; + }; nomic = { cores = 2; dc = "tv"; #dc = "gg23"; -- cgit v1.2.3 From 18cfca4fe8d94f11c004fe72289b10c32a89ed68 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 16:15:53 +0200 Subject: krebs: set host key for hosts with ssh.privkey --- krebs/3modules/default.nix | 8 ++++++-- krebs/4lib/types.nix | 26 ++++++++++++++++++++------ 2 files changed, 26 insertions(+), 8 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 8e79cd014..4a9be8676 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -104,7 +104,11 @@ let combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones; - programs.ssh.knownHosts = + services.openssh.hostKeys = + let inherit (config.krebs.build.host.ssh) privkey; in + mkIf (privkey != null) (mkForce [privkey]); + + services.openssh.knownHosts = mapAttrs (name: host: { hostNames = 
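Review bot: The `ire` entry repeats the addresses that `krebs/Zhosts/ire` carries (198.147.22.115, 10.243.231.66, 42:b912:…), which an earlier commit on this page had to update by hand; keeping the same values in two places invites them drifting apart. If the Zhosts file is still consumed elsewhere, a comment on the `nets` attribute such as `# keep in sync with krebs/Zhosts/ire` at least names the coupling. The `ire` entry also lacks `cores` and `dc` that the neighbouring hosts set; whether those are required by the `host` type cannot be told from this hunk.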
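Review bot: `mkForce [privkey]` replaces the openssh module's default host keys with exactly one key of `privkey.type`, which defaults to `ed25519` in the types change of this commit, so the host no longer offers an RSA host key and a client that lacks ed25519 support cannot verify it; if that is intended, a comment on the `services.openssh.hostKeys` line saying so would help. The attribute set passed through also carries `bits = null` when bits are unset; if the openssh module tests for the presence of `bits` rather than its value, that would turn into an empty `-b` argument at key generation, so `mkIf (privkey != null) (mkForce [(filterAttrs (_: v: v != null) privkey)])` is safer. The enclosing `let` of the module starts before this hunk.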
@@ -550,7 +554,7 @@ let ''; }; }; - ssh.privkey = ; + ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw"; }; ire = { diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index a7df92084..0aa594fb1 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -57,13 +57,27 @@ types // rec { else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null; }; ssh.privkey = mkOption { - type = either path str; - apply = x: { - path = toString x; - string = x; - }.${typeOf x}; + type = nullOr (submodule { + options = { + bits = mkOption { + type = nullOr (enum ["4096"]); + default = null; + }; + path = mkOption { + type = either path str; + apply = x: { + path = toString x; + string = x; + }.${typeOf x}; + }; + type = mkOption { + type = enum ["rsa" "ed25519"]; + default = "ed25519"; + }; + }; + }); + default = null; }; - }; }); -- cgit v1.2.3 From 48e28c49e06c903c58ac1e1d7eebfba5aab73723 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 16:17:11 +0200 Subject: krebs tv-imp: bump mkdir's addrs4 --- krebs/3modules/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 4a9be8676..e806ee10d 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -529,7 +529,7 @@ let infest.addr = head nets.internet.addrs4; nets = rec { internet = { - addrs4 = ["104.233.84.102"]; + addrs4 = ["104.233.84.173"]; aliases = [ "mkdir.internet" ]; -- cgit v1.2.3 From 0e069d964e89248ee3f0df72c7e6998ae1c204ff Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 16:30:40 +0200 Subject: add krebs.build.scripts.init --- krebs/3modules/build/default.nix | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'krebs') diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix index 19f14b486..993ccb702 100644 
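Review bot: In the new `ssh.privkey` submodule `bits` is typed `nullOr (enum ["4096"])` while `type` defaults to `ed25519`, for which a bit size is meaningless, and nothing ties the two together, so `{ type = "ed25519"; bits = "4096"; }` is accepted and `{ type = "rsa"; }` silently falls back to ssh-keygen's default size. A `description` on each option stating that `bits` only applies to `rsa`, or a check such as `type = addCheck (submodule …) (k: k.bits == null || k.type == "rsa");` if the lib in use provides `addCheck`, would make the contract explicit. Note also that `bits` is a string enum while it is later rendered with `toString`; an `int` enum would remove the conversion.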
--- a/krebs/3modules/build/default.nix +++ b/krebs/3modules/build/default.nix @@ -28,6 +28,46 @@ let type = types.user; }; + options.krebs.build.scripts.init = lib.mkOption { + type = lib.types.str; + default = + let + inherit (config.krebs.build) host; + inherit (host.ssh) privkey; + in + '' + #! /bin/sh + set -efu + + hostname=${host.name} + secrets_dir=${config.krebs.build.source.dir.secrets.path} + key_type=${privkey.type} + key_file=$secrets_dir/ssh.id_$key_type + key_comment=$hostname + + if test -e "$key_file"; then + echo "Warning: privkey already exists: $key_file" >&2 + else + ssh-keygen \ + ${optionalString (privkey.bits != null) + "-b ${toString privkey.bits}"} \ + -C "$key_comment" \ + -t "$key_type" \ + -f "$key_file" \ + -N "" + rm "$key_file.pub" + fi + + pubkey=$(ssh-keygen -y -f "$key_file") + + cat<; + ssh.pubkey = $(echo $pubkey | jq -R .); + EOF + ''; + }; + options.krebs.build.scripts.deploy = lib.mkOption { type = lib.types.str; default = '' -- cgit v1.2.3 From 4946561e0ae254df8068905286204a4da517621d Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 16:55:17 +0200 Subject: krebs.build.scripts.init: don't try to use privkey ^_^ --- krebs/3modules/build/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix index 993ccb702..23bd8c8fd 100644 --- a/krebs/3modules/build/default.nix +++ b/krebs/3modules/build/default.nix @@ -33,7 +33,6 @@ let default = let inherit (config.krebs.build) host; - inherit (host.ssh) privkey; in '' #! /bin/sh @@ -41,7 +40,7 @@ let hostname=${host.name} secrets_dir=${config.krebs.build.source.dir.secrets.path} - key_type=${privkey.type} + key_type=ed25519 key_file=$secrets_dir/ssh.id_$key_type key_comment=$hostname 
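Review bot: `ssh.pubkey = $(echo $pubkey | jq -R .);` expands `$pubkey` unquoted, so the key line is word-split and re-joined by `echo` and any glob characters in the comment would be expanded; `printf '%s\n' "$pubkey" | jq -R .` passes the line through verbatim. The heredoc line is rendered here as `cat<;`, which looks like the `<<EOF` and the path literal were lost in extraction, so its exact contents cannot be checked. The script writes an unencrypted key (`-N ""`) into `$secrets_dir` and relies on ssh-keygen's default file mode for protection; a comment stating that the directory itself is expected to be private would document the assumption. The option block continues in the next hunk of the file.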
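Review bot: Hard-coding `key_type=ed25519` means the init script now ignores the `ssh.privkey.type` and `bits` that `krebs/4lib/types.nix` declares earlier on this page, so a host configured with `type = "rsa"` gets an `ssh.id_ed25519` file and pubkey from init while `services.openssh.hostKeys` is fed the declared rsa settings; the removal of the `-b` handling in the following hunk has the same effect. If init is meant to support ed25519 only, say so in a comment on that line; otherwise `key_type=${if host.ssh.privkey != null then host.ssh.privkey.type else "ed25519"}` keeps the two in agreement without touching the null case this commit fixes. The option's `default` string starts in an earlier hunk.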
@@ -49,8 +48,6 @@ let echo "Warning: privkey already exists: $key_file" >&2 else ssh-keygen \ - ${optionalString (privkey.bits != null) - "-b ${toString privkey.bits}"} \ -C "$key_comment" \ -t "$key_type" \ -f "$key_file" \ @@ -62,7 +59,6 @@ let cat<; ssh.pubkey = $(echo $pubkey | jq -R .); EOF ''; -- cgit v1.2.3 From 9ff5db3fd6c2d0d54096cebe5f3a7e9a95539268 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 27 Sep 2015 16:56:14 +0200 Subject: tv: cd, rmdir: add ssh.pubkey --- krebs/3modules/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index e806ee10d..2b4a13c42 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -521,6 +521,7 @@ let ''; }; }; + ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; mkdir = rec { @@ -641,7 +642,8 @@ let ''; }; }; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGniQyABsMNSFTKAxJgxZlLrWfexUt+vhZ3p2hpBl4J"; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4"; }; wu = { cores = 4; -- cgit v1.2.3
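Review bot: For `rmdir` the change replaces an existing `ssh.pubkey` (…AAAAIFGniQ… becomes …AAAAICLuhLR…) rather than adding one, while the commit title says "add ssh.pubkey"; since this value feeds `services.openssh.knownHosts` for every host, this silently rotates the trust anchor that all other machines pin for rmdir. A key rotation is worth stating in the commit message, and a comment such as `# host key rotated 2015-09-27` beside the new value lets a later reader tell a deliberate rotation from an accidental paste. The `ssh.privkey.path = ;` lines appear garbled in this rendering, so the path values cannot be reviewed here.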