From 4f0c44f3ddde574c9b7ed7dabd121bb486b8d539 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 8 Nov 2024 16:14:16 +0100 Subject: [PATCH 1/9] sshd: add host ssh cert support --- clanModules/sshd/README.md | 12 +++++- clanModules/sshd/default.nix | 27 ++---------- clanModules/sshd/roles/client.nix | 11 +++++ clanModules/sshd/roles/server.nix | 68 +++++++++++++++++++++++++++++++ clanModules/sshd/shared.nix | 43 +++++++++++++++++++ 5 files changed, 137 insertions(+), 24 deletions(-) create mode 100644 clanModules/sshd/roles/client.nix create mode 100644 clanModules/sshd/roles/server.nix create mode 100644 clanModules/sshd/shared.nix diff --git a/clanModules/sshd/README.md b/clanModules/sshd/README.md index 34e6ab287..b72182680 100644 --- a/clanModules/sshd/README.md +++ b/clanModules/sshd/README.md @@ -1,3 +1,13 @@ --- -description = "Enables secure remote access to the machine over ssh" +description = "Enables secure remote access to the machine over ssh." +categories = ["System"] +features = [ "inventory" ] --- + +This module will setup the opensshd service. +It will generate a host key for each machine + + +## Roles + +### diff --git a/clanModules/sshd/default.nix b/clanModules/sshd/default.nix index d68fce4fe..ab24e1e49 100644 --- a/clanModules/sshd/default.nix +++ b/clanModules/sshd/default.nix @@ -1,25 +1,6 @@ -{ config, pkgs, ... }: +# Dont import this file +# It is only here for backwards compatibility. +# Dont author new modules with this file. { - services.openssh.enable = true; - services.openssh.settings.PasswordAuthentication = false; - - services.openssh.hostKeys = [ - { - path = config.clan.core.facts.services.openssh.secret."ssh.id_ed25519".path; - type = "ed25519"; - } - ]; - - clan.core.facts.services.openssh = { - secret."ssh.id_ed25519" = { }; - public."ssh.id_ed25519.pub" = { }; - generator.path = [ - pkgs.coreutils - pkgs.openssh - ]; - generator.script = '' - ssh-keygen -t ed25519 -N "" -f $secrets/ssh.id_ed25519 - mv $secrets/ssh.id_ed25519.pub $facts/ssh.id_ed25519.pub - ''; - }; + imports = [ ./roles/server.nix ]; } diff --git a/clanModules/sshd/roles/client.nix b/clanModules/sshd/roles/client.nix new file mode 100644 index 000000000..777363f14 --- /dev/null +++ b/clanModules/sshd/roles/client.nix @@ -0,0 +1,11 @@ +{ ... }: +{ + imports = [ + ../shared.nix + ]; + programs.ssh.knownHosts.ssh-ca = lib.mkIf (config.clan.sshd.certificate.searchDomains != [ ]) { + certAuthority = true; + extraHostNames = builtins.map (domain: "*.${domain}") config.clan.sshd.certificate.searchDomains; + publicKey = config.clan.core.vars.generators.openssh-ca.files."id_ed25519.pub".value; + }; +} diff --git a/clanModules/sshd/roles/server.nix b/clanModules/sshd/roles/server.nix new file mode 100644 index 000000000..6edf9c43c --- /dev/null +++ b/clanModules/sshd/roles/server.nix @@ -0,0 +1,68 @@ +{ + config, + pkgs, + lib, + ... +}: +let + stringSet = list: builtins.attrNames (builtins.groupBy lib.id list); + + signArgs = builtins.concatStringsSep " " ( + builtins.map (domain: "-n ${lib.escapeShellArg "${config.clan.core.machineName}.${domain}"}") ( + stringSet config.clan.sshd.certificate.searchDomains + ) + ); + cfg = config.clan.sshd; +in +{ + imports = [ ../shared.nix ]; + config = { + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + + settings.HostCertificate = lib.mkIf ( + cfg.certificate.searchDomains != [ ] + ) config.clan.core.vars.generators.openssh-cert.files."ssh.id_ed25519-cert.pub".path; + + hostKeys = [ + { + path = config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path; + type = "ed25519"; + } + ]; + }; + clan.core.vars.generators.openssh = { + files."ssh.id_ed25519" = { }; + files."ssh.id_ed25519.pub".secret = false; + migrateFact = "openssh"; + runtimeInputs = [ + pkgs.coreutils + pkgs.openssh + ]; + script = '' + ssh-keygen -t ed25519 -N "" -f $out/ssh.id_ed25519 + ''; + }; + + clan.core.vars.generators.openssh-cert = lib.mkIf (cfg.certificate.searchDomains != [ ]) { + files."ssh.id_ed25519-cert.pub".secret = false; + dependencies = [ + "openssh" + "openssh-ca" + ]; + runtimeInputs = [ + pkgs.openssh + pkgs.jq + ]; + script = '' + ssh-keygen \ + -s $in/openssh-ca/id_ed25519 \ + -I ${config.clan.core.machineName} \ + ${builtins.toString signArgs} \ + $in/openssh/ssh.id_ed25519.pub + mv $in/openssh/ssh.id_ed25519-cert.pub $out/ssh.id_ed25519-cert.pub + ''; + }; + }; +} diff --git a/clanModules/sshd/shared.nix b/clanModules/sshd/shared.nix new file mode 100644 index 000000000..768a54988 --- /dev/null +++ b/clanModules/sshd/shared.nix @@ -0,0 +1,43 @@ +{ + config, + lib, + pkgs, + ... +}: +{ + options = { + clan.sshd.certificate = { + # TODO: allow per-server domains that we than collect in the inventory + #domains = lib.mkOption { + # type = lib.types.listOf lib.types.str; + # default = [ ]; + # example = [ "git.mydomain.com" ]; + # description = "List of domains to include in the certificate. This option will not prepend the machine name in front of each domain."; + #}; + searchDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + example = [ "mydomain.com" ]; + description = "List of domains to include in the certificate. This option will prepend the machine name in front of each domain before adding it to the certificate."; + }; + }; + }; + config = { + clan.core.vars.generators.openssh-ca = + lib.mkIf (config.clan.sshd.certificate.searchDomains != [ ]) + { + share = true; + files.id_ed25519.deploy = false; + files."id_ed25519.pub" = { + deploy = false; + secret = false; + }; + runtimeInputs = [ + pkgs.openssh + ]; + script = '' + ssh-keygen -t ed25519 -N "" -f $out/id_ed25519 + ''; + }; + }; +} From b3b72e54cd1ff7bc30127299e05941d3749e5a2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 13 Nov 2024 13:54:52 +0100 Subject: [PATCH 2/9] remove ssh.id_ed25519 from facts test we have moved this to vars now. --- pkgs/clan-cli/tests/helpers/validator.py | 23 ------------------- pkgs/clan-cli/tests/test_secrets_generate.py | 8 +------ .../tests/test_secrets_password_store.py | 7 ------ 3 files changed, 1 insertion(+), 37 deletions(-) diff --git a/pkgs/clan-cli/tests/helpers/validator.py b/pkgs/clan-cli/tests/helpers/validator.py index fefb2e413..18140120a 100644 --- a/pkgs/clan-cli/tests/helpers/validator.py +++ b/pkgs/clan-cli/tests/helpers/validator.py @@ -1,5 +1,4 @@ import subprocess -import tempfile class Error(Exception): @@ -20,25 +19,3 @@ def is_valid_age_key(secret_key: str) -> bool: return True msg = f"Invalid age key: {secret_key}" raise Error(msg) - - -def is_valid_ssh_key(secret_key: str, ssh_pub: str) -> bool: - # create tempfile and write secret_key to it - with tempfile.NamedTemporaryFile() as temp: - temp.write(secret_key.encode("utf-8")) - temp.flush() - # Run the ssh-keygen command with the -y flag to check the key format - result = subprocess.run( - ["ssh-keygen", "-y", "-f", temp.name], - capture_output=True, - text=True, - check=False, - ) - - if result.returncode == 0: - if result.stdout != ssh_pub: - msg = f"Expected '{ssh_pub}' got '{result.stdout}' for ssh key: {secret_key}" - raise Error(msg) - return True - msg = f"Invalid ssh key: {secret_key}" - raise Error(msg) diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py index 98e092ccb..51dd64465 100644 --- a/pkgs/clan-cli/tests/test_secrets_generate.py +++ b/pkgs/clan-cli/tests/test_secrets_generate.py @@ -9,7 +9,7 @@ from clan_cli.machines.machines import Machine from clan_cli.secrets.folders import sops_secrets_folder from fixtures_flakes import FlakeForTest from helpers import cli -from helpers.validator import is_valid_age_key, is_valid_ssh_key +from helpers.validator import is_valid_age_key if TYPE_CHECKING: from age_keys import KeyPair @@ -85,7 +85,6 @@ def test_generate_secret( assert store2.exists("", "password-hash") assert store2.exists("", "user-password") assert store2.exists("", "user-password-hash") - assert store2.exists("", "ssh.id_ed25519") assert store2.exists("", "age.key") assert store2.exists("", "zerotier-identity-secret") @@ -97,11 +96,6 @@ def test_generate_secret( assert age_secret.isprintable() assert is_valid_age_key(age_secret) - # Assert that the ssh key is valid - ssh_secret = store2.get("", "ssh.id_ed25519").decode() - ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub") - assert is_valid_ssh_key(ssh_secret, ssh_pub) - # Assert that root-password is valid pwd_secret = store2.get("", "password").decode() assert pwd_secret.isprintable() diff --git a/pkgs/clan-cli/tests/test_secrets_password_store.py b/pkgs/clan-cli/tests/test_secrets_password_store.py index b187735f3..19054bf37 100644 --- a/pkgs/clan-cli/tests/test_secrets_password_store.py +++ b/pkgs/clan-cli/tests/test_secrets_password_store.py @@ -10,7 +10,6 @@ from clan_cli.nix import nix_shell from clan_cli.ssh import HostGroup from fixtures_flakes import ClanFlake from helpers import cli -from helpers.validator import is_valid_ssh_key @pytest.mark.impure @@ -90,14 +89,8 @@ def test_upload_secret( assert store.exists("", "password-hash") assert store.exists("", "user-password") assert store.exists("", "user-password-hash") - assert store.exists("", "ssh.id_ed25519") assert store.exists("", "zerotier-identity-secret") - # Assert that the ssh key is valid - ssh_secret = store.get("", "ssh.id_ed25519").decode() - ssh_pub = machine_get_fact(flake.path, "vm1", "ssh.id_ed25519.pub") - assert is_valid_ssh_key(ssh_secret, ssh_pub) - # Assert that root-password is valid pwd_secret = store.get("", "password").decode() assert pwd_secret.isprintable() From 9c6e04fa3f5181ce311bd12c925531e7cd4b4e42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 13:17:50 +0100 Subject: [PATCH 3/9] vars: introduce ensure_machine_has_access method for sops this should help avoiding overriding existing shared secrets by not triggering vars regeneration if a machine has no access. wip --- pkgs/clan-cli/clan_cli/vars/generate.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py index e20de0c7a..a0a7c5965 100644 --- a/pkgs/clan-cli/clan_cli/vars/generate.py +++ b/pkgs/clan-cli/clan_cli/vars/generate.py @@ -297,6 +297,10 @@ def _check_can_migrate( if machine.secret_vars_store.exists( generator_name, fname, vars_generator["share"] ): + if vars_generator["deploy"]: + machine.secret_vars_store.ensure_machine_has_access( + generator_name, fname, vars_generator["share"] + ) return False else: if machine.public_vars_store.exists( From 3730960078b62b5f58213602fd8f2955840f57fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 17:29:08 +0100 Subject: [PATCH 4/9] tests: set stateVersion --- checks/lib/test-base.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/checks/lib/test-base.nix b/checks/lib/test-base.nix index 0aef4cac8..74570c3df 100644 --- a/checks/lib/test-base.nix +++ b/checks/lib/test-base.nix @@ -13,6 +13,7 @@ in ]; documentation.enable = lib.mkDefault false; nix.settings.min-free = 0; + system.stateVersion = lib.version; }; # to accept external dependencies such as disko From 5d057594e5a06d71727241fb43b3ef9f6f6c0020 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 17:29:19 +0100 Subject: [PATCH 5/9] vars/test-backup: set ssh key --- .../per-machine/test-backup/ssh.id_ed25519.pub/value | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename machines/test-backup/facts/ssh.id_ed25519.pub => vars/per-machine/test-backup/ssh.id_ed25519.pub/value (100%) diff --git a/machines/test-backup/facts/ssh.id_ed25519.pub b/vars/per-machine/test-backup/ssh.id_ed25519.pub/value similarity index 100% rename from machines/test-backup/facts/ssh.id_ed25519.pub rename to vars/per-machine/test-backup/ssh.id_ed25519.pub/value From a4e03a85eb17111c1ee8f3950c0119031b6b9732 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 17:33:04 +0100 Subject: [PATCH 6/9] vars: don't print stack trace if generator fails --- pkgs/clan-cli/clan_cli/vars/generate.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py index a0a7c5965..9d1604247 100644 --- a/pkgs/clan-cli/clan_cli/vars/generate.py +++ b/pkgs/clan-cli/clan_cli/vars/generate.py @@ -404,7 +404,7 @@ def generate_vars( ) machine.flush_caches() except Exception as exc: - log.exception(f"Failed to generate facts for {machine.name}") + log.error(f"Failed to generate facts for {machine.name}: {exc}") # noqa errors += [exc] if len(errors) > 0: msg = f"Failed to generate facts for {len(errors)} hosts. Check the logs above" From 2a5c735c9017cd7bc0442ecb75c776224e3f6886 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 17:33:57 +0100 Subject: [PATCH 7/9] Update vars via generator openssh for machine test-backup --- checks/backups/flake-module.nix | 13 +++++++++- sops/machines/test-backup/key.json | 4 ++++ sops/secrets/test-backup-age.key/secret | 20 ++++++++++++++++ .../openssh/ssh.id_ed25519.pub/value | 1 + .../ssh.id_ed25519/machines/test-backup | 1 + .../test-backup/openssh/ssh.id_ed25519/secret | 24 +++++++++++++++++++ .../test-backup/ssh.id_ed25519.pub/value | 1 - 7 files changed, 62 insertions(+), 2 deletions(-) create mode 100755 sops/machines/test-backup/key.json create mode 100644 sops/secrets/test-backup-age.key/secret create mode 100644 vars/per-machine/test-backup/openssh/ssh.id_ed25519.pub/value create mode 120000 vars/per-machine/test-backup/openssh/ssh.id_ed25519/machines/test-backup create mode 100644 vars/per-machine/test-backup/openssh/ssh.id_ed25519/secret delete mode 100644 vars/per-machine/test-backup/ssh.id_ed25519.pub/value diff --git a/checks/backups/flake-module.nix b/checks/backups/flake-module.nix index a48a3bd21..1476dc1d7 100644 --- a/checks/backups/flake-module.nix +++ b/checks/backups/flake-module.nix @@ -24,7 +24,6 @@ imports = [ self.clanModules.borgbackup self.clanModules.localbackup - self.clanModules.sshd ]; clan.core.networking.targetHost = "machine"; networking.hostName = "machine"; @@ -36,6 +35,16 @@ machine.publicKey = builtins.readFile ../lib/ssh/pubkey; }; + services.openssh = { + enable = true; + hostKeys = [ + { + path = "/root/.ssh/id_ed25519"; + type = "ed25519"; + } + ]; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ ../lib/ssh/pubkey ]; systemd.tmpfiles.settings."vmsecrets" = { @@ -69,6 +78,8 @@ }; }; clan.core.facts.secretStore = "vm"; + # TODO: set this backend as well, once we have implemented it. + #clan.core.vars.settings.secretStore = "vm"; environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ]; environment.etc.install-closure.source = "${closureInfo}/store-paths"; diff --git a/sops/machines/test-backup/key.json b/sops/machines/test-backup/key.json new file mode 100755 index 000000000..a58accffa --- /dev/null +++ b/sops/machines/test-backup/key.json @@ -0,0 +1,4 @@ +{ + "publickey": "age1ez6xlcxl5k2uekcjvsu5wjca29f0j3lml0kq8fnvnkugvnj4pyjsyzuc93", + "type": "age" +} \ No newline at end of file diff --git a/sops/secrets/test-backup-age.key/secret b/sops/secrets/test-backup-age.key/secret new file mode 100644 index 000000000..b57f62f6a --- /dev/null +++ b/sops/secrets/test-backup-age.key/secret @@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:4Rx8J1mQjaJTmpN5ZBWWKBdObgjd4qjuEWkmXHHWeBUPi0nvYL00vFmdu2LeJYEmZaEP4urEGe9TlACB8JoC6ahI9iuXCWnzzA4=,iv:wOWFcNDU8+ur8sZRxlMr+TlzZmbsvE5o/FfXnINBmag=,tag:jHf+rpnSca9T0ntN93wSaw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpNE9nbmpoanhERGxuVUFL\ndnFPaVI1eXNqNENjeHVNV0Z0Rmx6NDJXNWtFCjdlOXhiU3hTRWRWVjJGMXpUTGtE\naUd5VUNUc2RML29ZSkJYWEd0VnJOc1UKLS0tIG9FdlNsMk5ETmRzaGEzRmN4allC\ncUMzd2N3dW03N0VvWit1eE9OVVRFcWsKzocpuGOlf3kYxbUDvVHP7G27G5n8vWFg\n5Jjf4qaW+ioXpqD0moHVVygbXXB6zkfrJraMaC9Sccdl8eLJNWuE0g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-14T16:33:56Z", + "mac": "ENC[AES256_GCM,data:7G6svIuQrI2O5JZ3thNH6om8n3sdoTukfRQqOZ5/x28/BuVyfybsPP2So5MPlT4/OGPvhBGVWhHZ9W201zXOrzAI5T+bR2uX6VDeISRMscniVehnuAwipwCSqkBYO+FfvGjMSh8/kyF20PJR/Ta28qTcO7FKph2BgcOjhl1A0dM=,iv:BpqQT+rRk5mdCLY0dMoKyevhkJZ/dczeQPVSn+qzA9I=,tag:/gxOqChMYz4M65Z1SIcMsg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/vars/per-machine/test-backup/openssh/ssh.id_ed25519.pub/value b/vars/per-machine/test-backup/openssh/ssh.id_ed25519.pub/value new file mode 100644 index 000000000..5fbd460d6 --- /dev/null +++ b/vars/per-machine/test-backup/openssh/ssh.id_ed25519.pub/value @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnWhu8zt/mD+TlIKr8Req4c+BCgqYuDOcZfmzj6kflF nixbld@turingmachine diff --git a/vars/per-machine/test-backup/openssh/ssh.id_ed25519/machines/test-backup b/vars/per-machine/test-backup/openssh/ssh.id_ed25519/machines/test-backup new file mode 120000 index 000000000..152c24e38 --- /dev/null +++ b/vars/per-machine/test-backup/openssh/ssh.id_ed25519/machines/test-backup @@ -0,0 +1 @@ +../../../../../../sops/machines/test-backup \ No newline at end of file diff --git a/vars/per-machine/test-backup/openssh/ssh.id_ed25519/secret b/vars/per-machine/test-backup/openssh/ssh.id_ed25519/secret new file mode 100644 index 000000000..74f17e533 --- /dev/null +++ b/vars/per-machine/test-backup/openssh/ssh.id_ed25519/secret @@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:KYuyTnrrzYUFWh+mXiy2puoW4BftckADAroO4FzpH6OJ9Hd9wUEj0iGcOqkb/VDmwaJxw5L7rqBHNNiKFXRNPsybTUUUQHFx35TWpS+sX16Y9F3vXF/LS+7B7R+EioFD2WViPOFvUM/8SJwF87gtCs8r8P46YQhpfS01GgGlFiPyOB0S6l/2RzGn4oJyseZIR+rF7SGDigIvFYyHzkufIKnTyaA3dkS+wLwZZLDmkzv9iNeHMqSecUOPlvqPgfizvjV8exNjVlypXAhX2fePHZhC+DOLdUrFy0aLfY+tejfJNKwwcc3krNwT94c0cSNvgylYVPyoU308eAzaDZufjSmZhc+kYPSO8bwemoX6eBnDy7vd3UzAQ/VfmPKoBuL8KzjSk02wUC5/Q8su1Xk397O12SS3GhGm3BAzMOf/QgqZK7eQsyOX2iBefoZTQ4rIED/szp2++KU1BFppXpvK1sdvcLg3g9v5pKvTgMGh25rJe/LI+jYFlPMdGgv1tY1GI504SM8B8l8a/9Ti1b7apO6QrUeT3Q/0jpJu,iv:YWZDzxpnrkTOmDJ/+0iO55dtbvX+UjqGctDduF3c1Sk=,tag:Q7e/9+0ClQn5bCGxoW+lOQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQY1AzdmJGWitIYWlEUVM2\nTkRNeVZRYXg5SXRqdlRSOG9NaE8wNTZrU1FBCkRPOGE0bEZsMHdCSUdXQVE1UmVT\nMk9ZSHNZY0FXRG5WQVFaLzY3Ry9GeVEKLS0tIENHM09SWUJqMFJZbjBzdmp4eXlo\nNGJ2QWZaR1NiKzNVQXRVUnJSc2JycG8K9czRLJeCJp8vmPUY339x8Lvux3WDbrdJ\nbp7ynECENrgyP+5CdxopUQMGWptdjTYVho3nKv5NL+rjUZkfagV8HA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ez6xlcxl5k2uekcjvsu5wjca29f0j3lml0kq8fnvnkugvnj4pyjsyzuc93", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4QVRianYxZ01QWEFSckdl\nd0taZlBWbTlkZHVmd2RXdmxYUjV3K3hHNzBJClMyQktNNWYrQTZkY09GL2dmYkRp\nOGl4WG85OHgxUWdDZVV3R1lDdjRZK2MKLS0tIHN3Ykk0OXA2c0o0a0RkTTZoZHZU\nTWJac09PM1J6clk2bDZxQVFyc29KbG8KZjHj109+FTmldFcdbLEGwSULWt3fLDXf\nYkeWVRa0rB2OtDxLrE6eq4QC1uGZ7KyCwAVqcMyriRMkje3121FBTQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-14T16:33:58Z", + "mac": "ENC[AES256_GCM,data:vWP3TwsjWwWg+gByhdcGVRR08jnH+AS8cOiuNic8AN2ozGZMP0C6mc5EER44wZiGeBWPdoTjqv9tQld4Gc5sWKuZ6QziNIqV/4WBwLwOTRmpVkJNpivJpCTdVyzQKv43xVk/e/ED8wTG6X9M83IGhMX6tUw9XxbCuJiZw61N/6Q=,iv:PTiwi9l16uKGQtNWXovA0Gjzg45O+T75BPT35gOzZLM=,tag:3AXwu/Va7yMsYlpd9Ss6hw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file diff --git a/vars/per-machine/test-backup/ssh.id_ed25519.pub/value b/vars/per-machine/test-backup/ssh.id_ed25519.pub/value deleted file mode 100644 index a23c24019..000000000 --- a/vars/per-machine/test-backup/ssh.id_ed25519.pub/value +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILns3iEVA7MaN+K8qVRFywVOjBZsGyfRuBl26nGL/tXe nixbld@turingmachine From d4967e9d4ec36c47d59c62c05587109cb74a2801 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 17:39:52 +0100 Subject: [PATCH 8/9] backup: remove unused variable --- checks/backups/flake-module.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/backups/flake-module.nix b/checks/backups/flake-module.nix index 1476dc1d7..2707b5322 100644 --- a/checks/backups/flake-module.nix +++ b/checks/backups/flake-module.nix @@ -133,7 +133,7 @@ }; }; perSystem = - { nodes, pkgs, ... }: + { pkgs, ... }: { checks = pkgs.lib.mkIf (pkgs.stdenv.isLinux) { test-backups = (import ../lib/test-base.nix) { From 8f1e393bc4fd6fa73bf9b0bcf2f08e1048bf816f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 14 Nov 2024 17:52:02 +0100 Subject: [PATCH 9/9] also deploy host ca to server --- clanModules/sshd/roles/client.nix | 5 ----- clanModules/sshd/shared.nix | 6 ++++++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/clanModules/sshd/roles/client.nix b/clanModules/sshd/roles/client.nix index 777363f14..bdd61dbe9 100644 --- a/clanModules/sshd/roles/client.nix +++ b/clanModules/sshd/roles/client.nix @@ -3,9 +3,4 @@ imports = [ ../shared.nix ]; - programs.ssh.knownHosts.ssh-ca = lib.mkIf (config.clan.sshd.certificate.searchDomains != [ ]) { - certAuthority = true; - extraHostNames = builtins.map (domain: "*.${domain}") config.clan.sshd.certificate.searchDomains; - publicKey = config.clan.core.vars.generators.openssh-ca.files."id_ed25519.pub".value; - }; } diff --git a/clanModules/sshd/shared.nix b/clanModules/sshd/shared.nix index 768a54988..713ae1c7f 100644 --- a/clanModules/sshd/shared.nix +++ b/clanModules/sshd/shared.nix @@ -39,5 +39,11 @@ ssh-keygen -t ed25519 -N "" -f $out/id_ed25519 ''; }; + + programs.ssh.knownHosts.ssh-ca = lib.mkIf (config.clan.sshd.certificate.searchDomains != [ ]) { + certAuthority = true; + extraHostNames = builtins.map (domain: "*.${domain}") config.clan.sshd.certificate.searchDomains; + publicKey = config.clan.core.vars.generators.openssh-ca.files."id_ed25519.pub".value; + }; }; }