diff options
| author | Soispha <soispha@vhack.eu> | 2023-07-08 16:58:23 +0200 |
|---|---|---|
| committer | Soispha <soispha@vhack.eu> | 2023-07-08 16:58:23 +0200 |
| commit | 5bb8cb35c5d084a34cbf80f76502a567c55175ec (patch) | |
| tree | 34e77475bfb91bccfff52e49da69226654e9af7b | |
| parent | Fix(system/services/keycloak): Use agenix to store passwd (diff) | |
| download | nixos-server-5bb8cb35c5d084a34cbf80f76502a567c55175ec.tar.gz nixos-server-5bb8cb35c5d084a34cbf80f76502a567c55175ec.zip | |
Fix(system/secrets): Ensure that ssh host key is available in stage 2
The `/var/lib/sshd` directory is only mounted _after_ the stage 2 init, thus also after the system activation. Agenix, which runs in the system activation needs the hostkey however to decrypt the secrets needed for some units (as of right now only keycloak). Alas the only way I see to achieve that is to store the ssh hostkey directly on /srv, which is mounted before (it's marked as 'neededForBoot' after all) the stage 2 init. It should be possible to achieve this with impermanence however, as `/var/log` is mounted in the stage 1 init; The problem is that I have no idea _why_ only this is the only directory mounted and nothing else.
| -rw-r--r-- | system/impermanence/mods/openssh.nix | 11 | ||||
| -rw-r--r-- | system/services/openssh/default.nix | 6 |
2 files changed, 16 insertions, 1 deletions
diff --git a/system/impermanence/mods/openssh.nix b/system/impermanence/mods/openssh.nix index 656f96e..0373a83 100644 --- a/system/impermanence/mods/openssh.nix +++ b/system/impermanence/mods/openssh.nix @@ -1,4 +1,14 @@ {...}: { + /* + FIXME: + This results in a boot error, as the `/var/lib/sshd` directory is only mounted _after_ the stage 2 init and with it the system activation. + Agenix needs the sshd hostkey however to decrypt the secrets and such we have to ensure that this directory is mounted _before_ the system activation. + Alas the only way I see to achieve that is to store the ssh hostkey directly on /srv, which is mounted before (it's marked as 'neededForBoot' after all). + + It should be possible to achieve this with impermanence however, as `/var/log` is mounted in the stage 1 init; The problem is that I have no idea _why_ only + this is mounted and nothing else. + + environment.persistence."/srv".directories = [ { directory = "/var/lib/sshd"; @@ -7,4 +17,5 @@ mode = "0755"; } ]; + */ } diff --git a/system/services/openssh/default.nix b/system/services/openssh/default.nix index 8b28cbd..46b7ffd 100644 --- a/system/services/openssh/default.nix +++ b/system/services/openssh/default.nix @@ -4,7 +4,11 @@ settings.PasswordAuthentication = false; hostKeys = [ { - path = "/var/lib/sshd/ssh_host_ed25519_key"; + # See the explanation for this in /system/impermanence/mods/openssh.nix + # path = "/var/lib/sshd/ssh_host_ed25519_key"; + + # FIXME: Remove this workaround + path = "/srv/var/lib/sshd/ssh_host_ed25519_key"; rounds = 1000; type = "ed25519"; } |