-builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/21cf33331027a4f3aa3d9fa6e57170c34ca68fc1.tar.gz"; sha256="055b7k3q7w5n2787pm3khrh9y92ibj5x8f72nb5nvxsrd615qdnq";}
+builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/1085c056376041af71e8f1cf72c1ed4a4db01dc6.tar.gz"; sha256="17sh68825jhjfpn1q02ni8xifrgaszz494irx096f0mmi2k2lkqp";}
enable = true;
version = 2;
copyKernels = true;
- configurationLimit = 3;
+ configurationLimit = 1;
# efiSupport = true;
# In case canTouchEfiVariables doesn't work
#efiInstallAsRemovable = true;
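Review bot: `configurationLimit = 1` on the added line keeps only the current generation in the GRUB menu, so a generation that fails to boot leaves no older entry to fall back to from the console; the hunk at L11-19 makes the same change. If the intent is to save space on /boot, a comment saying so would stop a later reader from raising the limit without knowing the constraint, e.g. `# Only the current generation: no rollback entry in the menu.`. The enclosing `boot.loader.grub` attribute set starts before this hunk.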
enable = true;
version = 2;
copyKernels = true;
- configurationLimit = 3;
+ configurationLimit = 1;
efiSupport = true;
- # Vecause canTouchEfiVariables doesn't work on this system
+ # Because canTouchEfiVariables doesn't work on this system
efiInstallAsRemovable = true;
devices = [
# Completed in the importing configuration
map import
[ overlays/lib/filesystem.nix
overlays/lib/strings.nix
- overlays/gitweb.nix
overlays/public-inbox.nix
overlays/smartctl-tbw.nix
overlays/swaplist.nix
+++ /dev/null
-self: super:
-{
- gitweb = super.gitweb.override {
- git = super.git.overrideAttrs (attrs: {
- doCheck = false;
- doInstallCheck = false;
- patches = attrs.patches ++ [gitweb/0001-gitweb-fix-UTF-8-encoding-when-using-CGI-Fast.patch];
- });
- };
-}
# a different port for dropbear is useful
# (assuming the same host has also a normal sshd running)
port = 2222;
- # The initrd needs a cleartext key and is built on the host,
- # hence this key needs to be cleartext on the host.
- # Moreover building the initrd means that the key will go into the Nix store,
- # of the host, then of the target on deployment,
- # because GRUB does not support boot.initrd.secrets
- # (only systemd-boot does, but sticking to GRUB is more reassuring).
- # In any case, the initrd is sent to a non-encrypted /boot partition
- # to be able to start unattended, hence the key will be available
- # to anyone who has physically access to the disk where /boot is.
- hostKeys = [
- (pass-to-file "servers/losurdo/ssh/ecdsa.key"
- (../../../sec + "/tmp/losurdo.ecdsa.key"))
- ];
-
authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
};
# This will automatically load the zfs password prompt on login
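Review bot: Removing `hostKeys` here also drops the comment block that documented where the cleartext key ends up, but the residual exposure it described does not appear to change: the replacement `boot.initrd.network.ssh.hostKeys = [ "/run/${initrdKey}" ]` in the next hunk still has to get the key into an initrd that is sent to the non-encrypted /boot partition, so anyone with physical access to that disk can presumably still read it. That is a documentation regression; a shortened note belongs next to the new attribute, e.g. `# NOTE: the key is no longer in the Nix store, but it still ends up in the initrd on the unencrypted /boot partition, readable with physical access to the disk.`. The mermet hunk at L84-116 removes the same comment block and would take the same note. The enclosing `boot.initrd.network` attribute set starts before this hunk.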
let
inherit (config.security) pass;
rootKey = "root/key";
+ initrdKey = "initrd/ssh.key";
in
{
imports = [
};
install.ssh-nixos = {
PATH = with pkgs; [gnupg openssh];
- # Decrypt the rootKey passphrase and send it to the target host.
+ # Decrypt the rootKey passphrase and the initrd SSH host key
+ # and send them to the target host.
script = lib.mkBefore ''
gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
+ gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
+ ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /run/${initrdKey}
'';
};
+boot.initrd.network.ssh.hostKeys = [ "/run/${initrdKey}" ];
systemd.services = lib.mapAttrs' (target: secret:
# Start the rootKey service before the other services decrypting secrets.
lib.nameValuePair (lib.removeSuffix ".service" secret.service)
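Review bot: The new `boot.initrd.network.ssh.hostKeys = [ "/run/${initrdKey}" ]` points into /run, which is normally a volatile filesystem, so the host key that `install.ssh-nixos` writes with `install -D -m 400 ... /run/${initrdKey}` is gone after the target reboots; any later rebuild on the target that reads this path without the deploy script having run first would presumably not find it — worth confirming against how the `hostKeys` path is consumed. A comment on that line should state the dependency, e.g. `# NOTE: /run is volatile; this key only exists after install.ssh-nixos has run since the last boot.`. The secret naming is also inconsistent: the root passphrase is `${rootKey}.pass.gpg` while this key is `${initrdKey}.gpg`. The mermet hunk at L117-140 makes the identical change and shares both points. The `systemd.services = lib.mapAttrs'` expression that closes this hunk continues past it.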
boot.initrd.network = {
enable = true;
ssh = {
- enable = true;
- # To prevent ssh from freaking out because a different host key is used,
- # a different port for dropbear is useful
- # (assuming the same host has also a normal sshd running)
- port = 2222;
- # The initrd needs a cleartext key and is built on the host,
- # hence this key needs to be cleartext on the host.
- # Moreover building the initrd means that the key will go into the Nix store,
- # of the host, then of the target on deployment,
- # because GRUB does not support boot.initrd.secrets
- # (only systemd-boot does, but sticking to GRUB is more reassuring).
- # In any case, the initrd is sent to a non-encrypted /boot partition
- # to be able to start unattended, hence the key will be available
- # to anyone who has physically access to the disk where /boot is.
- # NOTE: dropbearkey -t ecdsa -f /tmp/dropbear-ecdsa.key
- hostKeys = [
- (pass-to-file "servers/mermet/ssh/ecdsa.key"
- (../../../sec + "/tmp/mermet.ecdsa.key"))
- ];
-
- authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
+ enable = true;
+ # To prevent ssh from freaking out because a different host key is used,
+ # a different port for dropbear is useful
+ # (assuming the same host has also a normal sshd running)
+ port = 2222;
+ authorizedKeys = users.users.root.openssh.authorizedKeys.keys;
};
# This will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue
let
inherit (config.security) pass;
rootKey = "root/key";
+ initrdKey = "initrd/ssh.key";
in
{
imports = [
};
install.ssh-nixos = {
PATH = with pkgs; [gnupg openssh];
- # Decrypt the rootKey passphrase and send it to the target host.
+ # Decrypt the rootKey passphrase and the initrd SSH host key
+ # and send them to the target host.
script = lib.mkBefore ''
gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
+ gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
+ ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /run/${initrdKey}
'';
};
+boot.initrd.network.ssh.hostKeys = [ "/run/${initrdKey}" ];
systemd.services = lib.mapAttrs' (target: secret:
# Start the rootKey service before the other services decrypting secrets.
lib.nameValuePair (lib.removeSuffix ".service" secret.service)