From 61bde2d4c40119e1429b60dd49b7f5e7978ac494 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Mon, 24 Jan 2022 10:55:40 -0700
Subject: [PATCH] Specify ssh-keys as list of strings, rather than having a
 single string.

Older versions of nixpkgs allowed you to specify multiple keys by having
newline separated keys in your string. However, this worked essentially by
accident, and is now explicitly disallowed.

I noticed this because I had configured multiple keys for the local grid.  This
isn't currently impacting my ability to work, but it seems like a worthwhile
improvement anyway. This will be necessary (for example) if/when multiple people are
given root access to our storage nodes.
---
 morph/grid/local/public-keys/users.nix.example | 13 +++++++++----
 morph/grid/production/public-keys/users.nix    |  8 ++++++--
 morph/grid/testing/public-keys/users.nix       |  4 ++--
 nixos/modules/ssh.nix                          |  6 +++---
 nixos/tests/private-storage.nix                |  8 ++++----
 5 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/morph/grid/local/public-keys/users.nix.example b/morph/grid/local/public-keys/users.nix.example
index 10a60be1..4e4794de 100644
--- a/morph/grid/local/public-keys/users.nix.example
+++ b/morph/grid/local/public-keys/users.nix.example
@@ -1,6 +1,11 @@
+let
 # Add your public key. Example:
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+# key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
 # You can use the following to get key from the local machine.
-# let key = builtins.readFile ~/.ssh/id_ed25519.pub;
-let key = undefined;
-in { "root" = key; "vagrant" = key; }
+# key = builtins.readFile ~/.ssh/id_ed25519.pub;
+  key = undefined;
+  keys = [key]
+in {
+  "root" = keys;
+  "vagrant" = keys;
+}
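Review bot: `keys = [key]` on the line just above `in` lacks the semicolon Nix requires after every `let` binding, so this example will not parse once a user copies it to users.nix and fills in their key; it should read `keys = [key];`. The commented-out hints above it are otherwise consistent with the new shape, since `keys` wraps the single `key` in a list.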
diff --git a/morph/grid/production/public-keys/users.nix b/morph/grid/production/public-keys/users.nix
index 8b586703..9dcc90ea 100644
--- a/morph/grid/production/public-keys/users.nix
+++ b/morph/grid/production/public-keys/users.nix
@@ -1,2 +1,6 @@
-let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
-in { "root" = key; "jcalderone" = key; }
+let
+  jcalderone = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom"];
+in {
+  "root" = jcalderone;
+  "jcalderone" = jcalderone;
+}
diff --git a/morph/grid/testing/public-keys/users.nix b/morph/grid/testing/public-keys/users.nix
index d6a96501..14647efb 100644
--- a/morph/grid/testing/public-keys/users.nix
+++ b/morph/grid/testing/public-keys/users.nix
@@ -1,6 +1,6 @@
 let
-  jcalderone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
-  flo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+  jcalderone = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"];
+  flo = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la"];
 in
   {
     "root" = jcalderone;
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index eb55fbf2..8d5d5766 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -6,7 +6,7 @@
 }: {
   options = {
     services.private-storage.sshUsers = lib.mkOption {
-      type = lib.types.attrsOf lib.types.str;
+      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
       example = { root = "ssh-ed25519 AAA..."; };
       description = ''
         Users to configure on the issuer server and the storage servers and
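Review bot: The `example` on the line after the changed `type` still shows a bare string, `root = "ssh-ed25519 AAA...";`, which no longer matches `attrsOf (listOf str)`; it should become `example = { root = [ "ssh-ed25519 AAA..." ]; };` so the rendered option documentation agrees with the declared type. The `description` that starts at the end of this hunk continues outside it, so check that it also describes each user as mapping to a list of keys. It may be worth using `lib.types.nonEmptyListOf lib.types.str` instead, since an empty list for a user such as `root` silently installs no authorized key at all, though that may be intended on some hosts. The second hunk in this file, which passes `sshPublicKeys` straight through to `openssh.authorizedKeys.keys`, needs no change.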
@@ -44,9 +44,9 @@
     };
 
     users.users =
-      let makeUserConfig = username: sshPublicKey: {
+      let makeUserConfig = username: sshPublicKeys: {
         isNormalUser = username != "root";
-        openssh.authorizedKeys.keys = [ sshPublicKey ];
+        openssh.authorizedKeys.keys = sshPublicKeys;
       };
       in builtins.mapAttrs makeUserConfig cfg.sshUsers;
   };
diff --git a/nixos/tests/private-storage.nix b/nixos/tests/private-storage.nix
index eaff1ed5..80eb67be 100644
--- a/nixos/tests/private-storage.nix
+++ b/nixos/tests/private-storage.nix
@@ -2,12 +2,12 @@
 let
   ourpkgs = pkgs.callPackage ../pkgs { };
 
-  sshPrivateKey = ./probeuser_ed25519;
-  sshPublicKey = ./probeuser_ed25519.pub;
+  sshPrivateKeyFile = ./probeuser_ed25519;
+  sshPublicKeyFile = ./probeuser_ed25519.pub;
 
   sshUsers = {
-    root = (builtins.readFile sshPublicKey);
-    probeuser = (builtins.readFile sshPublicKey);
+    root = [(builtins.readFile sshPublicKeyFile)];
+    probeuser = [(builtins.readFile sshPublicKeyFile)];
   };
 
   # This is a test double of the Stripe API server.  It is extremely simple.
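Review bot: `builtins.readFile sshPublicKeyFile` returns the file contents including the trailing newline, so each list element is a key followed by `\n`; with the old single-string type that was harmless, but now that nixpkgs rejects newline-separated keys (as the commit message says) a trailing newline may trip the same check, and at best it leaves a blank line in the generated authorized_keys. Strip it at the source with `root = [(pkgs.lib.fileContents sshPublicKeyFile)];` and likewise for `probeuser`; `pkgs` is already in scope on the `ourpkgs` line. The commented-out `key = builtins.readFile ~/.ssh/id_ed25519.pub;` hint in users.nix.example carries the same caveat.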
-- 
GitLab