From 61bde2d4c40119e1429b60dd49b7f5e7978ac494 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Mon, 24 Jan 2022 10:55:40 -0700
Subject: [PATCH] Specify ssh-keys as list of strings, rather than having a single string.

Older versions of nixpkgs allowed you to specify multiple keys by having newline separated keys in your string. However, this worked essentially by accident, and is now explictly disallowed. I noticed this because I had configured multiple keys for the local grid. This isn't currently impacting my ability to work, but it seems like a worthwhile improvement anyway. This will be necessary (for example) if/when multiple people are given root access to our storage nodes.
---
 morph/grid/local/public-keys/users.nix.example | 13 +++++++++----
 morph/grid/production/public-keys/users.nix | 8 ++++++--
 morph/grid/testing/public-keys/users.nix | 4 ++--
 nixos/modules/ssh.nix | 6 +++---
 nixos/tests/private-storage.nix | 8 ++++----
 5 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/morph/grid/local/public-keys/users.nix.example b/morph/grid/local/public-keys/users.nix.example
index 10a60be1..4e4794de 100644
--- a/morph/grid/local/public-keys/users.nix.example
+++ b/morph/grid/local/public-keys/users.nix.example
@@ -1,6 +1,11 @@
+let
 # Add your public key. Example:
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+# key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
 # You can use the following to get key from the local machine.
-# let key = builtins.readFile ~/.ssh/id_ed25519.pub;
-let key = undefined;
-in { "root" = key; "vagrant" = key; }
+# key = builtins.readFile ~/.ssh/id_ed25519.pub;
+ key = undefined;
+ keys = [key]
+in {
+ "root" = keys;
+ "vagrant" = keys;
+}
diff --git a/morph/grid/production/public-keys/users.nix b/morph/grid/production/public-keys/users.nix
index 8b586703..9dcc90ea 100644
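Review bot: `keys = [key]` in the new `let` block of users.nix.example is missing its terminating semicolon, so the example fails to parse as soon as someone copies it into users.nix; it should read `keys = [key];`. Because this file is the template operators copy for the local grid, a parse error is the first thing they will hit after replacing `undefined`. The comment lines could also show how to list several keys, e.g. `# keys = [key otherKey];`, since allowing more than one key per user is the point of this change.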
--- a/morph/grid/production/public-keys/users.nix
+++ b/morph/grid/production/public-keys/users.nix
@@ -1,2 +1,6 @@
-let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
-in { "root" = key; "jcalderone" = key; }
+let
+ jcalderone = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom"];
+in {
+ "root" = jcalderone;
+ "jcalderone" = jcalderone;
+}
diff --git a/morph/grid/testing/public-keys/users.nix b/morph/grid/testing/public-keys/users.nix
index d6a96501..14647efb 100644
--- a/morph/grid/testing/public-keys/users.nix
+++ b/morph/grid/testing/public-keys/users.nix
@@ -1,6 +1,6 @@
 let
- jcalderone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
- flo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+ jcalderone = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"];
+ flo = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la"];
 in {
 "root" = jcalderone;
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index eb55fbf2..8d5d5766 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -6,7 +6,7 @@
 }: {
 options = {
 services.private-storage.sshUsers = lib.mkOption {
- type = lib.types.attrsOf lib.types.str;
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
 example = { root = "ssh-ed25519 AAA..."; };
 description = ''
 Users to configure on the issuer server and the storage servers and
@@ -44,9 +44,9 @@
 };
 users.users =
- let makeUserConfig = username: sshPublicKey: {
+ let makeUserConfig = username: sshPublicKeys: {
 isNormalUser = username != "root";
- openssh.authorizedKeys.keys = [ sshPublicKey ];
+ openssh.authorizedKeys.keys = sshPublicKeys;
 };
 in builtins.mapAttrs makeUserConfig cfg.sshUsers;
 };
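Review bot: In the first nixos/modules/ssh.nix hunk the option type becomes `attrsOf (listOf str)`, but the `example` on the following context line still shows a bare string, so the generated option documentation now contradicts the type; change it to `example = { root = [ "ssh-ed25519 AAA..." ]; };`. The option's `description` is cut off by the hunk, so it may need the same wording update if it speaks of a single key. In the second hunk, `listOf` also admits an empty list, which produces a user with no authorized keys at all; if that is never intended, `lib.types.nonEmptyListOf lib.types.str` rejects it at evaluation time instead of at first login.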
diff --git a/nixos/tests/private-storage.nix b/nixos/tests/private-storage.nix
index eaff1ed5..80eb67be 100644
--- a/nixos/tests/private-storage.nix
+++ b/nixos/tests/private-storage.nix
@@ -2,12 +2,12 @@
 let
 ourpkgs = pkgs.callPackage ../pkgs { };
- sshPrivateKey = ./probeuser_ed25519;
- sshPublicKey = ./probeuser_ed25519.pub;
+ sshPrivateKeyFile = ./probeuser_ed25519;
+ sshPublicKeyFile = ./probeuser_ed25519.pub;
 sshUsers = {
- root = (builtins.readFile sshPublicKey);
- probeuser = (builtins.readFile sshPublicKey);
+ root = [(builtins.readFile sshPublicKeyFile)];
+ probeuser = [(builtins.readFile sshPublicKeyFile)];
 };
 # This is a test double of the Stripe API server. It is extremely simple.
-- 
GitLab
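Review bot: The test in nixos/tests/private-storage.nix still assigns exactly one key to each user, so the multi-key case that motivated this change is not exercised; the module would pass unchanged even if only the first list element reached `authorizedKeys.keys`. Consider giving `root` a second, clearly labelled placeholder public key next to `builtins.readFile sshPublicKeyFile` and checking that both end up in the generated authorized_keys. The enclosing `let` continues outside the hunk, and the rename to `sshPrivateKeyFile`/`sshPublicKeyFile` presumably has matching updates at the use sites, which are not visible here.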