From cb3c46694e693ca658920746418418efd208ca45 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 8 Jun 2020 15:52:58 -0400
Subject: [PATCH] Move responsibility for SSH configuration

And add a test that (loosely) checks SSH availability
---
 nixos/modules/100tb.nix                 | 10 ----------
 nixos/modules/issuer.nix                |  5 +++++
 nixos/modules/private-storage.nix       |  2 ++
 nixos/modules/ssh.nix                   | 25 +++++++++++++++++++++++++
 nixos/modules/tests/private-storage.nix |  6 ++++++
 5 files changed, 38 insertions(+), 10 deletions(-)
 create mode 100644 nixos/modules/ssh.nix

diff --git a/nixos/modules/100tb.nix b/nixos/modules/100tb.nix
index ec4bf665..1bcb6ba1 100644
--- a/nixos/modules/100tb.nix
+++ b/nixos/modules/100tb.nix
@@ -69,11 +69,6 @@ let
       example = lib.literalExample "wwn-0x5000c500936410b9";
       description = "The ID of the disk on which to install grub.";
     };
-    rootPublicKey = lib.mkOption
-    { type = lib.types.str;
-      example = lib.literalExample "ssh-ed25519 AAAA... username@host";
-      description = "The public key to install for the root user.";
-    };
   };
 in {
   # Here we actually define the module's options.  They're what we said they
@@ -112,11 +107,6 @@ in {
 
     boot.loader.timeout = 1;
     networking.firewall.enable = false;
-    services.openssh.enable = true;
-
-    users.users.root.openssh.authorizedKeys.keys = [
-      cfg.rootPublicKey
-    ];
 
     networking.hostId = cfg.hostId;
     networking.dhcpcd.enable = false;
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 3e1e90d8..7654bf1f 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -5,6 +5,11 @@
   zkapissuer = pspkgs.callPackage ../pkgs/zkapissuer.nix { };
   cfg = config.services.private-storage-issuer;
 in {
+  imports = [
+    # Give it a good SSH configuration.
+    ../../nixos/modules/ssh.nix
+  ];
+
   options = {
     services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
     services.private-storage-issuer.package = lib.mkOption {
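Review bot: The new import path `../../nixos/modules/ssh.nix` is written relative to the repository root rather than to this file, which already lives in nixos/modules/; it resolves to the same file only because the directory happens to be named nixos/modules, and it differs from the `./ssh.nix` form used in private-storage.nix in this same commit. Using `./ssh.nix` here keeps the two modules consistent and survives a move of the modules directory. The rest of the module's `options` block continues outside the hunk.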
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index cc73d372..cada491e 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -30,6 +30,8 @@ in
   ];
 
   imports = [
+    # Give it a good SSH configuration.
+    ./ssh.nix
     # Load our tahoe-lafs module.  It is configurable in the way I want it to
     # be configurable.
     ./tahoe.nix
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
new file mode 100644
index 00000000..497efdf7
--- /dev/null
+++ b/nixos/modules/ssh.nix
@@ -0,0 +1,25 @@
+# A NixOS module which configures SSH access to a system.
+{
+  lib,
+  config,
+  ...
+}: {
+  options = {
+  };
+  config =
+  let
+    cfg = config."private-storage".config;
+  in {
+    # An attempt at a properly secure SSH configuration.  This is informed by
+    # personal experience as well as various web resources:
+    #
+    # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
+    services.openssh = {
+      enable = true;
+    };
+
+    users.users.root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"
+    ];
+  };
+}
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 1fe55c13..08a3e0d5 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -165,6 +165,12 @@ import <nixpkgs/nixos/tests/make-test.nix> {
       # Start booting all the VMs in parallel to speed up operations down below.
       startAll;
 
+      # The issuer and the storage server should accept SSH connections.  This
+      # doesn't prove it is so but if it fails it's a pretty good indication
+      # it isn't so.
+      $storage->waitForOpenPort(22);
+      $issuer->waitForOpenPort(22);
+
       # Set up a Tahoe-LAFS introducer.
       $introducer->copyFileFromHost(
           '${pemFile}',
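Review bot: `waitForOpenPort(22)` only proves something is listening on the port; since this commit is the one that centralises SSH configuration, the test could cheaply assert the policy it is meant to carry, e.g. `$storage->succeed("sshd -T | grep -qi '^passwordauthentication no'");` and the same for `$issuer` — this presumes ssh.nix actually disables password authentication, which the new module does not yet do. A check against the effective `sshd -T` output is more meaningful than an open-port probe and catches a regression in the shared module rather than just a missing service. The surrounding test script starts and ends outside the hunk.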
-- 
GitLab