From cb3c46694e693ca658920746418418efd208ca45 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 8 Jun 2020 15:52:58 -0400
Subject: [PATCH] Move responsibility for SSH configuration

And test for (kind of) SSH availability
---
 nixos/modules/100tb.nix                 | 10 ----------
 nixos/modules/issuer.nix                |  5 +++++
 nixos/modules/private-storage.nix       |  2 ++
 nixos/modules/ssh.nix                   | 25 +++++++++++++++++++++++++
 nixos/modules/tests/private-storage.nix |  6 ++++++
 5 files changed, 38 insertions(+), 10 deletions(-)
 create mode 100644 nixos/modules/ssh.nix

diff --git a/nixos/modules/100tb.nix b/nixos/modules/100tb.nix
index ec4bf665..1bcb6ba1 100644
--- a/nixos/modules/100tb.nix
+++ b/nixos/modules/100tb.nix
@@ -69,11 +69,6 @@ let
         example = lib.literalExample "wwn-0x5000c500936410b9";
         description = "The ID of the disk on which to install grub.";
       };
-      rootPublicKey = lib.mkOption
-      { type = lib.types.str;
-        example = lib.literalExample "ssh-ed25519 AAAA... username@host";
-        description = "The public key to install for the root user.";
-      };
   };
 in {
   # Here we actually define the module's options. They're what we said they
@@ -112,11 +107,6 @@ in {
   boot.loader.timeout = 1;
   networking.firewall.enable = false;
 
-  services.openssh.enable = true;
-
-  users.users.root.openssh.authorizedKeys.keys = [
-    cfg.rootPublicKey
-  ];
 
   networking.hostId = cfg.hostId;
   networking.dhcpcd.enable = false;
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 3e1e90d8..7654bf1f 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -5,6 +5,11 @@
   zkapissuer = pspkgs.callPackage ../pkgs/zkapissuer.nix { };
   cfg = config.services.private-storage-issuer;
 in {
+  imports = [
+    # Give it a good SSH configuration.
+    ../../nixos/modules/ssh.nix
+  ];
+
   options = {
     services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
     services.private-storage-issuer.package = lib.mkOption {
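Review bot: The new `imports` entry in issuer.nix reaches the module via `../../nixos/modules/ssh.nix`, a path that climbs to the repository root and back into the very directory issuer.nix lives in, while the parallel change in private-storage.nix uses `./ssh.nix`. Both resolve to the same file today, but the long form silently breaks if `nixos/modules/` is ever moved and reads as if the module lived somewhere else; for consistency use `./ssh.nix` here as well. The enclosing attribute set continues outside the hunk.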
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index cc73d372..cada491e 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -30,6 +30,8 @@ in
   ];
 
   imports = [
+    # Give it a good SSH configuration.
+    ./ssh.nix
     # Load our tahoe-lafs module.  It is configurable in the way I want it to
     # be configurable.
     ./tahoe.nix
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
new file mode 100644
index 00000000..497efdf7
--- /dev/null
+++ b/nixos/modules/ssh.nix
@@ -0,0 +1,25 @@
+# A NixOS module which configures SSH access to a system.
+{
+  lib,
+  config,
+  ...
+}: {
+  options = {
+  };
+  config =
+    let
+      cfg = config."private-storage".config;
+    in {
+      # An attempt at a properly secure SSH configuration.  This is informed by
+      # personal experience as well as various web resources:
+      #
+      # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
+      services.openssh = {
+        enable = true;
+      };
+
+      users.users.root.openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"
+      ];
+    };
+}
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 1fe55c13..08a3e0d5 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -165,6 +165,12 @@ import <nixpkgs/nixos/tests/make-test.nix> {
     # Start booting all the VMs in parallel to speed up operations down below.
     startAll;
 
+    # The issuer and the storage server should accept SSH connections.  This
+    # doesn't prove it is so but if it fails it's a pretty good indication
+    # it isn't so.
+    $storage->waitForOpenPort(22);
+    $issuer->waitForOpenPort(22);
+
     # Set up a Tahoe-LAFS introducer.
     $introducer->copyFileFromHost(
       '${pemFile}',
-- 
GitLab
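Review bot: The `users.users.root.openssh.authorizedKeys.keys` list in the new ssh.nix hard-codes a single engineer's personal ed25519 key, and because this same commit deletes the `rootPublicKey` option from 100tb.nix, every host that imports the module now grants that one key root access with no supported way to add, replace or rotate keys short of editing the shared module. Expose the key list as a module option instead (the empty `options = { };` stanza is already there, and the `cfg = config."private-storage".config;` binding in the `let` is unused and references a path nothing in this patch defines, so it can be dropped or repurposed), so each deployment supplies its own keys. Separately, the header comment promises "a properly secure SSH configuration" but the only setting applied is `enable = true;`; unless overridden elsewhere, the sshd defaults of this NixOS generation leave password and challenge-response authentication enabled, so with a root key installed the module should also set `passwordAuthentication = false;`, `challengeResponseAuthentication = false;` and `permitRootLogin = "prohibit-password";`. The key is public material, so committing it is an authorization-policy problem rather than a secret leak, but it still belongs in deployment configuration, not in a reusable module.
```nix
  options = {
    services.private-storage.rootAuthorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = lib.literalExample ''[ "ssh-ed25519 AAAA... username@host" ]'';
      description = "Public keys permitted to log in as root over SSH.";
    };
  };
  config = {
    # … unchanged: header comment and reference link …
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      challengeResponseAuthentication = false;
      permitRootLogin = "prohibit-password";
    };

    users.users.root.openssh.authorizedKeys.keys =
      config.services.private-storage.rootAuthorizedKeys;
  };
```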
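Review bot: The two `waitForOpenPort(22)` calls in the test script only block until something listens on port 22 inside each guest, so a crashing or misconfigured sshd is reported as a timeout at the end of the wait rather than as a failure of the SSH unit itself. Preceding each with `$storage->waitForUnit("sshd.service");` and `$issuer->waitForUnit("sshd.service");` fails fast on a broken service and gives the comment's "pretty good indication" a little more teeth; it still does not show that the installed root key is accepted or that password login is refused, which the comment already concedes. The test script continues outside the hunk.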