From cb3c46694e693ca658920746418418efd208ca45 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 8 Jun 2020 15:52:58 -0400
Subject: [PATCH] Move responsibility for SSH configuration
And test for (kind of) SSH availability
---
nixos/modules/100tb.nix | 10 ----------
nixos/modules/issuer.nix | 5 +++++
nixos/modules/private-storage.nix | 2 ++
nixos/modules/ssh.nix | 25 +++++++++++++++++++++++++
nixos/modules/tests/private-storage.nix | 6 ++++++
5 files changed, 38 insertions(+), 10 deletions(-)
create mode 100644 nixos/modules/ssh.nix
diff --git a/nixos/modules/100tb.nix b/nixos/modules/100tb.nix
index ec4bf665..1bcb6ba1 100644
--- a/nixos/modules/100tb.nix
+++ b/nixos/modules/100tb.nix
@@ -69,11 +69,6 @@ let
example = lib.literalExample "wwn-0x5000c500936410b9";
description = "The ID of the disk on which to install grub.";
};
- rootPublicKey = lib.mkOption
- { type = lib.types.str;
- example = lib.literalExample "ssh-ed25519 AAAA... username@host";
- description = "The public key to install for the root user.";
- };
};
in {
# Here we actually define the module's options. They're what we said they
@@ -112,11 +107,6 @@ in {
boot.loader.timeout = 1;
networking.firewall.enable = false;
- services.openssh.enable = true;
-
- users.users.root.openssh.authorizedKeys.keys = [
- cfg.rootPublicKey
- ];
networking.hostId = cfg.hostId;
networking.dhcpcd.enable = false;
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 3e1e90d8..7654bf1f 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -5,6 +5,11 @@
zkapissuer = pspkgs.callPackage ../pkgs/zkapissuer.nix { };
cfg = config.services.private-storage-issuer;
in {
+ imports = [
+ # Give it a good SSH configuration.
+ ../../nixos/modules/ssh.nix
+ ];
+
options = {
services.private-storage-issuer.enable = lib.mkEnableOption "PrivateStorage ZKAP Issuer Service";
services.private-storage-issuer.package = lib.mkOption {
diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index cc73d372..cada491e 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -30,6 +30,8 @@ in
];
imports = [
+ # Give it a good SSH configuration.
+ ./ssh.nix
# Load our tahoe-lafs module. It is configurable in the way I want it to
# be configurable.
./tahoe.nix
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
new file mode 100644
index 00000000..497efdf7
--- /dev/null
+++ b/nixos/modules/ssh.nix
@@ -0,0 +1,25 @@
+# A NixOS module which configures SSH access to a system.
+{
+ lib,
+ config,
+ ...
+}: {
+ options = {
+ };
+ config =
+ let
+ cfg = config."private-storage".config;
+ in {
+ # An attempt at a properly secure SSH configuration. This is informed by
+ # personal experience as well as various web resources:
+ #
+ # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
+ services.openssh = {
+ enable = true;
+ };
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"
+ ];
+ };
+}
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 1fe55c13..08a3e0d5 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -165,6 +165,12 @@ import <nixpkgs/nixos/tests/make-test.nix> {
# Start booting all the VMs in parallel to speed up operations down below.
startAll;
+ # The issuer and the storage server should accept SSH connections. This
+ # doesn't prove it is so but if it fails it's a pretty good indication
+ # it isn't so.
+ $storage->waitForOpenPort(22);
+ $issuer->waitForOpenPort(22);
+
# Set up a Tahoe-LAFS introducer.
$introducer->copyFileFromHost(
'${pemFile}',
--
GitLab