|
8 | 8 | let |
9 | 9 | cfg = config.ocf.managed-deployment; |
10 | 10 | deploy-user = "ocf-nix-deploy-user"; |
| 11 | + authorizedKeys = [ |
| 12 | + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlViRB5HH1bTaS1S7TcqVBSuxKdrbdhL2CmhDqc/t6A" # oliverni |
| 13 | + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOaJJvOUG08qr3yeeQRB71M30cdPMuO69nsf0CodALa" # jaysa |
| 14 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token |
| 15 | + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdAe7sPMxaidnqOah3UVrjt41KFHHOYleS1VWGH+ZUc" # storce |
| 16 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICW8L5pydSCGwBstSlXWNSQh//wmRB03RmAWaT3u7+8hAAAABHNzaDo=" # sbwilliams primary hardware token |
| 17 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIsQXwbC4lVR8qMbduDWHVNvjfqD1m8yYbjdEOGCNVNPAAAABHNzaDo=" # sbwilliams secondary hardware token |
| 18 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIe3xdiMA4u6OhEEa8gw1w26G8mBvAC6SXbbgR0sSWO7AAAABHNzaDo=" # michaelzls hardware token 1 |
| 19 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICWs4Daof6LfwMw6376xOfuPgBnZNxnPWpoUvcWdlql5AAAABHNzaDo=" # michaelzls hardware token 2 |
| 20 | + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3DDYaYibt/VjeYDR7cO8tZA2iJUhPBh6jFrB1mBxJA" # chamburr |
| 21 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token |
| 22 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK6PlfQq5LYIOHTnPwQvJeiGo3MYDxBRb+KdTqrffxFnAAAABHNzaDo=" # blakeh hardware token |
| 23 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPs3+fHihwZSBQVtoXffCtSSmBBDb/0NY+BPDIo+FKh9AAAABHNzaDo=" # blakeh backup hardware token |
| 24 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1zLZffea+7TdFSQOhNBmT1hftFwPzAEK2c8siFeS/7AAAABHNzaDo=" # ericgu hardware token |
| 25 | + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKtH02NTIoDXgcD5UJoxWWBu5EhHoYaP6NZQKZSIWmadAAAABHNzaDo=" # ericgu backup hardware token |
| 26 | + ]; |
11 | 27 | in |
12 | 28 | { |
13 | 29 | options.ocf.managed-deployment.enable = lib.mkEnableOption "Enable OCF Colmena / GitHub Actions Managed Deployment"; |
|
18 | 34 | default = true; |
19 | 35 | }; |
20 | 36 |
|
| 37 | + options.ocf.managed-deployment.emergencyRootSSH = lib.mkOption { |
| 38 | + type = lib.types.bool; |
| 39 | + description = "Whether to add the deploy user's authorized keys (except github actions) to root for emergency access"; |
| 40 | + default = true; |
| 41 | + }; |
| 42 | + |
21 | 43 | options.ocf.managed-deployment.mac-address = lib.mkOption { |
22 | 44 | type = lib.types.str; |
23 | 45 | description = "MAC address of the host so that it can be woken up with WoL during deploy"; |
24 | 46 | default = ""; |
25 | 47 | }; |
26 | 48 |
|
27 | | - options.ocf.managed-deployment.staffOnlySsh = lib.mkOption { |
28 | | - type = lib.types.bool; |
29 | | - description = "Restrict SSH access to ocfstaff. Disable for public login servers (as of now, only carp)."; |
30 | | - default = true; |
31 | | - }; |
32 | | - |
33 | | - config = lib.mkIf cfg.enable { |
34 | | - deployment.allowLocalDeployment = true; # for debugging and deploying when github actions deployment breaks |
| 49 | + config = lib.mkIf cfg.enable ( |
| 50 | + lib.mkMerge [ |
| 51 | + { |
| 52 | + deployment.allowLocalDeployment = true; # for debugging and deploying when github actions deployment breaks |
35 | 53 |
|
36 | | - nix.settings.trusted-users = [ deploy-user ]; |
| 54 | + nix.settings.trusted-users = [ deploy-user ]; |
37 | 55 |
|
38 | | - users.groups.${deploy-user} = { }; |
| 56 | + users.groups.${deploy-user} = { }; |
39 | 57 |
|
40 | | - users.users.${deploy-user} = { |
41 | | - isNormalUser = true; |
42 | | - group = deploy-user; |
43 | | - createHome = false; |
44 | | - home = "/var/empty"; |
45 | | - openssh.authorizedKeys.keys = [ |
46 | | - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMuiOUsjVJSi+0WeMHKquQmwoyz/c3N7HhjJwzz21B3" # github-actions |
47 | | - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlViRB5HH1bTaS1S7TcqVBSuxKdrbdhL2CmhDqc/t6A" # oliverni |
48 | | - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOaJJvOUG08qr3yeeQRB71M30cdPMuO69nsf0CodALa" # jaysa |
49 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token |
50 | | - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdAe7sPMxaidnqOah3UVrjt41KFHHOYleS1VWGH+ZUc" # storce |
51 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICW8L5pydSCGwBstSlXWNSQh//wmRB03RmAWaT3u7+8hAAAABHNzaDo=" # sbwilliams primary hardware token |
52 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIsQXwbC4lVR8qMbduDWHVNvjfqD1m8yYbjdEOGCNVNPAAAABHNzaDo=" # sbwilliams secondary hardware token |
53 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIe3xdiMA4u6OhEEa8gw1w26G8mBvAC6SXbbgR0sSWO7AAAABHNzaDo=" # michaelzls hardware token 1 |
54 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICWs4Daof6LfwMw6376xOfuPgBnZNxnPWpoUvcWdlql5AAAABHNzaDo=" # michaelzls hardware token 2 |
55 | | - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3DDYaYibt/VjeYDR7cO8tZA2iJUhPBh6jFrB1mBxJA" # chamburr |
56 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDLsEX5PgyQwdOtdOo0U+yWdpOu9gOsqpQRXo7xKww5FAAAABHNzaDo=" # jaysa hardware token |
57 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIK6PlfQq5LYIOHTnPwQvJeiGo3MYDxBRb+KdTqrffxFnAAAABHNzaDo=" # blakeh hardware token |
58 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPs3+fHihwZSBQVtoXffCtSSmBBDb/0NY+BPDIo+FKh9AAAABHNzaDo=" # blakeh backup hardware token |
59 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1zLZffea+7TdFSQOhNBmT1hftFwPzAEK2c8siFeS/7AAAABHNzaDo=" # ericgu hardware token |
60 | | - "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKtH02NTIoDXgcD5UJoxWWBu5EhHoYaP6NZQKZSIWmadAAAABHNzaDo=" # ericgu backup hardware token |
61 | | - ]; |
62 | | - }; |
| 58 | + users.users.${deploy-user} = { |
| 59 | + isNormalUser = true; |
| 60 | + group = deploy-user; |
| 61 | + createHome = false; |
| 62 | + home = "/var/empty"; |
| 63 | + openssh.authorizedKeys.keys = [ |
| 64 | + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMuiOUsjVJSi+0WeMHKquQmwoyz/c3N7HhjJwzz21B3" # github-actions |
| 65 | + ] |
| 66 | + ++ authorizedKeys; |
| 67 | + }; |
63 | 68 |
|
64 | | - # note: this breaks colmena exec, which runs the given command with sudo, |
65 | | - # but sudo cant ask for a password without a proper terminal |
66 | | - security.sudo.extraRules = [ |
67 | | - { |
68 | | - users = [ deploy-user ]; |
69 | | - commands = [ |
70 | | - # needed for colmena apply |
71 | | - { |
72 | | - command = "/run/current-system/sw/bin/nix-store --no-gc-warning --realise /nix/store/*"; |
73 | | - options = [ "NOPASSWD" ]; |
74 | | - } |
75 | | - { |
76 | | - command = "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set /nix/store/*"; |
77 | | - options = [ "NOPASSWD" ]; |
78 | | - } |
| 69 | + # note: this breaks colmena exec, which runs the given command with sudo, |
| 70 | + # but sudo cant ask for a password without a proper terminal |
| 71 | + security.sudo.extraRules = [ |
79 | 72 | { |
80 | | - command = "/nix/store/*/bin/switch-to-configuration *"; |
81 | | - options = [ "NOPASSWD" ]; |
82 | | - } |
| 73 | + users = [ deploy-user ]; |
| 74 | + commands = [ |
| 75 | + # needed for colmena apply |
| 76 | + { |
| 77 | + command = "/run/current-system/sw/bin/nix-store --no-gc-warning --realise /nix/store/*"; |
| 78 | + options = [ "NOPASSWD" ]; |
| 79 | + } |
| 80 | + { |
| 81 | + command = "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set /nix/store/*"; |
| 82 | + options = [ "NOPASSWD" ]; |
| 83 | + } |
| 84 | + { |
| 85 | + command = "/nix/store/*/bin/switch-to-configuration *"; |
| 86 | + options = [ "NOPASSWD" ]; |
| 87 | + } |
83 | 88 |
|
84 | | - # extra commands allowed on colmena exec |
85 | | - { |
86 | | - command = "/run/current-system/sw/bin/systemctl *"; |
87 | | - options = [ "NOPASSWD" ]; |
| 89 | + # extra commands allowed on colmena exec |
| 90 | + { |
| 91 | + command = "/run/current-system/sw/bin/systemctl *"; |
| 92 | + options = [ "NOPASSWD" ]; |
| 93 | + } |
| 94 | + ]; |
88 | 95 | } |
89 | 96 | ]; |
| 97 | + |
| 98 | + # add deploy-user to allowed groups if staffOnlySSH is enabled |
| 99 | + services.openssh.settings.AllowGroups = lib.mkIf config.ocf.auth.staffOnlySSH [ |
| 100 | + deploy-user |
| 101 | + ]; |
90 | 102 | } |
91 | | - ]; |
92 | 103 |
|
93 | | - services.openssh.settings.AllowGroups = lib.mkIf cfg.staffOnlySsh [ |
94 | | - "ocfstaff" |
95 | | - "ocfroot" |
96 | | - deploy-user |
97 | | - ]; |
98 | | - }; |
| 104 | + (lib.mkIf cfg.emergencyRootSSH { |
| 105 | + services.openssh.settings.AllowGroups = lib.mkIf config.ocf.auth.staffOnlySSH [ |
| 106 | + "root" |
| 107 | + ]; |
| 108 | + # for when things really go wrong (for example if ldap doesnt work) |
| 109 | + users.users.root.openssh.authorizedKeys.keys = authorizedKeys; |
| 110 | + |
| 111 | + # set sensible defaults (and to create the PubKeyAuthentication attribute) |
| 112 | + # but catch it if it changes and show a warning |
| 113 | + services.openssh.settings = { |
| 114 | + PermitRootLogin = lib.mkDefault "prohibit-password"; |
| 115 | + PubKeyAuthentication = lib.mkDefault true; |
| 116 | + }; |
| 117 | + |
| 118 | + assertions = |
| 119 | + let |
| 120 | + sshcfg = config.services.openssh.settings; |
| 121 | + in |
| 122 | + lib.singleton { |
| 123 | + assertion = (sshcfg.PermitRootLogin == "prohibit-password" && sshcfg.PubKeyAuthentication or true); |
| 124 | + message = "PermitRootLogin must be set to 'prohibit-password' and PubKeyAuthentication must be set to 'yes' when ocf.managed-deployment.emergencyRootSSH is enabled."; |
| 125 | + }; |
| 126 | + }) |
| 127 | + ] |
| 128 | + ); |
99 | 129 | } |
0 commit comments