commit 0698a1cf04392a24f740b4b5e16c5bd33642b6df · pyrox.dev/nixpkgs

+54 -10

nixos/modules/system/boot/initrd-ssh.nix

···

       5
       5
        
       let

     

       6
       6
        
       

     

       7
       7
        
         cfg = config.boot.initrd.network.ssh;

     

       8
       8
       +
         shell = if cfg.shell == null then "/bin/ash" else cfg.shell;

     

       9
       9
       +
         inherit (config.programs.ssh) package;

     

       10
       10
       +
       

     

       11
       11
       +
         enabled = let initrd = config.boot.initrd; in (initrd.network.enable || initrd.systemd.network.enable) && cfg.enable;

     

       8
       12
        
       

     

       9
       13
        
       in

     

       10
       14
        
       

     
···

       33
       37
        
           };

     

       34
       38
        
       

     

       35
       39
        
           shell = mkOption {

     

       36
       36
       -
             type = types.str;

     

       37
       37
       -
             default = "/bin/ash";

     

       40
       40
       +
             type = types.nullOr types.str;

     

       41
       41
       +
             default = null;

     

       42
       42
       +
             defaultText = ''"/bin/ash"'';

     

       38
       43
        
             description = lib.mdDoc ''

     

       39
       44
        
               Login shell of the remote user. Can be used to limit actions user can do.

     

       40
       45
        
             '';

     
···

       119
       124
        
           sshdCfg = config.services.openssh;

     

       120
       125
        
       

     

       121
       126
        
           sshdConfig = ''

     

       127
       127
       +
             UsePAM no

     

       122
       128
        
             Port ${toString cfg.port}

     

       123
       129
        
       

     

       124
       130
        
             PasswordAuthentication no

     

       131
       131
       +
             AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u

     

       125
       132
        
             ChallengeResponseAuthentication no

     

       126
       133
        
       

     

       127
       134
        
             ${flip concatMapStrings cfg.hostKeys (path: ''

     
···

       142
       149
        
       

     

       143
       150
        
             ${cfg.extraConfig}

     

       144
       151
        
           '';

     

       145
       145
       -
         in mkIf (config.boot.initrd.network.enable && cfg.enable) {

     

       152
       152
       +
         in mkIf enabled {

     

       146
       153
        
           assertions = [

     

       147
       154
        
             {

     

       148
       155
        
               assertion = cfg.authorizedKeys != [];

     
···

       157
       164
        
                 for instructions.

     

       158
       165
        
               '';

     

       159
       166
        
             }

     

       167
       167
       +
       

     

       168
       168
       +
             {

     

       169
       169
       +
               assertion = config.boot.initrd.systemd.enable -> cfg.shell == null;

     

       170
       170
       +
               message = "systemd stage 1 does not support boot.initrd.network.ssh.shell";

     

       171
       171
       +
             }

     

       160
       172
        
           ];

     

       161
       173
        
       

     

       162
       162
       -
           boot.initrd.extraUtilsCommands = ''

     

       163
       163
       -
             copy_bin_and_libs ${pkgs.openssh}/bin/sshd

     

       174
       174
       +
           boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) ''

     

       175
       175
       +
             copy_bin_and_libs ${package}/bin/sshd

     

       164
       176
        
             cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib

     

       165
       177
        
           '';

     

       166
       178
        
       

     

       167
       167
       -
           boot.initrd.extraUtilsCommandsTest = ''

     

       179
       179
       +
           boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) ''

     

       168
       180
        
             # sshd requires a host key to check config, so we pass in the test's

     

       169
       181
        
             tmpkey="$(mktemp initrd-ssh-testkey.XXXXXXXXXX)"

     

       170
       182
        
             cp "${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}" "$tmpkey"

     
···

       176
       188
        
             rm "$tmpkey"

     

       177
       189
        
           '';

     

       178
       190
        
       

     

       179
       179
       -
           boot.initrd.network.postCommands = ''

     

       180
       180
       -
             echo '${cfg.shell}' > /etc/shells

     

       181
       181
       -
             echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd

     

       191
       191
       +
           boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) ''

     

       192
       192
       +
             echo '${shell}' > /etc/shells

     

       193
       193
       +
             echo 'root:x:0:0:root:/root:${shell}' > /etc/passwd

     

       182
       194
        
             echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd

     

       183
       195
        
             echo 'passwd: files' > /etc/nsswitch.conf

     

       184
       196
        
       

     
···

       204
       216
        
             /bin/sshd -e

     

       205
       217
        
           '';

     

       206
       218
        
       

     

       207
       207
       -
           boot.initrd.postMountCommands = ''

     

       219
       219
       +
           boot.initrd.postMountCommands = mkIf (!config.boot.initrd.systemd.enable) ''

     

       208
       220
        
             # Stop sshd cleanly before stage 2.

     

       209
       221
        
             #

     

       210
       222
        
             # If you want to keep it around to debug post-mount SSH issues,

     
···

       217
       229
        
       

     

       218
       230
        
           boot.initrd.secrets = listToAttrs

     

       219
       231
        
             (map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);

     

       232
       232
       +
       

     

       233
       233
       +
           # Systemd initrd stuff

     

       234
       234
       +
           boot.initrd.systemd = mkIf config.boot.initrd.systemd.enable {

     

       235
       235
       +
             users.sshd = { uid = 1; group = "sshd"; };

     

       236
       236
       +
             groups.sshd = { gid = 1; };

     

       237
       237
       +
       

     

       238
       238
       +
             contents."/etc/ssh/authorized_keys.d/root".text =

     

       239
       239
       +
               concatStringsSep "\n" config.boot.initrd.network.ssh.authorizedKeys;

     

       240
       240
       +
             contents."/etc/ssh/sshd_config".text = sshdConfig;

     

       241
       241
       +
             storePaths = ["${package}/bin/sshd"];

     

       242
       242
       +
       

     

       243
       243
       +
             services.sshd = {

     

       244
       244
       +
               description = "SSH Daemon";

     

       245
       245
       +
               wantedBy = ["initrd.target"];

     

       246
       246
       +
               after = ["network.target" "initrd-nixos-copy-secrets.service"];

     

       247
       247
       +
       

     

       248
       248
       +
               # Keys from Nix store are world-readable, which sshd doesn't

     

       249
       249
       +
               # like. If this were a real nix store and not the initrd, we

     

       250
       250
       +
               # neither would nor could do this

     

       251
       251
       +
               preStart = flip concatMapStrings cfg.hostKeys (path: ''

     

       252
       252
       +
                 /bin/chmod 0600 "${initrdKeyPath path}"

     

       253
       253
       +
               '');

     

       254
       254
       +
               unitConfig.DefaultDependencies = false;

     

       255
       255
       +
               serviceConfig = {

     

       256
       256
       +
                 ExecStart = "${package}/bin/sshd -D -f /etc/ssh/sshd_config";

     

       257
       257
       +
                 Type = "simple";

     

       258
       258
       +
                 KillMode = "process";

     

       259
       259
       +
                 Restart = "on-failure";

     

       260
       260
       +
               };

     

       261
       261
       +
             };

     

       262
       262
       +
           };

     

       263
       263
       +
       

     

       220
       264
        
         };

     

       221
       265
        
       

     

       222
       266
        
       }

nixos/tests/all-tests.nix

···

       678
       678
        
         systemd-initrd-swraid = handleTest ./systemd-initrd-swraid.nix {};

     

       679
       679
        
         systemd-initrd-vconsole = handleTest ./systemd-initrd-vconsole.nix {};

     

       680
       680
        
         systemd-initrd-networkd = handleTest ./systemd-initrd-networkd.nix {};

     

       681
       681
       +
         systemd-initrd-networkd-ssh = handleTest ./systemd-initrd-networkd-ssh.nix {};

     

       681
       682
        
         systemd-journal = handleTest ./systemd-journal.nix {};

     

       682
       683
        
         systemd-machinectl = handleTest ./systemd-machinectl.nix {};

     

       683
       684
        
         systemd-networkd = handleTest ./systemd-networkd.nix {};

+82

nixos/tests/systemd-initrd-networkd-ssh.nix

···

       1
       1
       +
       import ./make-test-python.nix ({ lib, ... }: {

     

       2
       2
       +
         name = "systemd-initrd-network-ssh";

     

       3
       3
       +
         meta.maintainers = [ lib.maintainers.elvishjerricco ];

     

       4
       4
       +
       

     

       5
       5
       +
         nodes = with lib; {

     

       6
       6
       +
           server = { config, pkgs, ... }: {

     

       7
       7
       +
             environment.systemPackages = [pkgs.cryptsetup];

     

       8
       8
       +
             boot.loader.systemd-boot.enable = true;

     

       9
       9
       +
             boot.loader.timeout = 0;

     

       10
       10
       +
             virtualisation = {

     

       11
       11
       +
               emptyDiskImages = [ 4096 ];

     

       12
       12
       +
               useBootLoader = true;

     

       13
       13
       +
               useEFIBoot = true;

     

       14
       14
       +
             };

     

       15
       15
       +
       

     

       16
       16
       +
             specialisation.encrypted-root.configuration = {

     

       17
       17
       +
               virtualisation.bootDevice = "/dev/mapper/root";

     

       18
       18
       +
               boot.initrd.luks.devices = lib.mkVMOverride {

     

       19
       19
       +
                 root.device = "/dev/vdc";

     

       20
       20
       +
               };

     

       21
       21
       +
               boot.initrd.systemd.enable = true;

     

       22
       22
       +
               boot.initrd.network = {

     

       23
       23
       +
                 enable = true;

     

       24
       24
       +
                 ssh = {

     

       25
       25
       +
                   enable = true;

     

       26
       26
       +
                   authorizedKeys = [ (readFile ./initrd-network-ssh/id_ed25519.pub) ];

     

       27
       27
       +
                   port = 22;

     

       28
       28
       +
                   # Terrible hack so it works with useBootLoader

     

       29
       29
       +
                   hostKeys = [ { outPath = "${./initrd-network-ssh/ssh_host_ed25519_key}"; } ];

     

       30
       30
       +
                 };

     

       31
       31
       +
               };

     

       32
       32
       +
             };

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           client = { config, ... }: {

     

       36
       36
       +
             environment.etc = {

     

       37
       37
       +
               knownHosts = {

     

       38
       38
       +
                 text = concatStrings [

     

       39
       39
       +
                   "server,"

     

       40
       40
       +
                   "${

     

       41
       41
       +
                     toString (head (splitString " " (toString

     

       42
       42
       +
                       (elemAt (splitString "\n" config.networking.extraHosts) 2))))

     

       43
       43
       +
                   } "

     

       44
       44
       +
                   "${readFile ./initrd-network-ssh/ssh_host_ed25519_key.pub}"

     

       45
       45
       +
                 ];

     

       46
       46
       +
               };

     

       47
       47
       +
               sshKey = {

     

       48
       48
       +
                 source = ./initrd-network-ssh/id_ed25519;

     

       49
       49
       +
                 mode = "0600";

     

       50
       50
       +
               };

     

       51
       51
       +
             };

     

       52
       52
       +
           };

     

       53
       53
       +
         };

     

       54
       54
       +
       

     

       55
       55
       +
         testScript = ''

     

       56
       56
       +
           start_all()

     

       57
       57
       +
       

     

       58
       58
       +
           def ssh_is_up(_) -> bool:

     

       59
       59
       +
               status, _ = client.execute("nc -z server 22")

     

       60
       60
       +
               return status == 0

     

       61
       61
       +
       

     

       62
       62
       +
           server.wait_for_unit("multi-user.target")

     

       63
       63
       +
           server.succeed(

     

       64
       64
       +
               "echo somepass | cryptsetup luksFormat --type=luks2 /dev/vdc",

     

       65
       65
       +
               "bootctl set-default nixos-generation-1-specialisation-encrypted-root.conf",

     

       66
       66
       +
               "sync",

     

       67
       67
       +
           )

     

       68
       68
       +
           server.shutdown()

     

       69
       69
       +
           server.start()

     

       70
       70
       +
       

     

       71
       71
       +
           client.wait_for_unit("network.target")

     

       72
       72
       +
           with client.nested("waiting for SSH server to come up"):

     

       73
       73
       +
               retry(ssh_is_up)

     

       74
       74
       +
       

     

       75
       75
       +
           client.succeed(

     

       76
       76
       +
               "echo somepass | ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'systemd-tty-ask-password-agent' & exit"

     

       77
       77
       +
           )

     

       78
       78
       +
       

     

       79
       79
       +
           server.wait_for_unit("multi-user.target")

     

       80
       80
       +
           server.succeed("mount | grep '/dev/mapper/root on /'")

     

       81
       81
       +
         '';

     

       82
       82
       +
       })