nodes can identify one another #633

New issue

Open

opened 2025-12-03 15:55:51 +01:00 by kiara · 0 comments

kiara commented

2025-12-03 15:55:51 +01:00

Owner

As a hosting provider,
I want deployed nodes to safely identify one another,
so that we may deny unauthorized requests.

implementation notes

useful for securing e.g. for vault/openbao access (see #493)
prior art
- spire module nixpkgs PR
  - example
- AFNix:
  - implementation
  - plan
SPIFFE (spec) / spire (reference implementation)
- nix talk
- spire attestation methods:
  - node attestation: node's unique SPIFFE ID, proven by e.g.:
    - verifying a private key stored on a Hardware Security Module or Trusted Platform Module (TPM)
      - on VMs involves using vTPM
    - a manual verification provided through a join token when the agent is installed
    - identification credentials provisioned by a multi-node software system when it was installed on the node (such as a Kubernetes Service Account token)
    - deployed server certificate
    - an identity document delivered to the node via a cloud platform
  - workload attestation
    - User ID (uid)
    - Group ID (gid)
    - filesystem path
kubernetes service accounts

**As** a hosting provider, **I want** deployed nodes to safely identify one another, **so that** we may deny unauthorized requests. ### implementation notes - useful for securing e.g. for vault/openbao access (see #493) - prior art - [spire module nixpkgs PR](https://github.com/NixOS/nixpkgs/pull/481447) - [example](https://github.com/search?q=repo%3Aarianvp%2Fnixos-stuff+spire+language%3ANix&type=code&l=Nix) - AFNix: - [implementation](https://git.afnix.fr/afnix/infra/search/?path=&q=spire&mode=exact) - [plan](https://zulip.afnix.fr/#narrow/channel/4-infra/topic/RFC.3A.20Design.20for.20automatic.20Vault.20access.20for.20VMs/with/2622) - [SPIFFE](https://spiffe.io/) (spec) / spire (reference implementation) - [nix talk](https://fosdem.org/2026/schedule/event/9QDZF8-look_ma_no_secrets_-_bootstrapping_cryptographic_trust_in_my_homelab_using_nixos/) - spire [attestation methods](https://spiffe.io/docs/latest/spire-about/spire-concepts/#attestation): - node attestation: node's unique SPIFFE ID, proven by e.g.: - verifying a private key stored on a Hardware Security Module or [Trusted Platform Module (TPM)](https://wiki.nixos.org/wiki/TPM) - on VMs involves using [vTPM](https://forum.proxmox.com/threads/vtpm-support-do-we-have-guide-to-add-the-vtpm-support.56982/page-2#post-421614) - a manual verification provided through a join token when the agent is installed - identification credentials provisioned by a multi-node software system when it was installed on the node (such as a Kubernetes Service Account token) - deployed server certificate - an identity document delivered to the node via a cloud platform - workload attestation - User ID (uid) - Group ID (gid) - filesystem path - [kubernetes service accounts](https://kubernetes.io/docs/concepts/security/service-accounts/)

kiara added the

type: task

21 points

labels

2025-12-03 15:55:51 +01:00

kiara added a new dependency

2025-12-03 15:56:05 +01:00

#291 code passes security check

kiara referenced this issue

2025-12-03 16:16:43 +01:00

portable ephemeral state #493

kiara referenced this issue