
Allow injecting a private key in the provisioned VM

This commit is contained in:
Nicolas Jeannerod 2025-02-24 16:47:21 +01:00
parent bd270999f3
commit 11fd13a982
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
3 changed files with 35 additions and 8 deletions


@ -125,8 +125,17 @@ in
hostPublicKey = mkOption { hostPublicKey = mkOption {
description = '' description = ''
The host public key of the machine. It is used to filter Age secrets and The ed25519 host public key of the machine. It is used to filter Age
only keep the relevant ones, and to feed to NixOps4. secrets and only keep the relevant ones, and to feed to NixOps4.
'';
};
unsafeHostPrivateKey = mkOption {
default = null;
description = ''
The ed25519 host private key of the machine. It is used when
provisioning to have a predictable public key. Warning: only ever use
this for testing machines, as it is a security hole for so many reasons.
''; '';
}; };
}; };
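Review bot: `unsafeHostPrivateKey` is declared with a `default` but no `type`, so a non-string value, or a public key pasted into the wrong option, is accepted by the module system and only fails later inside the build script; if `lib.types` is in scope here as it appears to be for `mkOption`, `type = types.nullOr types.str;` would reject that at evaluation time. The description should also state that when this option is set, `hostPublicKey` must be the public half of the same key pair, because the provisioning script writes both values as given and never checks that they match, so a mismatched pair produces a VM whose host key differs from the key used to filter Age secrets. Suggested addition to the description: `When set, hostPublicKey must be the matching public key; both are written to the installer unchanged.` The enclosing option set starts and ends outside this hunk.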


@ -86,6 +86,8 @@ let
sockets sockets
cores cores
memory memory
hostPublicKey
unsafeHostPrivateKey
; ;
}) })
); );


@ -168,7 +168,7 @@ grab_vm_option () {
--impure --raw --expr " --impure --raw --expr "
builtins.toJSON (builtins.getFlake (builtins.toString ./.)).vmOptions.$1 builtins.toJSON (builtins.getFlake (builtins.toString ./.)).vmOptions.$1
" | jq -r ."$2" " | jq -r ."$2"
} }
################################################################################ ################################################################################
## Build ISO ## Build ISO
@ -177,9 +177,20 @@ build_iso () {
acquire_lock build acquire_lock build
printf 'Building ISO for VM %s...\n' "$2" printf 'Building ISO for VM %s...\n' "$2"
## FIXME: Support injecting host keys for test VMs (but not for production host_public_key=$(grab_vm_option "$2" hostPublicKey)
## VMs as that would be unsafe). host_private_key=$(grab_vm_option "$2" unsafeHostPrivateKey)
if [ "$host_public_key" != null ] && [ "$host_private_key" != null ]; then
echo "$host_public_key" > "$tmpdir"/"$2"_host_key.pub
echo "$host_private_key" > "$tmpdir"/"$2"_host_key
nix_host_keys="
hostKeys.ed25519 = {
public = $tmpdir/$2_host_key.pub;
private = $tmpdir/$2_host_key;
};
"
else
nix_host_keys=
fi
nix build \ nix build \
--impure --expr " --impure --expr "
@ -187,6 +198,7 @@ build_iso () {
flake.lib.makeInstallerIso { flake.lib.makeInstallerIso {
nixosConfiguration = flake.nixosConfigurations.$2; nixosConfiguration = flake.nixosConfigurations.$2;
nixpkgs = flake.inputs.nixpkgs; nixpkgs = flake.inputs.nixpkgs;
$nix_host_keys
} }
" \ " \
--log-format raw --quiet \ --log-format raw --quiet \
@ -305,14 +317,18 @@ start_vm () {
printf 'Provisioning VMs%s...\n' "$vm_names" printf 'Provisioning VMs%s...\n' "$vm_names"
provision_vm () { provision_vm () (
## NOTE: Mind the fact that we now run in a sub-shell, allowing the following
## functions to define global variables without clashing with concurrent VMs
## provisioning.
build_iso "$@" build_iso "$@"
upload_iso "$@" upload_iso "$@"
create_vm "$@" create_vm "$@"
install_vm "$@" install_vm "$@"
start_vm "$@" start_vm "$@"
remove_iso "$@" remove_iso "$@"
} )
for vm_name in $vm_names; do for vm_name in $vm_names; do
vm_id=$(grab_vm_option "$vm_name" vmId) vm_id=$(grab_vm_option "$vm_name" vmId)
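Review bot: In the `build_iso` hunk the private key is written with `echo "$host_private_key" > "$tmpdir"/"$2"_host_key` under the caller's umask, so unless `$tmpdir` (created outside this hunk) is already mode 0700 the key file is typically world-readable for the whole build; write it as `(umask 077; printf '%s\n' "$host_private_key" > "$tmpdir/$2_host_key")`, which also avoids `echo` on arbitrary data. The file path is then passed to Nix as a path literal inside `$nix_host_keys`, and if `makeInstallerIso` uses it as a derivation input it will be copied into the world-readable Nix store, which deserves a comment next to the `nix_host_keys` assignment since the option description only warns about testing use. Nothing verifies that the two values belong together: after writing the files, comparing the key type and base64 fields of `ssh-keygen -y -f "$tmpdir/$2_host_key"` with those of the `.pub` file would catch a mismatched pair before it is baked into the ISO. `build_iso` starts and ends outside this hunk.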