mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-06 13:03:34 +00:00
2e751c0772
the conversion procedure is simple: - find all things that look like options, ie calls to either `mkOption` or `lib.mkOption` that take an attrset. remember the attrset as the option - for all options, find a `description` attribute who's value is not a call to `mdDoc` or `lib.mdDoc` - textually convert the entire value of the attribute to MD with a few simple regexes (the set from mdize-module.sh) - if the change produced a change in the manual output, discard - if the change kept the manual unchanged, add some text to the description to make sure we've actually found an option. if the manual changes this time, keep the converted description this procedure converts 80% of nixos options to markdown. around 2000 options remain to be inspected, but most of those fail the "does not change the manual output check": currently the MD conversion process does not faithfully convert docbook tags like <code> and <package>, so any option using such tags will not be converted at all.
216 lines
6.5 KiB
Nix
216 lines
6.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.boot.initrd.network.ssh;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options.boot.initrd.network.ssh = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Start SSH service during initrd boot. It can be used to debug failing
|
|
boot on a remote server, enter pasphrase for an encrypted partition etc.
|
|
Service is killed when stage-1 boot is finished.
|
|
|
|
The sshd configuration is largely inherited from
|
|
{option}`services.openssh`.
|
|
'';
|
|
};
|
|
|
|
port = mkOption {
|
|
type = types.int;
|
|
default = 22;
|
|
description = lib.mdDoc ''
|
|
Port on which SSH initrd service should listen.
|
|
'';
|
|
};
|
|
|
|
shell = mkOption {
|
|
type = types.str;
|
|
default = "/bin/ash";
|
|
description = lib.mdDoc ''
|
|
Login shell of the remote user. Can be used to limit actions user can do.
|
|
'';
|
|
};
|
|
|
|
hostKeys = mkOption {
|
|
type = types.listOf (types.either types.str types.path);
|
|
default = [];
|
|
example = [
|
|
"/etc/secrets/initrd/ssh_host_rsa_key"
|
|
"/etc/secrets/initrd/ssh_host_ed25519_key"
|
|
];
|
|
description = ''
|
|
Specify SSH host keys to import into the initrd.
|
|
|
|
To generate keys, use
|
|
<citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
|
|
|
|
<screen>
|
|
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
|
|
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
|
|
</screen>
|
|
|
|
<warning>
|
|
<para>
|
|
Unless your bootloader supports initrd secrets, these keys
|
|
are stored insecurely in the global Nix store. Do NOT use
|
|
your regular SSH host private keys for this purpose or
|
|
you'll expose them to regular users!
|
|
</para>
|
|
<para>
|
|
Additionally, even if your initrd supports secrets, if
|
|
you're using initrd SSH to unlock an encrypted disk then
|
|
using your regular host keys exposes the private keys on
|
|
your unencrypted boot partition.
|
|
</para>
|
|
</warning>
|
|
'';
|
|
};
|
|
|
|
authorizedKeys = mkOption {
|
|
type = types.listOf types.str;
|
|
default = config.users.users.root.openssh.authorizedKeys.keys;
|
|
defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
|
|
description = lib.mdDoc ''
|
|
Authorized keys for the root user on initrd.
|
|
'';
|
|
};
|
|
|
|
extraConfig = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
description = lib.mdDoc "Verbatim contents of {file}`sshd_config`.";
|
|
};
|
|
};
|
|
|
|
imports =
|
|
map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
|
|
The initrd SSH functionality now uses OpenSSH rather than Dropbear.
|
|
|
|
If you want to keep your existing initrd SSH host keys, convert them with
|
|
$ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
|
|
and then set options.boot.initrd.network.ssh.hostKeys.
|
|
'') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];
|
|
|
|
config = let
|
|
# Nix complains if you include a store hash in initrd path names, so
|
|
# as an awful hack we drop the first character of the hash.
|
|
initrdKeyPath = path: if isString path
|
|
then path
|
|
else let name = builtins.baseNameOf path; in
|
|
builtins.unsafeDiscardStringContext ("/etc/ssh/" +
|
|
substring 1 (stringLength name) name);
|
|
|
|
sshdCfg = config.services.openssh;
|
|
|
|
sshdConfig = ''
|
|
Port ${toString cfg.port}
|
|
|
|
PasswordAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
|
|
${flip concatMapStrings cfg.hostKeys (path: ''
|
|
HostKey ${initrdKeyPath path}
|
|
'')}
|
|
|
|
KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
|
|
Ciphers ${concatStringsSep "," sshdCfg.ciphers}
|
|
MACs ${concatStringsSep "," sshdCfg.macs}
|
|
|
|
LogLevel ${sshdCfg.logLevel}
|
|
|
|
${if sshdCfg.useDns then ''
|
|
UseDNS yes
|
|
'' else ''
|
|
UseDNS no
|
|
''}
|
|
|
|
${cfg.extraConfig}
|
|
'';
|
|
in mkIf (config.boot.initrd.network.enable && cfg.enable) {
|
|
assertions = [
|
|
{
|
|
assertion = cfg.authorizedKeys != [];
|
|
message = "You should specify at least one authorized key for initrd SSH";
|
|
}
|
|
|
|
{
|
|
assertion = cfg.hostKeys != [];
|
|
message = ''
|
|
You must now pre-generate the host keys for initrd SSH.
|
|
See the boot.initrd.network.ssh.hostKeys documentation
|
|
for instructions.
|
|
'';
|
|
}
|
|
];
|
|
|
|
boot.initrd.extraUtilsCommands = ''
|
|
copy_bin_and_libs ${pkgs.openssh}/bin/sshd
|
|
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
|
|
'';
|
|
|
|
boot.initrd.extraUtilsCommandsTest = ''
|
|
# sshd requires a host key to check config, so we pass in the test's
|
|
tmpkey="$(mktemp initrd-ssh-testkey.XXXXXXXXXX)"
|
|
cp "${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}" "$tmpkey"
|
|
# keys from Nix store are world-readable, which sshd doesn't like
|
|
chmod 600 "$tmpkey"
|
|
echo -n ${escapeShellArg sshdConfig} |
|
|
$out/bin/sshd -t -f /dev/stdin \
|
|
-h "$tmpkey"
|
|
rm "$tmpkey"
|
|
'';
|
|
|
|
boot.initrd.network.postCommands = ''
|
|
echo '${cfg.shell}' > /etc/shells
|
|
echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
|
|
echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
|
|
echo 'passwd: files' > /etc/nsswitch.conf
|
|
|
|
mkdir -p /var/log /var/empty
|
|
touch /var/log/lastlog
|
|
|
|
mkdir -p /etc/ssh
|
|
echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config
|
|
|
|
echo "export PATH=$PATH" >> /etc/profile
|
|
echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile
|
|
|
|
mkdir -p /root/.ssh
|
|
${concatStrings (map (key: ''
|
|
echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
|
|
'') cfg.authorizedKeys)}
|
|
|
|
${flip concatMapStrings cfg.hostKeys (path: ''
|
|
# keys from Nix store are world-readable, which sshd doesn't like
|
|
chmod 0600 "${initrdKeyPath path}"
|
|
'')}
|
|
|
|
/bin/sshd -e
|
|
'';
|
|
|
|
boot.initrd.postMountCommands = ''
|
|
# Stop sshd cleanly before stage 2.
|
|
#
|
|
# If you want to keep it around to debug post-mount SSH issues,
|
|
# run `touch /.keep_sshd` (either from an SSH session or in
|
|
# another initrd hook like preDeviceCommands).
|
|
if ! [ -e /.keep_sshd ]; then
|
|
pkill -x sshd
|
|
fi
|
|
'';
|
|
|
|
boot.initrd.secrets = listToAttrs
|
|
(map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
|
|
};
|
|
|
|
}
|