difftreelog
feat sign built systems by default
in: trunk
6 files changed
cmds/fleet/src/cmds/build_systems.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/build_systems.rs
+++ b/cmds/fleet/src/cmds/build_systems.rs
@@ -191,6 +191,7 @@
// TODO: If rollback target exists - bail, it should be removed. Lockfile will not work in case if rollback
// is scheduler on next boot (default behavior). On current boot - rollback activator will fail due to
// unit name conflict in systemd-run
+ // This code is tied to rollback.nix
if !build.disable_rollback {
let _span = info_span!("preparing").entered();
info!("preparing for rollback");
@@ -334,6 +335,19 @@
Action::Upload { action } => {
if !config.is_local(&host) {
info!("uploading system closure");
+ {
+ let mut sign = MyCommand::new("sudo");
+ // Private key for host machine is registered in nix-sign.nix
+ sign.arg("nix")
+ .arg("store")
+ .arg("sign")
+ .comparg("-k", "/etc/nix/private-key")
+ .arg("-r")
+ .arg(&built);
+ if let Err(e) = sign.run_nix().await {
+ warn!("Failed to sign store paths: {e}");
+ };
+ }
let mut tries = 0;
loop {
let mut nix = MyCommand::new("nix");
cmds/fleet/src/command.rsdiffbeforeafterboth--- a/cmds/fleet/src/command.rs
+++ b/cmds/fleet/src/command.rs
@@ -269,7 +269,7 @@
drv = pkg;
}
}
- info!(target: "nix","copying {} {} -> {}", drv, from, to);
+ // info!(target: "nix","copying {} {} -> {}", drv, from, to);
let span = info_span!("copy", from, to, drv);
span.pb_start();
self.spans.insert(id, span);
nixos/modules/module-list.nixdiffbeforeafterbothnixos/nix-sign.nixdiffbeforeafterboth--- /dev/null
+++ b/nixos/nix-sign.nix
@@ -0,0 +1,14 @@
+# Required for nix copy in build_systems.rs
+{config, ...}: {
+ # https://github.com/NixOS/nix/issues/3023
+ systemd.services.generate-nix-cache-key = {
+ wantedBy = ["multi-user.target"];
+ serviceConfig.Type = "oneshot";
+ path = [config.nix.package];
+ script = ''
+ [[ -f /etc/nix/private-key ]] && exit
+ nix-store --generate-binary-cache-key ${config.networking.hostName}-1 /etc/nix/private-key /etc/nix/public-key
+ '';
+ };
+ nix.settings.secret-key-files = "/etc/nix/private-key";
+}
nixos/rollback.nixdiffbeforeafterboth--- a/nixos/rollback.nix
+++ b/nixos/rollback.nix
@@ -1,3 +1,4 @@
+# Tied to build_systems.rs
{config, ...}: {
# TODO: Make it work with systemd-initrd approach.
# In this case we can't just switch generation and re-run activation script, since the root filesystem might not be
scripts/install-trusted-cert.shdiffbeforeafterboth--- /dev/null
+++ b/scripts/install-trusted-cert.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -eu
+
+pubkey="$(sudo cat /etc/nix/private-key | nix key convert-secret-to-public)"
+echo pubkey = "$pubkey"
+
+edited_conf=$(mktemp)
+
+remote_conf=$(ssh "$1" cat /etc/nix/nix.conf)
+echo remote_conf = \"\"\"
+echo "$remote_conf"
+echo \"\"\"
+echo "$remote_conf" > "$edited_conf"
+sed -i 's/\. Do not edit it!/\. Then it was altered by install-trusted-cert. Do not edit!/g' "$edited_conf"
+sed -i "s|^trusted-public-keys =.*|& $pubkey|g" "$edited_conf"
+
+echo edited_conf = \"\"\"
+cat "$edited_conf"
+echo \"\"\"
+
+# Make nix.conf editable
+ssh "$1" sudo mv /etc/nix/nix.conf /etc/nix/nix.conf.bk
+ssh "$1" sudo cp /etc/nix/nix.conf.bk /etc/nix/nix.conf
+ssh "$1" "cat | sudo dd of=/etc/nix/nix.conf" < "$edited_conf"
+ssh "$1" sudo systemctl restart nix-daemon