

feat sign built systems by default

Yaroslav Bolyukin2023-10-22parent: #7a60d07.patch.diff

6 files changed

modifiedcmds/fleet/src/cmds/build_systems.rsdiffbeforeafterboth
--- a/cmds/fleet/src/cmds/build_systems.rs
+++ b/cmds/fleet/src/cmds/build_systems.rs
@@ -191,6 +191,7 @@
 	// TODO: If rollback target exists - bail, it should be removed. Lockfile will not work in case if rollback
 	// is scheduler on next boot (default behavior). On current boot - rollback activator will fail due to
 	// unit name conflict in systemd-run
+	// This code is tied to rollback.nix
 	if !build.disable_rollback {
 		let _span = info_span!("preparing").entered();
 		info!("preparing for rollback");
@@ -334,6 +335,19 @@
 			Action::Upload { action } => {
 				if !config.is_local(&host) {
 					info!("uploading system closure");
+					{
+						let mut sign = MyCommand::new("sudo");
+						// Private key for host machine is registered in nix-sign.nix
+						sign.arg("nix")
+							.arg("store")
+							.arg("sign")
+							.comparg("-k", "/etc/nix/private-key")
+							.arg("-r")
+							.arg(&built);
+						if let Err(e) = sign.run_nix().await {
+							warn!("Failed to sign store paths: {e}");
+						};
+					}
 					let mut tries = 0;
 					loop {
 						let mut nix = MyCommand::new("nix");
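Review bot: A signing failure on the `if let Err(e) = sign.run_nix().await` branch is only logged and the upload proceeds anyway, so on a receiving host that accepts only signed paths the real cause is buried behind a later `nix copy` failure in the retry loop, and on a host that still accepts unsigned paths the system is deployed without the signature this commit set out to add. If signing is meant to be mandatory, propagate the error instead of warning; if best-effort is intended, say so next to the call, e.g. `// Best-effort: a signing failure is not fatal here, the remote may still accept unsigned paths`. The `-k /etc/nix/private-key` path duplicates the one configured in nixos/nix-sign.nix; a shared constant would keep the two from drifting. The `};` closing the `if let` block carries a stray semicolon that rustfmt/clippy will flag. The enclosing match arm and function start and end outside this hunk.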
modifiedcmds/fleet/src/command.rsdiffbeforeafterboth
--- a/cmds/fleet/src/command.rs
+++ b/cmds/fleet/src/command.rs
@@ -269,7 +269,7 @@
 								drv = pkg;
 							}
 						}
-						info!(target: "nix","copying {} {} -> {}", drv, from, to);
+						// info!(target: "nix","copying {} {} -> {}", drv, from, to);
 						let span = info_span!("copy", from, to, drv);
 						span.pb_start();
 						self.spans.insert(id, span);
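Review bot: The replaced line leaves commented-out code in place rather than removing it; the `info_span!("copy", from, to, drv)` on the next line already carries the same fields, so either delete the line outright or lower its level, e.g. `debug!(target: "nix", "copying {} {} -> {}", drv, from, to);` if `debug!` is in scope in this file. The enclosing function starts and ends outside this hunk.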
modifiednixos/modules/module-list.nixdiffbeforeafterboth
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -3,4 +3,5 @@
   ../meta.nix
   ../secrets.nix
   ../rollback.nix
+  ../nix-sign.nix
 ]
addednixos/nix-sign.nixdiffbeforeafterboth
--- /dev/null
+++ b/nixos/nix-sign.nix
@@ -0,0 +1,14 @@
+# Required for nix copy in build_systems.rs
+{config, ...}: {
+  # https://github.com/NixOS/nix/issues/3023
+  systemd.services.generate-nix-cache-key = {
+    wantedBy = ["multi-user.target"];
+    serviceConfig.Type = "oneshot";
+    path = [config.nix.package];
+    script = ''
+      [[ -f /etc/nix/private-key ]] && exit
+      nix-store --generate-binary-cache-key ${config.networking.hostName}-1 /etc/nix/private-key /etc/nix/public-key
+    '';
+  };
+  nix.settings.secret-key-files = "/etc/nix/private-key";
+}
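Review bot: Nothing orders `generate-nix-cache-key` before nix-daemon or before anything else that invokes nix, while `nix.settings.secret-key-files` already names `/etc/nix/private-key`, so on first boot there is a window in which the daemon is configured to sign with a key that does not exist yet; adding `before = ["nix-daemon.service"];` next to `wantedBy` closes the ordering gap, and it is worth confirming how nix behaves when a listed secret-key file is missing. The module relies on whatever file mode `nix-store --generate-binary-cache-key` applies to the secret key; an explicit `chmod 600 /etc/nix/private-key` after the generate line makes the intended permission visible in the module instead of depending on the tool's default. The `[[ -f /etc/nix/private-key ]] && exit` guard depends on the `&&` list being exempt from errexit, which holds for bash but deserves a comment such as `# idempotent: keep an existing key pair`; note it also skips regeneration when only `/etc/nix/public-key` is missing.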
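--- a/nixos/rollback.nix
+++ b/nixos/rollback.nix
@@ -1,47 +1,48 @@
+# Tied to build_systems.rs
 {config, ...}: {
   # TODO: Make it work with systemd-initrd approach.
   # In this case we can't just switch generation and re-run activation script, since the root filesystem might not be
   # mounted yet. We need to explicitly remove the last generation, and this needs deeper integration with systemd/grub/
   # whatever user uses. boot.json also might help here.
 
   systemd.services.rollback-watchdog = {
     description = "Rollback watchdog";
     script = ''
       set -eux
       if [ -f /etc/fleet_rollback_marker ]; then
         echo "found the rollback marker, switching to older generation"
         target=$(cat /etc/fleet_rollback_marker)
         echo "rolling back profile"
         nix profile rollback --profile /nix/var/nix/profiles/system --to "$target"
         echo "executing activation script"
         "/nix/var/nix/profiles/system-$target-link/bin/switch-to-configuration" switch || true
         echo "removing rollback marker"
         rm -f /etc/fleet_rollback_marker
       else
         echo "rollback marker was removed, upgrade is succeeded"
       fi
     '';
     path = [
       # Should have nix-command support
       config.nix.package
     ];
     serviceConfig.Type = "exec";
     unitConfig = {
       X-StopOnRemoval = false;
       X-RestartIfChanged = false;
       X-StopIfChanged = false;
     };
   };
 
   systemd.timers.rollback-watchdog = {
     description = "Timer for rollback watchdog";
     wantedBy = ["timers.target"];
     timerConfig = {
       OnActiveSec = "3min";
       RemainAfterElapse = false;
     };
     unitConfig = {
       ConditionPathExists = "/etc/fleet_rollback_marker";
     };
   };
 }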
addedscripts/install-trusted-cert.shdiffbeforeafterboth
--- /dev/null
+++ b/scripts/install-trusted-cert.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -eu
+
+pubkey="$(sudo cat /etc/nix/private-key | nix key convert-secret-to-public)"
+echo pubkey = "$pubkey"
+
+edited_conf=$(mktemp)
+
+remote_conf=$(ssh "$1" cat /etc/nix/nix.conf)
+echo remote_conf = \"\"\"
+echo "$remote_conf"
+echo \"\"\"
+echo "$remote_conf" > "$edited_conf"
+sed -i 's/\.  Do not edit it!/\. Then it was altered by install-trusted-cert. Do not edit!/g' "$edited_conf"
+sed -i "s|^trusted-public-keys =.*|& $pubkey|g" "$edited_conf"
+
+echo edited_conf = \"\"\"
+cat "$edited_conf"
+echo \"\"\"
+
+# Make nix.conf editable
+ssh "$1" sudo mv /etc/nix/nix.conf /etc/nix/nix.conf.bk
+ssh "$1" sudo cp /etc/nix/nix.conf.bk /etc/nix/nix.conf
+ssh "$1" "cat | sudo dd of=/etc/nix/nix.conf" < "$edited_conf"
+ssh "$1" sudo systemctl restart nix-daemon
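Review bot: The `sed -i "s|^trusted-public-keys =.*|& $pubkey|g"` edit silently does nothing when the remote nix.conf has no `trusted-public-keys =` line, yet the script still replaces `/etc/nix/nix.conf` and restarts nix-daemon, so the key is never trusted and nothing reports it; add `grep -q '^trusted-public-keys =' "$edited_conf" || { echo "remote nix.conf has no trusted-public-keys line" >&2; exit 1; }` before the rewrite, and consider that a second run appends the same key again. The public key is derived by piping the secret key through `nix key convert-secret-to-public`; since nixos/nix-sign.nix writes `/etc/nix/public-key` alongside it, reading that file keeps the private key out of this script entirely, and in plain `sh` without pipefail a failing `sudo cat` in that pipeline would otherwise be masked. `$1` is used without a usage check, so a missing argument fails only with an unhelpful `set -u` message. If the target is NixOS, the edited nix.conf is presumably regenerated on the next rebuild, so a trust entry that must persist belongs in the host's `nix.settings.trusted-public-keys` as well.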