Add psk distribution for key sharing between VM and host (#30)

- add psk distribution for vm - add psk distribution for host - add ip and user name for nmLuncher - add shared storage for ssh keys to use with nmLauncher Signed-off-by: Ivan Kuznetsov <[email protected]>
tiiuae · Apr 18, 2024 · ba03ec3 · ba03ec3
1 parent 6504397
commit ba03ec3
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 3 deletions.
diff --git a/hardware/fmo-os-rugged-laptop-7330.nix b/hardware/fmo-os-rugged-laptop-7330.nix
@@ -22,6 +22,7 @@
       }
       {
         app = "nmLauncher";
+        extraArgs = "192.168.101.1 ghaf";
       }
     ]; # launchers;
 
@@ -31,6 +32,9 @@
         boot.initrd.availableKernelModules = [ "nvme" "ahci" ];
 
         services = {
+          fmo-psk-distribution-service-host = {
+              enable = true;
+          };
           registration-agent-laptop = {
             enable = true;
           }; # services.registration-agent-laptop
@@ -85,6 +89,10 @@
               reflector = true;
             }; # services.avahi
 
+            fmo-psk-distribution-service-vm = {
+              enable = true;
+            };
+
             portforwarding-service = {
               enable = true;
               ipaddress = "192.168.100.12";
@@ -156,9 +164,15 @@
                 proto = "virtiofs";
                 socket = "netconf.sock";
               }
+              {
+                tag = "ssh-public-key";
+                source = "/run/ssh-public-key";
+                mountPoint = "/run/ssh-public-key";
+              }
             ]; # microvm.shares
           }; # microvm
 
+          fileSystems."/run/ssh-public-key".options = ["ro"];
           # For WLAN firmwares
           hardware.enableRedistributableFirmware = true;
         }]; # extraModules

diff --git a/hardware/fmo-os-rugged-tablet-7230.nix b/hardware/fmo-os-rugged-tablet-7230.nix
@@ -22,6 +22,7 @@
       }
       {
         app = "nmLauncher";
+        extraArgs = "192.168.101.1 ghaf";
       }
     ]; # launchers;
 
@@ -85,6 +86,10 @@
               reflector = true;
             }; # services.avahi
 
+            fmo-psk-distribution-service-vm = {
+              enable = true;
+            };
+
             portforwarding-service = {
               enable = true;
               ipaddress = "192.168.100.12";
@@ -136,9 +141,15 @@
                 proto = "virtiofs";
                 socket = "netconf.sock";
               }
+              {
+                tag = "ssh-public-key";
+                source = "/run/ssh-public-key";
+                mountPoint = "/run/ssh-public-key";
+              }
             ]; # microvm.shares
           }; # microvm
 
+          fileSystems."/run/ssh-public-key".options = ["ro"];
           # For WLAN firmwares
           hardware.enableRedistributableFirmware = true;
         }]; # extraModules

diff --git a/modules/custom-packages/nmLauncher/default.nix b/modules/custom-packages/nmLauncher/default.nix
@@ -4,9 +4,11 @@
   nmLauncher = final.writeShellScriptBin "nmLauncher" ''
           export DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/ssh_session_dbus.sock
           export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/tmp/ssh_system_dbus.sock
-          ${final.openssh}/bin/ssh-keygen -R 192.168.100.1
+          netvmip=''${1:-192.168.101.1}
+          netvmuser=''${2:-ghaf}
+          ${final.openssh}/bin/ssh-keygen -R $netvmip
           ${final.openssh}/bin/ssh -M -S /tmp/ssh_control_socket \
-              -f -N -q [email protected] \
+              -f -N -q $netvmuser@$netvmip \
               -i /run/ssh-keys/id_ed25519 \
               -o StrictHostKeyChecking=no \
               -o StreamLocalBindUnlink=yes \
@@ -15,6 +17,6 @@
               -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket
           ${final.networkmanagerapplet}/bin/nm-connection-editor
           # Use the control socket to close the ssh tunnel.
-          ${final.openssh}/bin/ssh -q -S /tmp/ssh_control_socket -O exit [email protected]
+          ${final.openssh}/bin/ssh -q -S /tmp/ssh_control_socket -O exit $netvmuser@$netvmip
         '';
 })
diff --git a/modules/fmo-module-list.nix b/modules/fmo-module-list.nix
@@ -16,4 +16,6 @@
   ./portforwarding-service
   ./registration-agent-laptop
   ../utils/write-to-file
+  ./fmo-psk-distribution-host
+  ./fmo-psk-distribution-vm
 ]
diff --git a/modules/fmo-psk-distribution-host/default.nix b/modules/fmo-psk-distribution-host/default.nix
@@ -0,0 +1,58 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, pkgs, config, ... }:
+with lib;
+let
+  cfg = config.services.fmo-psk-distribution-service-host;
+in {
+  options.services.fmo-psk-distribution-service-host = {
+    enable = mkEnableOption "fmo-psk-distribution-service-host";
+  };
+
+  config = mkIf cfg.enable {
+    ### host part ###
+    systemd.services."psk-ssh-keygen" = let
+      keygenScript = pkgs.writeShellScriptBin "psk-ssh-keygen" ''
+        set -xeuo pipefail
+        mkdir -p /run/ssh-keys
+        echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/ssh-keys/id_ed25519 -C ""
+        chown ghaf:ghaf /run/ssh-keys/*
+        chmod 600 /run/ssh-keys/*
+        cp /run/ssh-keys/id_ed25519.pub /run/ssh-public-key/id_ed25519.pub
+        chmod 644 /run/ssh-public-key/id_ed25519.pub
+      '';
+    in {
+      enable = true;
+      description = "Generate SSH keys for Waypipe";
+      path = [keygenScript];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        StandardOutput = "journal";
+        StandardError = "journal";
+        ExecStart = "${keygenScript}/bin/psk-ssh-keygen";
+      };
+    };
+
+   # This directory needs to be created before any of the microvms start.
+    systemd.services."create-ssh-public-key-directory" = let
+      script = pkgs.writeShellScriptBin "create-ssh-public-key-directory" ''
+        mkdir -pv /run/ssh-public-key
+        chown -v microvm /run/ssh-public-key
+      '';
+    in {
+      enable = true;
+      description = "Create shared directory on host";
+      path = [];
+      wantedBy = ["microvms.target"];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        StandardOutput = "journal";
+        StandardError = "journal";
+        ExecStart = "${script}/bin/create-ssh-public-key-directory";
+      };
+    };
+  };
+}
diff --git a/modules/fmo-psk-distribution-vm/default.nix b/modules/fmo-psk-distribution-vm/default.nix
@@ -0,0 +1,44 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, pkgs, config, ... }:
+with lib;
+let
+  cfg = config.services.fmo-psk-distribution-service-vm;
+in {
+  options.services.fmo-psk-distribution-service-vm = {
+    enable   = mkEnableOption "fmo-psk-distribution-service-vm";
+
+    ipaddress-path = mkOption {
+      type = types.str;
+      description = "Path to ipaddress file for dynamic use";
+      default = "";
+    };
+
+    ipaddress = mkOption {
+      type = types.str;
+      description = "Static IP address to use instead for dynamic from file";
+      default = "";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    ### vm part ###
+    # SSH is very picky about the file permissions and ownership and will
+    # accept neither direct path inside /nix/store or symlink that points
+    # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by
+    # setting mode), instead of symlinking it.
+    environment.etc."ssh/get-auth-keys" = {
+      source = let
+        script = pkgs.writeShellScriptBin "get-auth-keys" ''
+          [[ "$1" != "ghaf" ]] && exit 0
+          ${pkgs.coreutils}/bin/cat /run/ssh-public-key/id_ed25519.pub
+        '';
+      in "${script}/bin/get-auth-keys";
+      mode = "0555";
+    };
+    services.openssh = {
+      authorizedKeysCommand = "/etc/ssh/get-auth-keys";
+      authorizedKeysCommandUser = "nobody";
+    };
+  };
+}