From ba03ec36558b8501b00c0491dbfe15fe360361ef Mon Sep 17 00:00:00 2001 From: jsvapiav Date: Thu, 18 Apr 2024 10:37:10 +0300 Subject: [PATCH] Add psk distribution for key sharing between VM and host (#30) - add psk distribution for vm - add psk distribution for host - add ip and user name for nmLuncher - add shared storage for ssh keys to use with nmLauncher Signed-off-by: Ivan Kuznetsov --- hardware/fmo-os-rugged-laptop-7330.nix | 14 +++++ hardware/fmo-os-rugged-tablet-7230.nix | 11 ++++ .../custom-packages/nmLauncher/default.nix | 8 ++- modules/fmo-module-list.nix | 2 + modules/fmo-psk-distribution-host/default.nix | 58 +++++++++++++++++++ modules/fmo-psk-distribution-vm/default.nix | 44 ++++++++++++++ 6 files changed, 134 insertions(+), 3 deletions(-) create mode 100644 modules/fmo-psk-distribution-host/default.nix create mode 100644 modules/fmo-psk-distribution-vm/default.nix diff --git a/hardware/fmo-os-rugged-laptop-7330.nix b/hardware/fmo-os-rugged-laptop-7330.nix index f1c18f9..7c76109 100644 --- a/hardware/fmo-os-rugged-laptop-7330.nix +++ b/hardware/fmo-os-rugged-laptop-7330.nix @@ -22,6 +22,7 @@ } { app = "nmLauncher"; + extraArgs = "192.168.101.1 ghaf"; } ]; # launchers; @@ -31,6 +32,9 @@ boot.initrd.availableKernelModules = [ "nvme" "ahci" ]; services = { + fmo-psk-distribution-service-host = { + enable = true; + }; registration-agent-laptop = { enable = true; }; # services.registration-agent-laptop @@ -85,6 +89,10 @@ reflector = true; }; # services.avahi + fmo-psk-distribution-service-vm = { + enable = true; + }; + portforwarding-service = { enable = true; ipaddress = "192.168.100.12"; @@ -156,9 +164,15 @@ proto = "virtiofs"; socket = "netconf.sock"; } + { + tag = "ssh-public-key"; + source = "/run/ssh-public-key"; + mountPoint = "/run/ssh-public-key"; + } ]; # microvm.shares }; # microvm + fileSystems."/run/ssh-public-key".options = ["ro"]; # For WLAN firmwares hardware.enableRedistributableFirmware = true; }]; # extraModules 
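Review bot: The new `ssh-public-key` share in the `microvm.shares` hunk (`@@ -156,9 +164,15 @@`) sets no `proto`, whereas the sibling `netconf.sock` share pins `proto = "virtiofs";`; the transport will fall back to whatever microvm.nix defaults to, so pin it explicitly for consistency, e.g. add `proto = "virtiofs";` after the `tag = "ssh-public-key";` line. The same unpinned share appears in the tablet hunk of hardware/fmo-os-rugged-tablet-7230.nix. Mounting the share read-only via `fileSystems."/run/ssh-public-key".options = ["ro"];` is the right direction for this boundary: only the public half of the key pair crosses into the guest and the guest cannot alter what the host published, and a one-line comment above the share saying so would help the next reader understand why the option is there.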
diff --git a/hardware/fmo-os-rugged-tablet-7230.nix b/hardware/fmo-os-rugged-tablet-7230.nix index f4a6b8d..6521789 100644 --- a/hardware/fmo-os-rugged-tablet-7230.nix +++ b/hardware/fmo-os-rugged-tablet-7230.nix @@ -22,6 +22,7 @@ } { app = "nmLauncher"; + extraArgs = "192.168.101.1 ghaf"; } ]; # launchers; @@ -85,6 +86,10 @@ reflector = true; }; # services.avahi + fmo-psk-distribution-service-vm = { + enable = true; + }; + portforwarding-service = { enable = true; ipaddress = "192.168.100.12"; @@ -136,9 +141,15 @@ proto = "virtiofs"; socket = "netconf.sock"; } + { + tag = "ssh-public-key"; + source = "/run/ssh-public-key"; + mountPoint = "/run/ssh-public-key"; + } ]; # microvm.shares }; # microvm + fileSystems."/run/ssh-public-key".options = ["ro"]; # For WLAN firmwares hardware.enableRedistributableFirmware = true; }]; # extraModules diff --git a/modules/custom-packages/nmLauncher/default.nix b/modules/custom-packages/nmLauncher/default.nix index b234506..b4b1ac0 100644 --- a/modules/custom-packages/nmLauncher/default.nix +++ b/modules/custom-packages/nmLauncher/default.nix @@ -4,9 +4,11 @@ nmLauncher = final.writeShellScriptBin "nmLauncher" '' export DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/ssh_session_dbus.sock export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/tmp/ssh_system_dbus.sock - ${final.openssh}/bin/ssh-keygen -R 192.168.100.1 + netvmip=''${1:-192.168.101.1} + netvmuser=''${2:-ghaf} + ${final.openssh}/bin/ssh-keygen -R $netvmip ${final.openssh}/bin/ssh -M -S /tmp/ssh_control_socket \ - -f -N -q ghaf@192.168.100.1 \ + -f -N -q $netvmuser@$netvmip \ -i /run/ssh-keys/id_ed25519 \ -o StrictHostKeyChecking=no \ -o StreamLocalBindUnlink=yes \ 
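Review bot: The tablet hunks enable `fmo-psk-distribution-service-vm` and add the `ssh-public-key` share, but unlike the laptop file no hunk enables `fmo-psk-distribution-service-host` in the host `services` block. Unless the tablet's host configuration already enables it somewhere not shown here, nothing creates `/run/ssh-public-key` or publishes `id_ed25519.pub` on the host, so the share points at a missing directory and the guest's authorized-keys lookup for `ghaf` returns nothing. If that is unintended, add `fmo-psk-distribution-service-host = { enable = true; };` next to the host services, as the laptop hunk at `@@ -31,6 +32,9 @@` does.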
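Review bot: The new positional parameters are expanded unquoted in `${final.openssh}/bin/ssh-keygen -R $netvmip` and `-f -N -q $netvmuser@$netvmip` (and in the `-O exit` line of the following hunk), so a value containing whitespace or glob characters would be word-split by the shell; quote them as `"$netvmip"` and `"$netvmuser@$netvmip"`. The fallback in `netvmip=''${1:-192.168.101.1}` also silently moves the default target from the removed `192.168.100.1` to `192.168.101.1`, which the commit message does not mention; confirm that is intended rather than a copy of the launchers' `extraArgs`. Because the script still drops the known_hosts entry with `ssh-keygen -R` and connects with `-o StrictHostKeyChecking=no`, the host side does not authenticate the netvm at all, so the address passed via `extraArgs` is the only thing deciding where the `ghaf` identity key is presented; a comment at the top of the script stating that assumption would make the trust model explicit.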
@@ -15,6 +17,6 @@ -L /tmp/ssh_system_dbus.sock:/run/dbus/system_bus_socket ${final.networkmanagerapplet}/bin/nm-connection-editor # Use the control socket to close the ssh tunnel. - ${final.openssh}/bin/ssh -q -S /tmp/ssh_control_socket -O exit ghaf@192.168.100.1 + ${final.openssh}/bin/ssh -q -S /tmp/ssh_control_socket -O exit $netvmuser@$netvmip ''; }) diff --git a/modules/fmo-module-list.nix b/modules/fmo-module-list.nix index 8c580da..7d0796c 100644 --- a/modules/fmo-module-list.nix +++ b/modules/fmo-module-list.nix @@ -16,4 +16,6 @@ ./portforwarding-service ./registration-agent-laptop ../utils/write-to-file + ./fmo-psk-distribution-host + ./fmo-psk-distribution-vm ] diff --git a/modules/fmo-psk-distribution-host/default.nix b/modules/fmo-psk-distribution-host/default.nix new file mode 100644 index 0000000..4fd6212 --- /dev/null +++ b/modules/fmo-psk-distribution-host/default.nix 
@@ -0,0 +1,58 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.services.fmo-psk-distribution-service-host;
+in {
+ options.services.fmo-psk-distribution-service-host = {
+ enable = mkEnableOption "fmo-psk-distribution-service-host";
+ };
+
+ config = mkIf cfg.enable {
+ ### host part ###
+ systemd.services."psk-ssh-keygen" = let
+ keygenScript = pkgs.writeShellScriptBin "psk-ssh-keygen" ''
+ set -xeuo pipefail
+ mkdir -p /run/ssh-keys
+ echo -en "\n\n\n" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /run/ssh-keys/id_ed25519 -C ""
+ chown ghaf:ghaf /run/ssh-keys/*
+ chmod 600 /run/ssh-keys/*
+ cp /run/ssh-keys/id_ed25519.pub /run/ssh-public-key/id_ed25519.pub
+ chmod 644 /run/ssh-public-key/id_ed25519.pub
+ '';
+ in {
+ enable = true;
+ description = "Generate SSH keys for Waypipe";
+ path = [keygenScript];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ StandardOutput = "journal";
+ StandardError = "journal";
+ ExecStart = "${keygenScript}/bin/psk-ssh-keygen";
+ };
+ };
+
+ # This directory needs to be created before any of the microvms start.
+ systemd.services."create-ssh-public-key-directory" = let
+ script = pkgs.writeShellScriptBin "create-ssh-public-key-directory" ''
+ mkdir -pv /run/ssh-public-key
+ chown -v microvm /run/ssh-public-key
+ '';
+ in {
+ enable = true;
+ description = "Create shared directory on host";
+ path = [];
+ wantedBy = ["microvms.target"];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ StandardOutput = "journal";
+ StandardError = "journal";
+ ExecStart = "${script}/bin/create-ssh-public-key-directory";
+ };
+ };
+ };
+}
diff --git a/modules/fmo-psk-distribution-vm/default.nix b/modules/fmo-psk-distribution-vm/default.nix new file mode 100644
index 0000000..959c0f1
--- /dev/null
+++ b/modules/fmo-psk-distribution-vm/default.nix
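Review bot: `psk-ssh-keygen` copies the public key into `/run/ssh-public-key`, but it declares no ordering against `create-ssh-public-key-directory`, and the two units are pulled in by different targets (`multi-user.target` vs `microvms.target`); at boot the `cp` can run before the directory exists and, under `set -xeuo pipefail`, the whole unit fails and no key is published. Add `after = ["create-ssh-public-key-directory.service"]; requires = ["create-ssh-public-key-directory.service"];` to the keygen unit, or put `mkdir -p /run/ssh-public-key` in its script. The description `"Generate SSH keys for Waypipe"` looks carried over from elsewhere; this key authenticates nmLauncher's tunnel, so `description = "Generate ed25519 key pair for nmLauncher PSK distribution";` is more accurate. If the unit is ever restarted while `/run/ssh-keys/id_ed25519` still exists, `ssh-keygen -f` will prompt to overwrite and the piped newlines answer with something other than `y`, which I expect to make it exit non-zero and fail the unit; guard it with `[ -f /run/ssh-keys/id_ed25519 ] ||` or remove the old pair first. Keeping the private key host-only at mode 600 and exporting only the `.pub` is the right split for this boundary and deserves a comment saying so.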
@@ -0,0 +1,44 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.services.fmo-psk-distribution-service-vm;
+in {
+ options.services.fmo-psk-distribution-service-vm = {
+ enable = mkEnableOption "fmo-psk-distribution-service-vm";
+
+ ipaddress-path = mkOption {
+ type = types.str;
+ description = "Path to ipaddress file for dynamic use";
+ default = "";
+ };
+
+ ipaddress = mkOption {
+ type = types.str;
+ description = "Static IP address to use instead for dynamic from file";
+ default = "";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ ### vm part ###
+ # SSH is very picky about the file permissions and ownership and will
+ # accept neither direct path inside /nix/store or symlink that points
+ # there. Therefore we copy the file to /etc/ssh/get-auth-keys (by
+ # setting mode), instead of symlinking it.
+ environment.etc."ssh/get-auth-keys" = {
+ source = let
+ script = pkgs.writeShellScriptBin "get-auth-keys" ''
+ [[ "$1" != "ghaf" ]] && exit 0
+ ${pkgs.coreutils}/bin/cat /run/ssh-public-key/id_ed25519.pub
+ '';
+ in "${script}/bin/get-auth-keys";
+ mode = "0555";
+ };
+ services.openssh = {
+ authorizedKeysCommand = "/etc/ssh/get-auth-keys";
+ authorizedKeysCommandUser = "nobody";
+ };
+ };
+}
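Review bot: The options `ipaddress-path` and `ipaddress` are declared under `options.services.fmo-psk-distribution-service-vm` but nothing in the `config` block reads `cfg.ipaddress-path` or `cfg.ipaddress`, so setting them has no effect; either wire them in or drop them until they are used, and meanwhile say in their `description` that they are not yet consumed. `get-auth-keys` runs as `nobody` via `authorizedKeysCommandUser`, so it has to traverse `/run/ssh-public-key` inside the guest; the host side only `chmod 644`s the file and leaves the directory mode to `mkdir -pv`'s umask, and guest-side ownership depends on the share transport, so verify the lookup actually succeeds rather than quietly yielding an empty key set. A comment next to `authorizedKeysCommand` should record that whoever can write `/run/ssh-public-key` on the host (the directory is chowned to `microvm`) decides which key logs in as `ghaf` on this VM, so that host directory is part of the VM's trust boundary.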