
Make it possible to use Nixops without automatic SSH key provisioning #1247

Merged
merged 3 commits into from May 15, 2020

Conversation

adisbladis
Member

No description provided.

@adisbladis adisbladis changed the title Make it possible to use Nixops automatic SSH key provisioning Make it possible to use Nixops without automatic SSH key provisioning Mar 10, 2020
@adisbladis adisbladis changed the title Make it possible to use Nixops without automatic SSH key provisioning WIP: Make it possible to use Nixops without automatic SSH key provisioning Mar 10, 2020
Member

@grahamc grahamc left a comment


Looking pretty cool so far :)

You and I were talking about this a few days ago, and this is what I wrote up then. I wonder if there is a way to author this PR in a way that builds out support for the other use cases?

example use cases we might want...

what we do now, but more explicit:

{
  defaults = { resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.management-key;
  };
  resources.sshKeyPairs.management-key = {};
}

create an SSH key per machine, automatically:

{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs."${machine_uuid}"; # implicitly create an SSH key per host
  };
}

use a yubikey or other PKCS11-compatible device for SSH:

{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.adams-yubikey;
  };
  resources.sshKeyPairs.adams-yubikey = {
    provider = "pkcs11";
    keyId = "abc123";
  };
}

get an automatically provisioned SSH key from Vault:

{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.vault-deploykey;
  };
  resources.sshKeyPairs.vault-deploykey = {
    provider = "vault";
    server = "https://127.0.0.1:8200";
    secretEngine = "ssh-keys";
    role = "nixops-deploy";
  };
}

use your SSH agent, with a defined SSH public key for provisioning:

{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.agent;
  };
  resources.sshKeyPairs.agent = {
    provider = "ssh-agent";
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUy2CGT6P3q2kApZEuyCHsuCruwdRzeWMdQe/WjdCak grahamc@Petunia"; # needed to copy to the target during provisioning
  };
}

@adisbladis
Member Author

adisbladis commented Mar 11, 2020

You and I were talking about this a few days ago, and this is what I wrote up then. I wonder if there is a way to author this PR in a way that builds out support for the other use cases?

I actually think we end up with more flexibility by not supporting each use case explicitly.
I think the most reasonable and flexible approach is to leave the specifics of authentication up to the user.

By doing this we automatically support most use cases that support an SSH agent.
PKCS11 is supported natively by OpenSSH too, so that's supported with this approach already.

I don't know about using Vault, that may require explicit support from Nixops.

@adisbladis adisbladis changed the title WIP: Make it possible to use Nixops without automatic SSH key provisioning Make it possible to use Nixops without automatic SSH key provisioning Mar 11, 2020
@tomberek
Contributor

There is some overlap between this and #1048 and #1054. A cohesive solution would be great.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update/6525/1

@adisbladis
Member Author

Rebased on latest master


@chreekat chreekat left a comment


Looking forward to this!

@chreekat

chreekat commented Apr 19, 2020

I actually think we end up with more flexibility by not supporting each use case explicitly.
I think the most reasonable and flexible approach is to leave the specifics of authentication up to the user.

While working on a similar problem recently, I realized that accepting and/or generating an entire openssh config file is a really flexible option! In my utility, I was able to clean up all my ssh invocations this way (simply ssh -F $config_file).

(This is not a recommendation for this PR, just a note!)
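As an added illustration of the "generate a whole openssh config and call `ssh -F`" approach described above (example code written for this page, not part of the PR or of NixOps itself): a small POSIX shell function that emits a per-deployment client config in which authentication is left entirely to the user's agent or hardware token, while the host key, the offered identity and the allowed auth methods are pinned. The function name, the host alias, the RFC 5737 address and the PKCS#11 module path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the nixops PR: write an OpenSSH client config for one
# deployment target so that every later call is just `ssh -F "$cfg" <alias>`.
# Names (gen_ssh_config, cfg_has, the pkcs11 module path) are assumptions.

gen_ssh_config() {
    # $1 output path        $2 Host alias        $3 target address
    # $4 login user         $5 known_hosts file  $6 public key file (.pub)
    # $7 optional PKCS#11 module for a YubiKey / smartcard
    out=$1; host_alias=$2; addr=$3; user=$4; kh=$5; pub=$6; pkcs11=${7:-}
    {
        printf 'Host %s\n' "$host_alias"
        printf '    HostName %s\n' "$addr"
        printf '    User %s\n' "$user"
        # Pin the host key to a file we control: no TOFU prompt, no silent accept.
        printf '    StrictHostKeyChecking yes\n'
        printf '    UserKnownHostsFile %s\n' "$kh"
        # IdentitiesOnly plus an IdentityFile pointing at the .pub makes ssh offer
        # exactly this key (held by the agent or the token) instead of every key
        # the agent knows about. The .pub must be the public half of that key.
        printf '    IdentitiesOnly yes\n'
        printf '    IdentityFile %s\n' "$pub"
        if [ -n "$pkcs11" ]; then
            # OpenSSH loads the token's keys itself; no nixops support needed.
            printf '    PKCS11Provider %s\n' "$pkcs11"
        fi
        # Never fall back to a password during provisioning.
        printf '    PasswordAuthentication no\n'
        printf '    KbdInteractiveAuthentication no\n'
    } > "$out"
    chmod 0600 "$out"
}

# Check helper: does the generated config contain exactly this option line?
cfg_has() {
    grep -qxF "    $2" "$1"
}
```

Usage: `gen_ssh_config ./deploy.cfg deploy-host 192.0.2.10 root ./known_hosts ./id_ed25519.pub /usr/lib/opensc-pkcs11.so`, then `ssh -F ./deploy.cfg deploy-host`. Omit the seventh argument for a plain agent-held key. `BatchMode yes` is deliberately not set: with a PKCS#11 token ssh still has to prompt for the PIN.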

@adisbladis
Member Author

While working on a similar problem recently, I realized that accepting and/or generating an entire openssh config file is a really flexible option!

This has been somewhat addressed in #1270 with the addition of sshOptions.

@grahamc grahamc added this to the 2.0 milestone Apr 20, 2020
@grahamc grahamc added this to In progress in kanban Apr 23, 2020
@grahamc grahamc moved this from In progress to To do in kanban Apr 23, 2020
@adisbladis adisbladis force-pushed the no-ssh-key-provision branch 2 times, most recently from 1fcaaef to cf6069e, April 27, 2020 10:43
@adisbladis adisbladis force-pushed the no-ssh-key-provision branch 2 times, most recently from 1083a18 to b28fcb9, May 5, 2020 11:31
@adisbladis adisbladis force-pushed the no-ssh-key-provision branch 3 times, most recently from 679d98f to 5e7d3a9, May 15, 2020 15:46
This line has been a constant source of annoyance when adding/removing
options.
This may look ugly but optimises for "diffability".
Member

@grahamc grahamc left a comment


lgtm!

Labels: none
Projects: kanban (Done)
Milestone: 2.0
5 participants