base repository: NixOS/nixpkgs-channels
base: 42d03aabbd34
head repository: NixOS/nixpkgs-channels
compare: 05f0934825c2

Commits on Mar 15, 2020

  1. passExtensions.pass-audit: 0.1 -> 1.0.1, refactor

    Updates to v1.0.1[1] which supports subdirs and zxcvbn[2]-based
    complexity checks. Also, the following things changed:
    
    * Add separate output for man-pages
    * Enable test-suite (after adding a patch which mocks the
      `pwnedpasswords.com`).
    * Added myself as maintainer.
    
    [1] https://github.com/roddhjav/pass-audit/releases/tag/v1.0.1 /
        https://github.com/roddhjav/pass-audit/releases/tag/v1.0
    
    [2] https://pypi.org/project/zxcvbn-python/
    Ma27 committed Mar 15, 2020
    16001ea
  2. pass: allow adding extensions without rebuilding the package

    Until now, `pkgs.pass` was rebuilt entirely when adding an extension
    using the `pass.withExtensions` function. This is fixed now by removing the
    linking of extensions from the fixupPhase and merging all paths (including
    those from pkgs.pass) together using `pkgs.buildEnv`.
    Ma27 committed Mar 15, 2020
    187f3e7

Commits on Mar 17, 2020

  1. nixos/alertmanager: start after the network-online target

    If the host network stack is slow to start, the alertmanager fails to
    start with this error message:
    
        caller=main.go:256 msg="unable to initialize gossip mesh" err="create memberlist: Failed to get final advertise address: No private IP address found, and explicit IP not provided"
    
    This bug can be reproduced by shutting down the network stack and
    restarting the alertmanager.
    
    Note I don't know why I didn't hit this issue with previous
    alertmanager releases.
    nlewo committed Mar 17, 2020

    39621bb

Commits on Mar 20, 2020

  1. 43ff2ab

Commits on Mar 25, 2020

  1. nixos/initrd-ssh: switch from Dropbear to OpenSSH

    Dropbear lags behind OpenSSH significantly in both support for modern
    key formats like `ssh-ed25519`, let alone the recently-introduced
    U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched
    my `authorizedKeys` over to it and promptly locked myself out of my
    server's initrd SSH, breaking reboots), as well as security features
    like multiprocess isolation. Using the same SSH daemon for stage-1 and
    the main system ensures key formats will always remain compatible, as
    well as more conveniently allowing the sharing of configuration and
    host keys.
    
    The main reason to use Dropbear over OpenSSH would be initrd space
    concerns, but NixOS initrds are already large (17 MiB currently on my
    server), and the size difference between the two isn't huge (the test's
    initrd goes from 9.7 MiB to 12 MiB with this change). If the size is
    still a problem, then it would be easy to shrink sshd down to a few
    hundred kilobytes by using an initrd-specific build that uses musl and
    disables things like Kerberos support.
    
    This passes the test and works on my server, but more rigorous testing
    and review from people who use initrd SSH would be appreciated!
    emilazy committed Mar 25, 2020

    d930466

Commits on Mar 26, 2020

  1. 5dbeb69

Commits on Mar 27, 2020

  1. slack: 4.2.0 -> 4.4.0

    * 4.4.1 on Darwin
    * remove dark-theme, it's now included in the release
    prusnak committed Mar 27, 2020

    84d18ac
  2. slack-dark: alias to slack

    mmahut authored and prusnak committed Mar 27, 2020

    9a43587
  3. firejail: local profile handling fixed

    made it possible to place local profiles in `~/.config/firejail`,
    as well as in `/etc/firejail`.
    snicket2100 committed Mar 27, 2020
    a63f6a7

Commits on Mar 28, 2020

  1. aed79fb
  2. 0174009
  3. xidlehook: 0.8.0 -> 0.8.2

    Mic92 committed Mar 28, 2020

    cc9389e
  4. 4366b19
  5. d0fabe4
  6. Merge pull request #82603 from emilazy/nixos-initrd-openssh

    nixos/initrd-ssh: switch from Dropbear to OpenSSH
    lukateras authored Mar 28, 2020

    5626cb9
  7. 9c7c0e1
  8. Merge pull request #82808 from nlewo/fix-alertmanager

    nixos/alertmanager: start after the network-online target
    nlewo authored Mar 28, 2020

    afb035a
  9. Merge pull request #78014 from colemickens/nixpkgs-ha-pkgs-bravia

    pythonPackages.bravia_tv: init at 1.0.1
    globin authored Mar 28, 2020

    9ce91ec
  10. Merge pull request #83576 from rnhmjoj/antimony

    antimony: 2019-10-30 -> 2020-03-28
    rnhmjoj authored Mar 28, 2020

    ddd9f00
  11. atlassian-jira: 8.7.1 -> 8.8.0 (#83218)

    fix not starting service when jdk is jdk11
    basilgood authored Mar 28, 2020

    758f81d
  12. soci: init at 4.0.0

    jluttine committed Mar 28, 2020
    3125cc6
  13. 4179075
  14. bctoolbox: 0.6.0 -> 4.3.1

    jluttine committed Mar 28, 2020
    9bd2612
  15. 8a236c6
  16. 1e9f771
  17. 810dac3
  18. lime: init at 4.3.1

    jluttine committed Mar 28, 2020
    dcf2f11
  19. belcard: 1.0.2 -> 4.3.1

    jluttine committed Mar 28, 2020
    187ae7c
  20. bzrtp: 1.0.6 -> 4.3.1

    jluttine committed Mar 28, 2020
    7c5bff5
  21. d4988c7
  22. Merge pull request #82499 from helsinki-systems/upd/atlassian-confluence

    atlassian-confluence: 7.2.1 -> 7.3.4
    globin authored Mar 28, 2020
    c273c38
  23. bf96f91
  24. Merge pull request #82691 from Ma27/pass-exts

    pass: don't rebuild when adding extensions, pass-audit: 0.1 -> 1.0.1
    globin authored Mar 28, 2020
    16c8590
  25. 657d81a
  26. e76a190
  27. Merge pull request #83515 from snicket2100/firejail-fix

    firejail: local profile handling fixed
    7c6f434c authored Mar 28, 2020
    7dc2439
  28. 1e51592
  29. 8b2abbb
  30. 70e5388
  31. trx: 0.4 -> 0.5

    jluttine committed Mar 28, 2020
    86a012b
  32. Merge pull request #82097 from millerjason/bugfix/vim_configurable

    vim_configurable: fix default gui for darwin
    LnL7 authored Mar 28, 2020
    67938c1
  33. Merge pull request #82682 from Mic92/xidlehook

    xidlehook: 0.8.0 -> 0.8.2
    Mic92 authored Mar 28, 2020
    b4567fb
  34. Merge pull request #79193 from equirosa/vimPlugins.vim-kitty-navigator

    vimPlugins.vim-kitty-navigator: init at 2019-11-04
    timokau authored Mar 28, 2020
    f076ece
  35. b3e6d20
  36. gitAndTools.grv: 0.3.1 -> 0.3.2

    Mic92 committed Mar 28, 2020
    d13c14b
  37. 4f44435
  38. f031352
  39. 716bb29
  40. f909e50
  41. Merge pull request #83502 from minijackson/vimPlugins-gruvbox-community-2020-02-24

    vimPlugins.gruvbox-community: 2019-05-31 -> 2020-02-24
    timokau authored Mar 28, 2020
    d8cb79d
Showing with 2,317 additions and 1,364 deletions.
  1. +17 −0 nixos/doc/manual/release-notes/rl-2009.xml
  2. +1 −1 nixos/modules/services/monitoring/prometheus/alertmanager.nix
  3. +124 −54 nixos/modules/system/boot/initrd-ssh.nix
  4. +4 −1 nixos/modules/system/boot/stage-1.nix
  5. +16 −6 nixos/tests/initrd-network-ssh/default.nix
  6. BIN nixos/tests/initrd-network-ssh/dropbear.priv
  7. +0 −1 nixos/tests/initrd-network-ssh/dropbear.pub
  8. +3 −5 nixos/tests/initrd-network-ssh/generate-keys.nix
  9. +7 −0 nixos/tests/initrd-network-ssh/id_ed25519
  10. +1 −0 nixos/tests/initrd-network-ssh/id_ed25519.pub
  11. +0 −51 nixos/tests/initrd-network-ssh/openssh.priv
  12. +0 −1 nixos/tests/initrd-network-ssh/openssh.pub
  13. +7 −0 nixos/tests/initrd-network-ssh/ssh_host_ed25519_key
  14. +1 −0 nixos/tests/initrd-network-ssh/ssh_host_ed25519_key.pub
  15. +1 −1 pkgs/applications/editors/vim/configurable.nix
  16. +5 −6 pkgs/applications/graphics/antimony/default.nix
  17. +2 −2 pkgs/applications/graphics/gscan2pdf/default.nix
  18. +385 −385 pkgs/applications/networking/browsers/firefox-bin/beta_sources.nix
  19. +385 −385 pkgs/applications/networking/browsers/firefox-bin/devedition_sources.nix
  20. +214 −36 pkgs/applications/networking/instant-messengers/linphone/default.nix
  21. +13 −0 pkgs/applications/networking/instant-messengers/linphone/fix_minizip_linking.patch
  22. +0 −19 pkgs/applications/networking/instant-messengers/slack/dark-theme.nix
  23. +55 −45 pkgs/applications/networking/instant-messengers/slack/default.nix
  24. +0 −19 pkgs/applications/networking/instant-messengers/slack/update.sh
  25. +2 −2 pkgs/applications/networking/msmtp/default.nix
  26. +21 −6 pkgs/applications/version-management/git-and-tools/grv/default.nix
  27. +12 −9 pkgs/desktops/deepin/dde-api/default.nix
  28. +7 −5 pkgs/desktops/deepin/dde-daemon/default.nix
  29. +4 −4 pkgs/desktops/deepin/startdde/default.nix
  30. +22 −10 pkgs/development/libraries/bctoolbox/default.nix
  31. +21 −11 pkgs/development/libraries/belcard/default.nix
  32. +25 −10 pkgs/development/libraries/belle-sip/default.nix
  33. +23 −12 pkgs/development/libraries/belr/default.nix
  34. +21 −9 pkgs/development/libraries/bzrtp/default.nix
  35. +150 −0 pkgs/development/libraries/liblinphone/default.nix
  36. +36 −0 pkgs/development/libraries/lime/default.nix
  37. +81 −20 pkgs/development/libraries/mediastreamer/default.nix
  38. +33 −15 pkgs/development/libraries/mediastreamer/msopenh264.nix
  39. +14 −20 pkgs/development/libraries/mediastreamer/plugins_dir.patch
  40. +20 −8 pkgs/development/libraries/ortp/default.nix
  41. +31 −0 pkgs/development/libraries/soci/default.nix
  42. +28 −0 pkgs/development/python-modules/bravia-tv/default.nix
  43. +2 −2 pkgs/development/python-modules/plumbum/default.nix
  44. +22 −0 pkgs/misc/vim-plugins/generated.nix
  45. +0 −12 pkgs/misc/vim-plugins/overrides.nix
  46. +2 −0 pkgs/misc/vim-plugins/vim-plugin-names
  47. +20 −3 pkgs/os-specific/linux/firejail/default.nix
  48. +2 −2 pkgs/servers/atlassian/confluence.nix
  49. +8 −3 pkgs/servers/atlassian/jira.nix
  50. +1 −1 pkgs/servers/home-assistant/component-packages.nix
  51. +4 −3 pkgs/tools/X11/xidlehook/default.nix
  52. +15 −0 pkgs/tools/audio/trx/add_bctoolbox_ldlib.patch
  53. +8 −2 pkgs/tools/audio/trx/default.nix
  54. +24 −16 pkgs/tools/misc/bcunit/default.nix
  55. +120 −115 pkgs/tools/security/pass/default.nix
  56. +32 −0 pkgs/tools/security/pass/extension-dir.patch
  57. +0 −42 pkgs/tools/security/pass/extensions/audit.nix
  58. +175 −0 pkgs/tools/security/pass/extensions/audit/0001-Make-it-possible-to-run-the-tests-offline.patch
  59. +28 −0 pkgs/tools/security/pass/extensions/audit/0002-Fix-audit.bash-setup.patch
  60. +51 −0 pkgs/tools/security/pass/extensions/audit/default.nix
  61. +1 −1 pkgs/tools/security/pass/extensions/default.nix
  62. +1 −0 pkgs/top-level/aliases.nix
  63. +7 −3 pkgs/top-level/all-packages.nix
  64. +2 −0 pkgs/top-level/python-packages.nix
17 changes: 17 additions & 0 deletions nixos/doc/manual/release-notes/rl-2009.xml
@@ -108,6 +108,23 @@
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
</para>
</listitem>
<listitem>
<para>
The initrd SSH support now uses OpenSSH rather than Dropbear to
allow the use of Ed25519 keys and other OpenSSH-specific
functionality. Host keys must now be in the OpenSSH format, and at
least one pre-generated key must be specified.
</para>
<para>
If you used the <option>boot.initrd.network.ssh.host*Key</option>
options, you'll get an error explaining how to convert your host
keys and migrate to the new
<option>boot.initrd.network.ssh.hostKeys</option> option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the <option>hostKeys</option> option
documentation for instructions.
</para>
</listitem>
</itemizedlist>
</section>
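Review bot: the second paragraph refers to "the <option>hostKeys</option> option documentation" while the sentence before it uses the fully qualified <option>boot.initrd.network.ssh.hostKeys</option>; release notes are read out of context, so use the qualified name in both places. It would also help migrating users to say in the first paragraph which options are being replaced (the hostRSAKey/hostDSSKey/hostECDSAKey trio) rather than only the `host*Key` glob in the second.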

@@ -155,7 +155,7 @@ in {

systemd.services.alertmanager = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
after = [ "network-online.target" ];
preStart = ''
${lib.getBin pkgs.envsubst}/bin/envsubst -o "/tmp/alert-manager-substituted.yaml" \
-i "${alertmanagerYml}"
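Review bot: `after = [ "network-online.target" ];` on its own does not make the unit wait for the network. network-online.target is a passive target that is only activated when some unit wants it, so unless something else on the host pulls it in, the ordering dependency is satisfied trivially and alertmanager still starts before addresses are assigned. Add `wants = [ "network-online.target" ];` next to the `after` line so the fix in the commit message actually takes effect.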
178 changes: 124 additions & 54 deletions nixos/modules/system/boot/initrd-ssh.nix
@@ -10,123 +10,193 @@ in

{

options = {

boot.initrd.network.ssh.enable = mkOption {
options.boot.initrd.network.ssh = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Start SSH service during initrd boot. It can be used to debug failing
boot on a remote server, enter pasphrase for an encrypted partition etc.
Service is killed when stage-1 boot is finished.
The sshd configuration is largely inherited from
<option>services.openssh</option>.
'';
};

boot.initrd.network.ssh.port = mkOption {
port = mkOption {
type = types.int;
default = 22;
description = ''
Port on which SSH initrd service should listen.
'';
};

boot.initrd.network.ssh.shell = mkOption {
shell = mkOption {
type = types.str;
default = "/bin/ash";
description = ''
Login shell of the remote user. Can be used to limit actions user can do.
'';
};

boot.initrd.network.ssh.hostRSAKey = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
RSA SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};

boot.initrd.network.ssh.hostDSSKey = mkOption {
type = types.nullOr types.path;
default = null;
hostKeys = mkOption {
type = types.listOf (types.either types.str types.path);
default = [];
example = [
"/etc/secrets/initrd/ssh_host_rsa_key"
"/etc/secrets/initrd/ssh_host_ed25519_key"
];
description = ''
DSS SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
Specify SSH host keys to import into the initrd.
To generate keys, use
<citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
<screen>
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
</screen>
<warning>
<para>
Unless your bootloader supports initrd secrets, these keys
are stored insecurely in the global Nix store. Do NOT use
your regular SSH host private keys for this purpose or
you'll expose them to regular users!
</para>
<para>
Additionally, even if your initrd supports secrets, if
you're using initrd SSH to unlock an encrypted disk then
using your regular host keys exposes the private keys on
your unencrypted boot partition.
</para>
</warning>
'';
};

boot.initrd.network.ssh.hostECDSAKey = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
ECDSA SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};

boot.initrd.network.ssh.authorizedKeys = mkOption {
authorizedKeys = mkOption {
type = types.listOf types.str;
default = config.users.users.root.openssh.authorizedKeys.keys;
defaultText = "config.users.users.root.openssh.authorizedKeys.keys";
description = ''
Authorized keys for the root user on initrd.
Note that Dropbear doesn't support OpenSSH's Ed25519 key type.
'';
};

};

config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
imports =
map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
The initrd SSH functionality now uses OpenSSH rather than Dropbear.
If you want to keep your existing initrd SSH host keys, convert them with
$ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
and then set options.boot.initrd.network.ssh.hostKeys.
'') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];

config = let
# Nix complains if you include a store hash in initrd path names, so
# as an awful hack we drop the first character of the hash.
initrdKeyPath = path: if isString path
then path
else let name = builtins.baseNameOf path; in
builtins.unsafeDiscardStringContext ("/etc/ssh/" +
substring 1 (stringLength name) name);

sshdCfg = config.services.openssh;

sshdConfig = ''
Port ${toString cfg.port}
PasswordAuthentication no
ChallengeResponseAuthentication no
${flip concatMapStrings cfg.hostKeys (path: ''
HostKey ${initrdKeyPath path}
'')}
KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
Ciphers ${concatStringsSep "," sshdCfg.ciphers}
MACs ${concatStringsSep "," sshdCfg.macs}
LogLevel ${sshdCfg.logLevel}
${if sshdCfg.useDns then ''
UseDNS yes
'' else ''
UseDNS no
''}
'';
in mkIf (config.boot.initrd.network.enable && cfg.enable) {
assertions = [
{ assertion = cfg.authorizedKeys != [];
{
assertion = cfg.authorizedKeys != [];
message = "You should specify at least one authorized key for initrd SSH";
}

{
assertion = cfg.hostKeys != [];
message = ''
You must now pre-generate the host keys for initrd SSH.
See the boot.inird.network.ssh.hostKeys documentation
for instructions.
'';
}
];

boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
copy_bin_and_libs ${pkgs.openssh}/bin/sshd
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
'';

boot.initrd.extraUtilsCommandsTest = ''
$out/bin/dropbear -V
# sshd requires a host key to check config, so we pass in the test's
echo -n ${escapeShellArg sshdConfig} |
$out/bin/sshd -t -f /dev/stdin \
-h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}
'';

boot.initrd.network.postCommands = ''
echo '${cfg.shell}' > /etc/shells
echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
echo 'passwd: files' > /etc/nsswitch.conf
mkdir -p /var/log
mkdir -p /var/log /var/empty
touch /var/log/lastlog
mkdir -p /etc/dropbear
mkdir -p /etc/ssh
echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config
echo "export PATH=$PATH" >> /etc/profile
echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile
mkdir -p /root/.ssh
${concatStrings (map (key: ''
echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
'') cfg.authorizedKeys)}
dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"}
${flip concatMapStrings cfg.hostKeys (path: ''
# keys from Nix store are world-readable, which sshd doesn't like
chmod 0600 "${initrdKeyPath path}"
'')}
/bin/sshd -e
'';

boot.initrd.secrets =
(optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
(optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
(optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
boot.initrd.postMountCommands = ''
# Stop sshd cleanly before stage 2.
#
# If you want to keep it around to debug post-mount SSH issues,
# run `touch /.keep_sshd` (either from an SSH session or in
# another initrd hook like preDeviceCommands).
if ! [ -e /.keep_sshd ]; then
pkill -x sshd
fi
'';

boot.initrd.secrets = listToAttrs
(map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
};

}
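Review bot: three user-facing strings in this hunk contain mistakes that would send people down the wrong path. The `<screen>` example in the `hostKeys` description writes `ssh_host_ed_25519_key` (extra underscore), while the `example` list just above and the test fixture use `ssh_host_ed25519_key`; the second assertion's message says `boot.inird.network.ssh.hostKeys`; and the mkRemovedOptionModule text tells users to set `options.boot.initrd.network.ssh.hostKeys`, but in a NixOS configuration the path is `boot.initrd.network.ssh.hostKeys`. On the security side, the `chmod 0600` in postCommands only tightens the copy inside the running initrd; a key given as a store path is still world-readable in /nix/store, so the `<warning>` in the option description remains the real mitigation and is worth keeping as prominent as it is here.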
5 changes: 4 additions & 1 deletion nixos/modules/system/boot/stage-1.nix
@@ -142,7 +142,10 @@ let
let source' = if source == null then dest else source; in
''
mkdir -p $(dirname "$out/secrets/${dest}")
cp -a ${source'} "$out/secrets/${dest}"
# Some programs (e.g. ssh) doesn't like secrets to be
# symlinks, so we use `cp -L` here to match the
# behaviour when secrets are natively supported.
cp -Lr ${source'} "$out/secrets/${dest}"
''
) config.boot.initrd.secrets))
}
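Review bot: replacing `cp -a` with `cp -Lr` drops `-p`, so copied secrets no longer keep the source file's mode, ownership and timestamps. That is harmless for the initrd SSH host keys because initrd-ssh.nix chmods them to 0600 afterwards, but any other consumer of boot.initrd.secrets that relied on mode preservation changes behaviour silently; `cp -Lrp` keeps the symlink-dereferencing fix without that side effect. Minor: the new comment should read "Some programs (e.g. ssh) don't like secrets to be symlinks".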
22 changes: 16 additions & 6 deletions nixos/tests/initrd-network-ssh/default.nix
@@ -3,7 +3,7 @@ import ../make-test-python.nix ({ lib, ... }:
{
name = "initrd-network-ssh";
meta = with lib.maintainers; {
maintainers = [ willibutz ];
maintainers = [ willibutz emily ];
};

nodes = with lib; {
@@ -17,9 +17,9 @@ import ../make-test-python.nix ({ lib, ... }:
enable = true;
ssh = {
enable = true;
authorizedKeys = [ "${readFile ./openssh.pub}" ];
authorizedKeys = [ (readFile ./id_ed25519.pub) ];
port = 22;
hostRSAKey = ./dropbear.priv;
hostKeys = [ ./ssh_host_ed25519_key ];
};
};
boot.initrd.preLVMCommands = ''
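Review bot: `readFile ./id_ed25519.pub` returns the file contents including the trailing newline, so the authorized key is written to /root/.ssh/authorized_keys with an empty line after it. sshd tolerates that, but `lib.fileContents ./id_ed25519.pub` strips the newline and avoids the stray entry.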
@@ -42,11 +42,11 @@ import ../make-test-python.nix ({ lib, ... }:
"${toString (head (splitString " " (
toString (elemAt (splitString "\n" config.networking.extraHosts) 2)
)))} "
"${readFile ./dropbear.pub}"
"${readFile ./ssh_host_ed25519_key.pub}"
];
};
sshKey = {
source = ./openssh.priv; # dont use this anywhere else
source = ./id_ed25519;
mode = "0600";
};
};
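Review bot: the rename from `./openssh.priv` to `./id_ed25519` drops the `# dont use this anywhere else` comment. Since the client private key is now committed to the repository in plaintext (see the id_ed25519 file added below in this diff), that warning is more relevant than before, not less; keep it on the `source = ./id_ed25519;` line.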
@@ -56,7 +56,17 @@ import ../make-test-python.nix ({ lib, ... }:
testScript = ''
start_all()
client.wait_for_unit("network.target")
client.wait_until_succeeds("ping -c 1 server")
def ssh_is_up(_) -> bool:
status, _ = client.execute("nc -z server 22")
return status == 0
with client.nested("waiting for SSH server to come up"):
retry(ssh_is_up)
client.succeed(
"ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"
)
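Review bot: the `ssh` call depends on ssh's default StrictHostKeyChecking policy; adding `-o StrictHostKeyChecking=yes` makes explicit that the test pins the initrd host key through /etc/knownHosts and fails clearly if the key served by the initrd ever diverges from ssh_host_ed25519_key.pub. Also, `nc -z server 22` hardcodes the port that the node configuration sets via `port = 22`; a short comment tying the two together would prevent them drifting apart.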
Binary file removed nixos/tests/initrd-network-ssh/dropbear.priv
1 change: 0 additions & 1 deletion nixos/tests/initrd-network-ssh/dropbear.pub

This file was deleted.

8 changes: 3 additions & 5 deletions nixos/tests/initrd-network-ssh/generate-keys.nix
@@ -1,12 +1,10 @@
with import ../../.. {};

runCommand "gen-keys" {
buildInputs = [ dropbear openssh ];
buildInputs = [ openssh ];
}
''
mkdir $out
dropbearkey -t rsa -f $out/dropbear.priv -s 4096 | sed -n 2p > $out/dropbear.pub
ssh-keygen -q -t rsa -b 4096 -N "" -f client
mv client $out/openssh.priv
mv client.pub $out/openssh.pub
ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
ssh-keygen -q -t ed25519 -N "" -f $out/id_ed25519
''
7 changes: 7 additions & 0 deletions nixos/tests/initrd-network-ssh/id_ed25519
@@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAVcX+32Yqig25RxRA8bel/f604wV0p/63um+Oku/3vfwAAAJi/AJZMvwCW
TAAAAAtzc2gtZWQyNTUxOQAAACAVcX+32Yqig25RxRA8bel/f604wV0p/63um+Oku/3vfw
AAAEAPLjQusjrB90Lk3996G3AbtTeK+XweNgxaegYnml/A/RVxf7fZiqKDblHFEDxt6X9/
rTjBXSn/re6b46S7/e9/AAAAEG5peGJsZEBsb2NhbGhvc3QBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
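Review bot: this adds an unencrypted private key to the repository. That is acceptable for a throwaway test fixture that only ever authenticates inside the VM test, but nothing in the file name or the test directory says so; a one-line note in generate-keys.nix (or a README next to the keys) stating that these keys are test-only and must never be reused would stop them being copied elsewhere.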
1 change: 1 addition & 0 deletions nixos/tests/initrd-network-ssh/id_ed25519.pub
@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVxf7fZiqKDblHFEDxt6X9/rTjBXSn/re6b46S7/e9/ nixbld@localhost