fix operator authorized keys setup

This fixes these flaws in `copy-root-authorized-keys`:
- When `.vbox-nixops-client-key` is missing, the operator's authorized_keys
  file is appended to on every service run, so it grows indefinitely.
- The service is always added instead of being restricted to nixops-vbox deployments.
This commit is contained in:
Erik Arvstedt 2020-04-08 21:51:31 +02:00
parent 37b2faf63c
commit 145961c2de
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
1 changed files with 9 additions and 21 deletions


@ -115,7 +115,7 @@ in {
nix-bitcoin.nodeinfo nix-bitcoin.nodeinfo
]; ];
# Create user operator which can use bitcoin-cli and lightning-cli # Create user 'operator' which can access the node's services
users.users.operator = { users.users.operator = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ cfg.bitcoind.group ] extraGroups = [ cfg.bitcoind.group ]
@ -124,6 +124,7 @@ in {
++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ]) ++ (optionals cfg.liquidd.enable [ cfg.liquidd.group ])
++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor) ++ (optionals (cfg.hardware-wallets.ledger || cfg.hardware-wallets.trezor)
[ cfg.hardware-wallets.group ]); [ cfg.hardware-wallets.group ]);
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
}; };
# Give operator access to onion hostnames # Give operator access to onion hostnames
services.onion-chef.enable = true; services.onion-chef.enable = true;
@ -139,25 +140,12 @@ in {
operator ALL=(lnd) NOPASSWD: ALL operator ALL=(lnd) NOPASSWD: ALL
''); '');
# Give root ssh access to the operator account # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
# FIXME: move this to deployment/nixops.nix after merging PR 'nix-bitcoin-as-module' systemd.services.get-vbox-nixops-client-key =
systemd.services.copy-root-authorized-keys = { mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
description = "Copy root authorized keys"; postStart = ''
wantedBy = [ "multi-user.target" ]; cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.operator.home}"
serviceConfig.type = "oneshot"; '';
script = let };
operator = config.users.users.operator.home;
root = config.users.users.root.home;
in ''
mkdir -p ${operator}/.ssh
if [[ -e "${root}/.vbox-nixops-client-key" ]]; then
cp ${root}/.vbox-nixops-client-key ${operator}/.ssh/authorized_keys
fi
if [[ -e "/etc/ssh/authorized_keys.d/root" ]]; then
cat /etc/ssh/authorized_keys.d/root >> ${operator}/.ssh/authorized_keys
fi
chown -R operator ${operator}/.ssh
'';
};
}; };
} }
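Review bot: The new `postStart` in the last hunk copies the key with a plain `cp`, whereas the removed script ended with `chown -R operator`, so the file left in the operator's home is root-owned with whatever mode the source file has; sshd opens a per-user `authorizedKeysFiles` entry with that user's privileges, so if `/root/.vbox-nixops-client-key` is not world-readable the key is unusable for the operator login. Replacing the copy with `install -o operator -m 0644 "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.operator.home}/.vbox-nixops-client-key"` pins both owner and mode regardless of how the source was written. The unit sets neither `wantedBy` nor `script`, so it presumably only extends a `get-vbox-nixops-client-key` unit defined elsewhere (the nixops VirtualBox backend, going by the name and the `authorizedKeysFiles` test); a comment such as `# Extends the get-vbox-nixops-client-key unit that the nixops VirtualBox backend defines` would save the next reader from concluding the unit is never started. If that unit were absent while the `authorizedKeysFiles` entry is present, the `mkIf` would still emit a unit with only an ExecStartPost, which systemd would likely refuse to load, so that precondition belongs in the same comment.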