
Make it possible to use Nixops without automatic SSH key provisioning #1247

Merged
merged 3 commits into NixOS:master from adisbladis:no-ssh-key-provision on May 15, 2020

Conversation

@adisbladis
Member

adisbladis commented Mar 10, 2020

No description provided.

@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from 897f04b to 7060b92 Mar 10, 2020
@adisbladis adisbladis changed the title Make it possible to use Nixops automatic SSH key provisioning Make it possible to use Nixops without automatic SSH key provisioning Mar 10, 2020
@adisbladis adisbladis changed the title Make it possible to use Nixops without automatic SSH key provisioning WIP: Make it possible to use Nixops without automatic SSH key provisioning Mar 10, 2020
Member

grahamc left a comment

Looking pretty cool so far :)

You and I were talking about this a few days ago, and this is what I wrote up then. I wonder if there is a way to author this PR in a way to build out support for the other use cases?

example use cases we might want...

what we do now, but more explicit:

```nix
{
  defaults = { resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.management-key;
  };
  resources.sshKeyPairs.management-key = {};
}
```

create an SSH key per machine, automatically:

```nix
{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs."${machine_uuid}"; # implicitly create an SSH key per host
  };
}
```

use a yubikey or other PKCS11-compatible device for SSH:

```nix
{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.adams-yubikey;
  };
  resources.sshKeyPairs.adams-yubikey = {
    provider = "pkcs11";
    keyId = "abc123";
  };
}
```

get an automatically provisioned SSH key from Vault:

```nix
{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.vault-deploykey;
  };
  resources.sshKeyPairs.vault-deploykey = {
    provider = "vault";
    server = "https://127.0.0.1:8200";
    secretEngine = "ssh-keys";
    role = "nixops-deploy";
  };
}
```

use your SSH agent, with a defined SSH public key for provisioning:

```nix
{
  defaults = { machine_uuid, resources, ... }: {
    deployment.sshKey = resources.sshKeyPairs.agent;
  };
  resources.sshKeyPairs.agent = {
    provider = "ssh-agent";
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUy2CGT6P3q2kApZEuyCHsuCruwdRzeWMdQe/WjdCak grahamc@Petunia"; # needed to copy to the target during provisioning
  };
}
```
@adisbladis adisbladis closed this Mar 11, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from 7060b92 to b4c38df Mar 11, 2020
@adisbladis adisbladis reopened this Mar 11, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from db4546b to aa91367 Mar 11, 2020
@adisbladis
Member Author

adisbladis commented Mar 11, 2020

> You and I were talking about this a few days ago, and this is what I wrote up then. I wonder if there is a way to author this PR in a way to build out support for the other use cases?

I actually think we end up with more flexibility by not supporting each use case explicitly.
I think the most reasonable and flexible approach is to leave the specifics of authentication up to the user.

By doing this we automatically support most use cases that support an SSH agent.
PKCS11 is supported natively by OpenSSH too, so that's supported with this approach already.

I don't know about using Vault, that may require explicit support from Nixops.

@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from aa91367 to 03a9e0d Mar 11, 2020
@adisbladis adisbladis changed the title WIP: Make it possible to use Nixops without automatic SSH key provisioning Make it possible to use Nixops without automatic SSH key provisioning Mar 11, 2020
@tomberek
Contributor

tomberek commented Mar 12, 2020

There is some overlap between this and #1048 #1054. A cohesive solution would be great.

@nixos-discourse

nixos-discourse commented Apr 1, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update/6525/1

@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from 03a9e0d to f703400 Apr 14, 2020
@adisbladis
Member Author

adisbladis commented Apr 14, 2020

Rebased on latest master


chreekat left a comment

Looking forward to this!

@chreekat

chreekat commented Apr 19, 2020

> I actually think we end up with more flexibility by not supporting each use case explicitly.
> I think the most reasonable and flexible approach is to leave the specifics of authentication up to the user.

While working on a similar problem recently, I realized that accepting and/or generating an entire openssh config file is a really flexible option! In my utility, I was able to clean up all my ssh invocations this way (simply ssh -F $config_file).

(This is not a recommendation for this PR, just a note!)

@adisbladis
Member Author

adisbladis commented Apr 19, 2020

> While working on a similar problem recently, I realized that accepting and/or generating an entire openssh config file is a really flexible option!

This has been somewhat addressed in #1270 with the addition of sshOptions.
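As an added example (not NixOps code and not from any participant in this thread), this Python script shows the approach chreekat describes together with adisbladis's point that agent and PKCS11 authentication come for free from OpenSSH: it renders a per-deployment ssh_config in which the operator chooses the key source per host, pins host keys to a deployment-owned known_hosts file, and builds the matching ssh -F command line. All host names, addresses and file paths are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HostAuth:
    """Per-host authentication choice; the operator, not the tool, owns the keys."""
    hostname: str
    user: str = "root"
    identity_file: Optional[str] = None    # explicit private key on disk
    pkcs11_provider: Optional[str] = None  # shared library for a hardware token
    use_agent: bool = False                # use whatever the running ssh-agent holds


def render_ssh_config(hosts: Dict[str, HostAuth], known_hosts: str) -> str:
    """Render an ssh_config with one Host block per deployment machine.

    Host keys are pinned to a deployment-owned known_hosts file with strict
    checking, so a first connection never silently trusts an unknown server key.
    """
    lines: List[str] = []
    for name, auth in sorted(hosts.items()):
        if not (auth.identity_file or auth.pkcs11_provider or auth.use_agent):
            raise ValueError(f"{name}: no authentication method configured")
        lines += [f"Host {name}", f"  HostName {auth.hostname}", f"  User {auth.user}",
                  f"  UserKnownHostsFile {known_hosts}", "  StrictHostKeyChecking yes"]
        if auth.identity_file:
            # Offer only this key: stops ssh from trying every agent key first.
            lines += [f"  IdentityFile {auth.identity_file}", "  IdentitiesOnly yes"]
        if auth.pkcs11_provider:
            lines.append(f"  PKCS11Provider {auth.pkcs11_provider}")
        lines.append("")
    return "\n".join(lines)


def ssh_argv(config_path: str, name: str, remote_cmd: List[str]) -> List[str]:
    """argv for `ssh -F <config> <host> <cmd>`; per-host choices stay in the file."""
    return ["ssh", "-F", config_path, name, *remote_cmd]


# Constructed sample deployment: addresses, paths and names are made up.
SAMPLE_HOSTS = {
    "web1": HostAuth("203.0.113.10", identity_file="/srv/deploy/keys/web1_ed25519"),
    "db1": HostAuth("203.0.113.11", pkcs11_provider="/usr/lib/opensc-pkcs11.so"),
    "ci": HostAuth("203.0.113.12", user="deploy", use_agent=True),
}

if __name__ == "__main__":
    print(render_ssh_config(SAMPLE_HOSTS, "/srv/deploy/known_hosts"))
    print(" ".join(ssh_argv("/srv/deploy/ssh_config", "web1", ["uptime"])))
```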

@grahamc grahamc added this to the 2.0 milestone Apr 20, 2020
@grahamc grahamc added this to In progress in kanban Apr 23, 2020
@grahamc grahamc moved this from In progress to To do in kanban Apr 23, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch 2 times, most recently from 1fcaaef to cf6069e Apr 23, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch 2 times, most recently from 1083a18 to b28fcb9 May 1, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch 3 times, most recently from 679d98f to 5e7d3a9 May 14, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from 5e7d3a9 to 600d036 May 15, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from 60bd470 to a58a7b1 May 15, 2020
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from a58a7b1 to f2f50af May 15, 2020
adisbladis added 2 commits Mar 10, 2020
This line has been a constant source of annoyance when adding/removing
options.
This may look ugly but optimises for "diffability".
@adisbladis adisbladis force-pushed the adisbladis:no-ssh-key-provision branch from f2f50af to a8e70ee May 15, 2020
Member

grahamc left a comment

lgtm!

@adisbladis adisbladis merged commit 3bdc020 into NixOS:master May 15, 2020
10 checks passed: parsing, build, black, mypy, flake8, mypy-ratchet, coverage, docs, poetry-up-to-date, docs/readthedocs.org:nixops (Read the Docs build succeeded)
kanban automation moved this from To do to Done May 15, 2020