Remove support for encrypted links

If someone still wants to use this implementation it can be split into a plugin.
adisbladis · Mar 31, 2020 · de59e48 · de59e48
1 parent bc22d7d
commit de59e48
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 227 deletions.
diff --git a/doc/manual/introduction.xml b/doc/manual/introduction.xml
@@ -50,9 +50,7 @@ several nice properties:</para>
   a local “physical” machine, another to an automatically instantiated
   Amazon EC2 instance in the <literal>eu-west-1</literal> region,
   another in the <literal>us-east-1</literal> region, and so on.
-  NixOps arranges the necessary network configuration to ensure that
-  these machines can communicate securely with each other (e.g. by
-  setting up encrypted tunnels).</para></listitem>
+  </para></listitem>
 
   <listitem><para>It supports <emphasis>separation of “logical” and
   “physical” aspects</emphasis> of a deployment.  NixOps

diff --git a/nix/eval-machine-info.nix b/nix/eval-machine-info.nix
@@ -118,7 +118,7 @@ rec {
     machines =
       flip mapAttrs nodes (n: v': let v = scrubOptionValue v'; in
       foldr (a: b: a // b)
-        { inherit (v.config.deployment) targetEnv targetPort targetHost encryptedLinksTo storeKeysOnMachine alwaysActivate owners keys hasFastConnection;
+        { inherit (v.config.deployment) targetEnv targetPort targetHost storeKeysOnMachine alwaysActivate owners keys hasFastConnection;
           nixosRelease = v.config.system.nixos.release or v.config.system.nixosRelease or (removeSuffix v.config.system.nixosVersionSuffix v.config.system.nixosVersion);
           publicIPv4 = v.config.networking.publicIPv4;
         }

diff --git a/nix/options.nix b/nix/options.nix
@@ -12,7 +12,6 @@ in
 
   imports =
     [
-      ./ssh-tunnel.nix
       ./auto-raid0.nix
       ./auto-luks.nix
       ./keys.nix
@@ -61,21 +60,6 @@ in
       '';
     };
 
-    deployment.encryptedLinksTo = mkOption {
-      default = [];
-      type = types.listOf types.str;
-      description = ''
-        NixOps will set up an encrypted tunnel (via SSH) to the
-        machines listed here.  Since this is a two-way (peer to peer)
-        connection, it is not necessary to set this option on both
-        endpoints.  NixOps will set up <filename>/etc/hosts</filename>
-        so that the host names of the machines listed here resolve to
-        the IP addresses of the tunnels.  It will also add the alias
-        <literal><replaceable>machine</replaceable>-encrypted</literal>
-        for each machine.
-      '';
-    };
-
     deployment.owners = mkOption {
       default = [];
       type = types.listOf types.str;

diff --git a/nix/ssh-tunnel.nix b/nix/ssh-tunnel.nix
diff --git a/nixops/backends/__init__.py b/nixops/backends/__init__.py
@@ -15,10 +15,6 @@ class MachineDefinition(nixops.resources.ResourceDefinition):
 
     def __init__(self, xml, config={}) -> None:
         nixops.resources.ResourceDefinition.__init__(self, xml, config)
-        self.encrypted_links_to: Set[str] = {
-            e.get("value")
-            for e in xml.findall("attrs/attr[@name='encryptedLinksTo']/list/string")
-        }
         self.store_keys_on_machine = (
             xml.find("attrs/attr[@name='storeKeysOnMachine']/bool").get("value")
             == "true"
@@ -438,31 +434,6 @@ def copy_closure_to(self, path):
             env=env,
         )
 
-    def generate_vpn_key(self):
-        key_missing = False
-        try:
-            self.run_command("test -f /root/.ssh/id_charon_vpn")
-        except nixops.ssh_util.SSHCommandFailed:
-            key_missing = True
-
-        if self.public_vpn_key and not key_missing:
-            return
-
-        (private, public) = nixops.util.create_key_pair(
-            key_name="NixOps VPN key of {0}".format(self.name)
-        )
-        f = open(self.depl.tempdir + "/id_vpn-" + self.name, "w+")
-        f.write(private)
-        f.seek(0)
-        res = self.run_command(
-            "umask 077 && mkdir -p /root/.ssh &&" " cat > /root/.ssh/id_charon_vpn",
-            check=False,
-            stdin=f,
-        )
-        if res != 0:
-            raise Exception("unable to upload VPN key to ‘{0}’".format(self.name))
-        self.public_vpn_key = public
-
     def get_scp_name(self):
         ssh_name = self.get_ssh_name()
         # ipv6 addresses have to be wrapped in brackets for scp

diff --git a/nixops/deployment.py b/nixops/deployment.py
@@ -617,72 +617,6 @@ def do_machine(m: nixops.backends.MachineState) -> None:
 
             attrs_list = attrs_per_resource[m.name]
 
-            # Emit configuration to realise encrypted peer-to-peer links.
-            for m2 in active_resources.values():
-                ip = m.address_to(m2)
-                if ip:
-                    hosts[m.name][ip] += [m2.name, m2.name + "-unencrypted"]
-
-            # Always use the encrypted/unencrypted suffixes for aliases rather
-            # than for the canonical name!
-            hosts[m.name]["127.0.0.1"].append(m.name + "-encrypted")
-
-            for m2_name in defn.encrypted_links_to:
-
-                if m2_name not in active_machines:
-                    raise Exception(
-                        "‘deployment.encryptedLinksTo’ in machine ‘{0}’ refers to an unknown machine ‘{1}’".format(
-                            m.name, m2_name
-                        )
-                    )
-                m2 = active_machines[m2_name]
-
-                # Don't create two tunnels between a pair of machines.
-                if (
-                    m.name
-                    in self._machine_definition_for_required(m2.name).encrypted_links_to
-                    and m.name >= m2.name
-                ):
-                    continue
-                local_ipv4 = index_to_private_ip(m.index)
-                remote_ipv4 = index_to_private_ip(m2.index)
-                local_tunnel = 10000 + m2.index
-                remote_tunnel = 10000 + m.index
-                attrs_list.append(
-                    {
-                        ("networking", "p2pTunnels", "ssh", m2.name): {
-                            "target": "{0}-unencrypted".format(m2.name),
-                            "targetPort": m2.ssh_port,
-                            "localTunnel": local_tunnel,
-                            "remoteTunnel": remote_tunnel,
-                            "localIPv4": local_ipv4,
-                            "remoteIPv4": remote_ipv4,
-                            "privateKey": "/root/.ssh/id_charon_vpn",
-                        }
-                    }
-                )
-
-                # FIXME: set up the authorized_key file such that ‘m’
-                # can do nothing more than create a tunnel.
-                if m.public_vpn_key:
-                    authorized_keys[m2.name].append(m.public_vpn_key)
-                kernel_modules[m.name].add("tun")
-                kernel_modules[m2.name].add("tun")
-                hosts[m.name][remote_ipv4] += [m2.name, m2.name + "-encrypted"]
-                hosts[m2.name][local_ipv4] += [m.name, m.name + "-encrypted"]
-                trusted_interfaces[m.name].add("tun" + str(local_tunnel))
-                trusted_interfaces[m2.name].add("tun" + str(remote_tunnel))
-
-            private_ipv4 = m.private_ipv4
-            if private_ipv4:
-                attrs_list.append({("networking", "privateIPv4"): private_ipv4})
-            public_ipv4 = m.public_ipv4
-            if public_ipv4:
-                attrs_list.append({("networking", "publicIPv4"): public_ipv4})
-            public_vpn_key = m.public_vpn_key
-            if public_vpn_key:
-                attrs_list.append({("networking", "vpnPublicKey"): public_vpn_key})
-
             # Set system.stateVersion if the Nixpkgs version supports it.
             nixos_version = nixops.util.parse_nixos_version(defn.config["nixosRelease"])
             if nixos_version >= ["15", "09"]:
@@ -762,11 +696,7 @@ def emit_resource(r: nixops.resources.ResourceState) -> Any:
                         config.append(
                             {
                                 ("services", "openssh", "knownHosts", m2.name): {
-                                    "hostNames": [
-                                        m2.name + "-unencrypted",
-                                        m2.name + "-encrypted",
-                                        m2.name,
-                                    ],
+                                    "hostNames": [m2.name,],
                                     "publicKey": m2.public_host_key,
                                 }
                             }
@@ -1367,7 +1297,6 @@ def worker(r: nixops.resources.ResourceState):
                                 m.warn("cannot determine NixOS version")
 
                         m.wait_for_ssh(check=check)
-                        m.generate_vpn_key()
 
                 except:
                     r._errored = True