chore: remove openssh for now

2024-11-17 20:45:09 +01:00 · 2024-11-17 20:45:09 +01:00 · fa55edf0de
commit fa55edf0de
parent 902c3eddf3
9 changed files with 0 additions and 111 deletions
--- a/flake.nix
+++ b/flake.nix
@ -74,7 +74,6 @@
      };

      checks.${system} = {
-        ssh-preseed = import ./tests/ssh-preseed.nix { inherit pkgs self; };
        podman = import ./tests/podman.nix { inherit pkgs self; };
        system-update = import ./tests/system-update.nix { inherit pkgs self; };
      };
--- a/modules/image/builder.nix
+++ b/modules/image/builder.nix
@ -76,9 +76,6 @@ let
      contents = {
        "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
        "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
-        "/default-ssh-authorized-keys.txt" = lib.mkIf config.system.image.sshKeys.enable {
-          source = pkgs.writeText "ssh-keys" (lib.concatStringsSep "\n" config.system.image.sshKeys.keys);
-        };
      };
      repartConfig = {
        Type = "esp";
--- a/modules/image/default.nix
+++ b/modules/image/default.nix
@ -8,7 +8,6 @@

  imports = [
    ./updater.nix
-    ./ssh.nix
    ./builder.nix
    ./veritysetup.nix
  ];
@ -127,14 +126,6 @@
    "nls_iso8859-1"
  ];

-  # Store SSH host keys on /var/lib/ssh since /etc is read-only
-  services.openssh.hostKeys = [
-    {
-      path = "/var/lib/ssh/ssh_host_ed25519_key";
-      type = "ed25519";
-    }
-  ];
-
  environment.etc."machine-id" = {
    text = "";
    mode = "0755";
--- a/modules/image/ssh.nix
+++ b/modules/image/ssh.nix
@ -1,40 +0,0 @@
-{ config, lib, ... }:
-{
-  options.system.image.sshKeys = {
-    enable = lib.mkEnableOption "provisioning of default SSH keys from ESP";
-    keys = lib.mkOption {
-      type = lib.types.listOf lib.types.singleLineStr;
-      default = [ ];
-    };
-  };
-
-  config = lib.mkIf config.system.image.sshKeys.enable {
-
-    assertions = [
-      {
-        assertion = config.services.openssh.enable;
-        message = "OpenSSH must be enabled to preseed authorized keys";
-      }
-    ];
-
-    systemd.services."default-ssh-keys" = {
-      script = ''
-        mkdir -p /var/home/admin/.ssh/
-        cat /efi/default-ssh-authorized-keys.txt >> /var/home/admin/.ssh/authorized_keys
-      '';
-      wantedBy = [
-        "sshd.service"
-        "sshd.socket"
-      ];
-      unitConfig = {
-        ConditionPathExists = [
-          "/var/home/admin"
-          "!/var/home/admin/.ssh/authorized_keys"
-          "/efi/default-ssh-authorized-keys.txt"
-        ];
-      };
-    };
-
-  };
-
-}
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -45,9 +45,6 @@
  # FIXME: fstrim should only be enabled for virtual machine images?
  services.fstrim.enable = true;

-
-  services.openssh.settings.PasswordAuthentication = lib.mkDefault false;
-
  users.allowNoPasswordLogin = true;
  users.users.root.home = lib.mkForce "/";

--- a/modules/profiles/devel.nix
+++ b/modules/profiles/devel.nix
@ -36,14 +36,4 @@
  };

  services.getty.autologinUser = "admin";
-
-  services.openssh.enable = true;
-  system.image.sshKeys.enable = true;
-  system.image.sshKeys.keys = [
-    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIHMAEZx02kbHrEygyPQYStiXlrIe6EIqBCv7anIkL0pAAAABHNzaDo= dln1"
-    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJNOBFoU7Cdsgi4KpYRcv7EhR/8kD4DYjEZnwk6urRx7AAAABHNzaDo= dln2"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDx+7ZEJi7lUCAtoHRRIduJzH3hrpx4YS1f0ZxrJ+uW dln3"
-    "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBLpoKvsZDIQQLfgzJhe1jAQubBNxjydkj8UfdUPaSXqgfB02OypMOC1m5ZuJYcQIxox0I+4Z8xstFhYP6s8zKZwAAAAEc3NoOg== lsjostro1"
-    "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBJ10mLOpInoqDaySyrxbzvcOrJfLw48Y6eWHa9501lw+hEEBXya3ib7nlvpCqEQJ8aPU5fVRqpkOW5zSimCiRbwAAAAEc3NoOg== lsjostro2"
-  ];
 }
--- a/modules/profiles/server.nix
+++ b/modules/profiles/server.nix
@ -14,6 +14,5 @@
    "quiet"
  ];

-
  virtualisation.podman.enable = true;
 }
--- a/pkgs/openssh.nix
+++ b/pkgs/openssh.nix
@ -1,7 +0,0 @@
-{ prev, ... }:
-
-prev.openssh.overrideAttrs (final: prev: {
-  doCheck = false;
-  doInstallCheck = false;
-  dontCheck = true;
-})
--- a/tests/ssh-preseed.nix
+++ b/tests/ssh-preseed.nix
@ -1,37 +0,0 @@
-{ pkgs, self }:
-let
-  lib = pkgs.lib;
-  test-common = import ./common.nix { inherit self lib pkgs; };
-  sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
-
-  image = test-common.makeImage {
-    system.image.sshKeys.keys = [ sshKeys.snakeOilPublicKey ];
-    system.extraDependencies = [ sshKeys.snakeOilPrivateKey ];
-  };
-
-in
-test-common.makeImageTest {
-  name = "ssh-preseed";
-  inherit image;
-  script = ''
-    start_tpm()
-    machine.start()
-
-    machine.wait_for_unit("multi-user.target")
-
-    machine.succeed("[ -e /efi/default-ssh-authorized-keys.txt ]")
-    machine.succeed("[ -e /var/home/admin/.ssh/authorized_keys ]")
-
-    machine.wait_for_open_port(22)
-
-    machine.succeed(
-        "cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil"
-    )
-    machine.succeed("chmod 600 privkey.snakeoil")
-
-    machine.succeed(
-      "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil admin@127.0.0.1 true",
-      timeout=30
-    )
-  '';
-}