@hmenke hmenke commented May 1, 2021

Fixes #80 properly.

Depends on systemd 247 in NixOS 21.05.

@hmenke hmenke force-pushed the systemd-credentials branch from d638560 to 3c44211 Compare May 1, 2021 20:18
@danielfullmer
Collaborator

nixos/attestation-server/test.nix would fail with:

the string 'emailPassword:/nix/store/p4bgm05dvi71slw4qmfrxvdissfdvbg1-fake-password' is not allowed to refer to a store path (such as '!out!/nix/store/rycvccbacq114ds4dzpsi7h3clid549l-fake-password.drv')

Caused by https://github.com/danielfullmer/robotnix/blob/bdb085a460a83c79c50a00af72b961cb982d53dc/nixos/attestation-server/test.nix#L21
Should be possible to work around by writing to a temporary fake-password file outside of the nix store before starting the service, instead of using pkgs.writeText.

Although I think we'll delay merging this change until NixOS 21.05 is released (luckily not too long).

@hmenke hmenke force-pushed the systemd-credentials branch from 3c44211 to 63f6adf Compare May 2, 2021 11:37
@hmenke
Contributor Author

hmenke commented May 2, 2021

> Should be possible to work around by writing to a temporary fake-password file outside of the nix store before starting the service, instead of using pkgs.writeText.

I think this just happened because of lib."..." which tried to use a store path to index an attrset and keys have to be context-free.

> Although I think we'll delay merging this change until NixOS 21.05 is released (luckily not too long).

NixOS 21.05 is a hard requirement, because LoadCredential needs systemd 247. I just opened this so I don't forget about it when the time comes.

@danielfullmer
Collaborator

> I think this just happened because of lib."..." which tried to use a store path to index an attrset and keys have to be context-free.

Makes sense. I was overthinking it and assuming that NixOS had some extra logic to ensure that publicly-readable secrets wouldn't end up in the LoadCredential option. But then I also forgot that we're pinned at 20.09, so even if that logic was added in 21.05, we wouldn't have it here.

@hmenke hmenke force-pushed the systemd-credentials branch from 63f6adf to bd29779 Compare June 8, 2021 14:37
@hmenke
Contributor Author

hmenke commented Jun 8, 2021

I just ran the test on NixOS 21.05 but I get this weird failure:

Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or directory

"('emailLocal', '${if local then "1" else "0"}')"
];
in lib.optionals (passwordFile != null) [
# Note the leading + on the first command. The passwordFile could be
Collaborator

We can remove this comment as well

@danielfullmer
Collaborator

> I just ran the test on NixOS 21.05 but I get this weird failure:
>
> Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or directory

I can reproduce that issue as well with 21.05. There's this issue, which looks related, as well as a fix for it in systemd 248 (not in NixOS 21.05).

@hmenke hmenke force-pushed the systemd-credentials branch from bd29779 to 3fcf9cf Compare December 5, 2021 16:47
Development

Successfully merging this pull request may close these issues.

attestation-server fails on first boot
