GPG Key ID: B4C3BF012D9B26BE
19 changed files with
204 additions and
15 deletions
-
flake.nix
-
gathered/manager/ssh_host_ed25519_key.pub
-
gathered/node-00/ssh_host_ed25519_key.pub
-
machines.nix
-
machines/manager/cache.nix
-
machines/manager/default.nix
-
machines/manager/ldap.nix
-
machines/manager/netinstall.nix
-
machines/manager/network.nix
-
machines/manager/nfs.nix
-
machines/manager/users.nix
-
machines/node/default.nix
-
machines/node/users.nix
-
modules/default.nix
-
modules/hostFile.nix
-
patches/openssh-keysign-check-remove.patch
-
shared/default.nix
-
shared/ssh.nix
-
shared/users.nix
|
@ -69,6 +69,8 @@ |
|
|
let |
|
|
let |
|
|
pkgs = nixpkgs.legacyPackages.${system}; |
|
|
pkgs = nixpkgs.legacyPackages.${system}; |
|
|
|
|
|
|
|
|
|
|
|
colmena = inputs.colmena.defaultPackage.${system}; |
|
|
|
|
|
|
|
|
pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run { |
|
|
pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run { |
|
|
src = ./.; |
|
|
src = ./.; |
|
|
hooks = { |
|
|
hooks = { |
|
|
|
@ -0,0 +1 @@ |
|
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzkFbPeDhbSD7K+gJZ7peJYe36kyKKHsLnQWGTxJptq root@nixos |
|
@ -0,0 +1 @@ |
|
|
|
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos |
|
@ -5,6 +5,8 @@ let |
|
|
localSystem.system = "x86_64-linux"; |
|
|
localSystem.system = "x86_64-linux"; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
nrNodes = 1; |
|
|
|
|
|
|
|
|
in |
|
|
in |
|
|
with deploymentPkgs.lib; let |
|
|
with deploymentPkgs.lib; let |
|
|
|
|
|
|
|
@ -31,7 +33,8 @@ with deploymentPkgs.lib; let |
|
|
(i: nameValuePair |
|
|
(i: nameValuePair |
|
|
"node-${fixedWidthNumber 2 i}" |
|
|
"node-${fixedWidthNumber 2 i}" |
|
|
(mkMachine "node" { id = i; }) |
|
|
(mkMachine "node" { id = i; }) |
|
|
) 16)); |
|
|
|
|
|
|
|
|
) |
|
|
|
|
|
nrNodes)); |
|
|
|
|
|
|
|
|
in |
|
|
in |
|
|
{ |
|
|
{ |
|
|
|
@ -20,4 +20,8 @@ |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
hpc.hostFile.aliases = [ |
|
|
|
|
|
"cache.${config.networking.domain}" |
|
|
|
|
|
]; |
|
|
} |
|
|
} |
|
@ -10,6 +10,7 @@ with lib; |
|
|
./network.nix |
|
|
./network.nix |
|
|
./nfs.nix |
|
|
./nfs.nix |
|
|
./ldap.nix |
|
|
./ldap.nix |
|
|
|
|
|
./users.nix |
|
|
#./beegfs.nix |
|
|
#./beegfs.nix |
|
|
./ntp.nix |
|
|
./ntp.nix |
|
|
#./gateway.nix |
|
|
#./gateway.nix |
|
|
|
@ -50,4 +50,8 @@ in |
|
|
sops.secrets."ldap/root/password" = { |
|
|
sops.secrets."ldap/root/password" = { |
|
|
owner = "openldap"; |
|
|
owner = "openldap"; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
hpc.hostFile.aliases = [ |
|
|
|
|
|
"ldap.${config.networking.domain}" |
|
|
|
|
|
]; |
|
|
} |
|
|
} |
|
@ -26,4 +26,8 @@ |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
hpc.hostFile = [ |
|
|
|
|
|
"boot.${config.networking.domain}" |
|
|
|
|
|
]; |
|
|
} |
|
|
} |
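Review bot: `hpc.hostFile = [ "boot.${config.networking.domain}" ];` assigns a list to the whole `hpc.hostFile` option set, whereas modules/hostFile.nix in this same commit declares `addresses`, `canonical`, `aliases` and `entries` beneath it, so this should fail at evaluation (set vs. list) instead of adding an alias. The sibling changes in cache.nix and ldap.nix write `hpc.hostFile.aliases = [ ... ];`, and this line should match them: `hpc.hostFile.aliases = [`. The enclosing attribute set starts outside the hunk.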
|
@ -10,4 +10,8 @@ |
|
|
address = "10.32.30.1"; |
|
|
address = "10.32.30.1"; |
|
|
interface = "enp11s0f0"; |
|
|
interface = "enp11s0f0"; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
networking.firewall.trustedInterfaces = [ |
|
|
|
|
|
"enp11s0f0" |
|
|
|
|
|
]; |
|
|
} |
|
|
} |
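Review bot: `networking.firewall.trustedInterfaces = [ "enp11s0f0" ]` switches off all port filtering on the cluster-facing interface, so every service on the manager that binds to all addresses (LDAP, NFS, anything added later) is reachable from any host on that segment; if the segment carries only the cluster nodes that is a defensible choice, but `networking.firewall.interfaces."enp11s0f0".allowedTCPPorts` would expose just the ports the nodes actually use. The interface name also repeats the `interface = "enp11s0f0";` literal a few lines above; binding it once (`let iface = "enp11s0f0"; in`) keeps the two from drifting apart. The enclosing attribute set starts outside the hunk.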
|
@ -2,7 +2,7 @@ |
|
|
services.nfs.server = { |
|
|
services.nfs.server = { |
|
|
enable = true; |
|
|
enable = true; |
|
|
exports = '' |
|
|
exports = '' |
|
|
/home node*.${config.networking.domain}(rw) |
|
|
|
|
|
|
|
|
/home node-*.${config.networking.domain}(rw,no_root_squash) |
|
|
''; |
|
|
''; |
|
|
}; |
|
|
}; |
|
|
} |
|
|
} |
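Review bot: `no_root_squash` on the `/home` export makes root on any `node-*` host root over every user's home directory on the manager, so one compromised or misconfigured node exposes all home data; the default root squash would confine that to the node's own users. If root access is needed only for a specific task (creating home directories, for instance), consider keeping the squash here and doing that task on the manager, or at least record the reason next to the option, e.g. `# no_root_squash: <reason>`. The narrowed client pattern `node-*` is matched against the reverse lookup of the connecting node's address, so it only works while the nodes' PTR records resolve to those names.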
|
@ -0,0 +1,27 @@ |
|
|
|
|
|
{ pkgs, lib, config, ... }: |
|
|
|
|
|
|
|
|
|
|
|
with lib; |
|
|
|
|
|
|
|
|
|
|
|
{ |
|
|
|
|
|
programs.ssh = { |
|
|
|
|
|
package = pkgs.openssh.overrideAttrs (final: prev: { |
|
|
|
|
|
patches = prev.patches ++ [ |
|
|
|
|
|
../../patches/openssh-keysign-check-remove.patch |
|
|
|
|
|
]; |
|
|
|
|
|
}); |
|
|
|
|
|
|
|
|
|
|
|
extraConfig = '' |
|
|
|
|
|
EnableSSHKeysign yes |
|
|
|
|
|
|
|
|
|
|
|
Host node-*.${config.networking.domain} |
|
|
|
|
|
HostbasedAuthentication yes |
|
|
|
|
|
''; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
security.wrappers."ssh-keysign" = { |
|
|
|
|
|
source = "${pkgs.openssh}/libexec/ssh-keysign"; |
|
|
|
|
|
setuid = true; |
|
|
|
|
|
owner = "root"; |
|
|
|
|
|
group = "root"; |
|
|
|
|
|
}; |
|
|
|
|
|
} |
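Review bot: The patched client and the setuid helper come from two different derivations — `programs.ssh.package` is `pkgs.openssh` with `openssh-keysign-check-remove.patch` applied while the wrapper's `source` is plain `pkgs.openssh` — and nothing in this file says why the client needs patching at all. I cannot tell from this hunk which path the patched client executes for `ssh-keysign` once the existence check is gone, so confirm (e.g. `ssh -v` from the manager to a node) that the setuid copy under `/run/wrappers/bin` is what runs and not the non-setuid store binary. A comment above `package = ...` such as `# upstream ssh refuses hostbased auth unless ssh-keysign exists at its compile-time path; the setuid copy is installed via security.wrappers, so that check is patched out` would capture the intent for the next reader. Note that the wrapper is usable by every local account on the manager; that is how ssh-keysign is designed (it only signs session-bound data), but it does mean `HostbasedAuthentication yes` for `Host node-*` applies to all users, which is worth stating in the same comment.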
|
@ -8,6 +8,7 @@ with lib; |
|
|
./hardware.nix |
|
|
./hardware.nix |
|
|
./disk.nix |
|
|
./disk.nix |
|
|
./network.nix |
|
|
./network.nix |
|
|
|
|
|
./users.nix |
|
|
]; |
|
|
]; |
|
|
|
|
|
|
|
|
deployment = { |
|
|
deployment = { |
|
|
|
@ -1,16 +1,11 @@ |
|
|
{ |
|
|
|
|
|
users.ldap = { |
|
|
|
|
|
enable = true; |
|
|
|
|
|
|
|
|
|
|
|
server = "ldap://manager.hpc.informatik.hs-fulda.de/"; |
|
|
|
|
|
base = "dc=hpc,dc=informatik,dc=hs-fulda,dc=de"; |
|
|
|
|
|
|
|
|
|
|
|
daemon.enable = true; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
{ lib, config, nodes, ... }: |
|
|
|
|
|
|
|
|
|
|
|
with lib; |
|
|
|
|
|
|
|
|
filesystem."home" = { |
|
|
|
|
|
|
|
|
{ |
|
|
|
|
|
fileSystems."home" = { |
|
|
mountPoint = "/home"; |
|
|
mountPoint = "/home"; |
|
|
device = "manager.hpc.informatik.hs-fulda.de:/home"; |
|
|
|
|
|
|
|
|
device = "manager.${config.networking.domain}:/home"; |
|
|
fsType = "nfs"; |
|
|
fsType = "nfs"; |
|
|
options = [ |
|
|
options = [ |
|
|
"nfsvers=4.2" |
|
|
"nfsvers=4.2" |
|
@ -19,4 +14,21 @@ |
|
|
"x-systemd.idle-timeout=600" |
|
|
"x-systemd.idle-timeout=600" |
|
|
]; |
|
|
]; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
services.openssh = { |
|
|
|
|
|
extraConfig = '' |
|
|
|
|
|
IgnoreRhosts no |
|
|
|
|
|
|
|
|
|
|
|
Match Group cluster |
|
|
|
|
|
HostbasedAuthentication yes |
|
|
|
|
|
HostbasedAcceptedAlgorithms ssh-ed25519* |
|
|
|
|
|
HostbasedUsesNameFromPacketOnly yes |
|
|
|
|
|
''; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
environment.etc."ssh/shosts.equiv".text = concatMapStringsSep "\n" |
|
|
|
|
|
(node: node.config.networking.fqdn) |
|
|
|
|
|
(attrValues nodes); |
|
|
|
|
|
|
|
|
|
|
|
users.groups."cluster" = { }; |
|
|
} |
|
|
} |
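Review bot: `IgnoreRhosts no` in the sshd `extraConfig` re-enables per-user `~/.rhosts`/`~/.shosts`, which the cluster does not need because the trust list is already provided system-wide by `/etc/ssh/shosts.equiv` built from `nodes`; with `/home` on a shared, user-writable NFS mount it lets every user extend hostbased trust for their own account to hosts of their choosing. Dropping that line keeps the OpenSSH default, and `IgnoreUserKnownHosts yes` next to `HostbasedUsesNameFromPacketOnly yes` would ensure that only the system `ssh_known_hosts` (populated from the gathered keys in shared/ssh.nix) can vouch for a client host, since with the packet-supplied name the host-key check is the only thing tying that name to a real node. `Match Group cluster` is the last directive in `extraConfig`; I cannot see from this hunk what NixOS appends after it, so verify that no later global directive lands inside the Match block.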
|
@ -1,5 +1,6 @@ |
|
|
{ |
|
|
{ |
|
|
imports = [ |
|
|
imports = [ |
|
|
|
|
|
./hostFile.nix |
|
|
./beegfs.nix |
|
|
./beegfs.nix |
|
|
]; |
|
|
]; |
|
|
} |
|
|
|
|
|
|
|
|
} |
|
@ -0,0 +1,55 @@ |
|
|
|
|
|
{ pkgs, lib, config, nodes, ... }: |
|
|
|
|
|
|
|
|
|
|
|
with lib; |
|
|
|
|
|
|
|
|
|
|
|
{ |
|
|
|
|
|
options.hpc.hostFile = { |
|
|
|
|
|
addresses = mkOption { |
|
|
|
|
|
description = '' |
|
|
|
|
|
IP addresses of this host |
|
|
|
|
|
''; |
|
|
|
|
|
type = types.listOf types.str; |
|
|
|
|
|
default = |
|
|
|
|
|
let |
|
|
|
|
|
interface = config.networking.interfaces.${config.networking.defaultGateway.interface}; |
|
|
|
|
|
in |
|
|
|
|
|
concatLists [ |
|
|
|
|
|
(map (e: e.address) interface.ipv4.addresses) |
|
|
|
|
|
(map (e: e.address) interface.ipv6.addresses) |
|
|
|
|
|
]; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
canonical = mkOption { |
|
|
|
|
|
description = '' |
|
|
|
|
|
Canonical host name |
|
|
|
|
|
''; |
|
|
|
|
|
type = types.str; |
|
|
|
|
|
default = config.networking.fqdn; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
aliases = mkOption { |
|
|
|
|
|
description = '' |
|
|
|
|
|
Aliases for this host |
|
|
|
|
|
''; |
|
|
|
|
|
type = types.listOf types.str; |
|
|
|
|
|
default = [ ]; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
entries = mkOption { |
|
|
|
|
|
description = '' |
|
|
|
|
|
Host name entries for this host |
|
|
|
|
|
''; |
|
|
|
|
|
type = types.listOf types.str; |
|
|
|
|
|
readOnly = true; |
|
|
|
|
|
default = (singleton config.hpc.hostFile.canonical) ++ config.hpc.hostFile.aliases; |
|
|
|
|
|
}; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
config = { |
|
|
|
|
|
networking.hosts = listToAttrs (concatMap |
|
|
|
|
|
(node: map |
|
|
|
|
|
(address: nameValuePair address node.config.hpc.hostFile.entries) |
|
|
|
|
|
node.config.hpc.hostFile.addresses) |
|
|
|
|
|
(attrValues nodes)); |
|
|
|
|
|
}; |
|
|
|
|
|
} |
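Review bot: The default for `addresses` dereferences `config.networking.defaultGateway.interface` unconditionally, so a node that leaves `networking.defaultGateway` at its NixOS default of null fails to evaluate with an attribute error from this module rather than a clear message; either guard it with `optionals (config.networking.defaultGateway != null) [...]` or state the requirement in the option description, e.g. `''IP addresses of this host; defaults to the addresses on the default-gateway interface, which must therefore be set''`. `networking.hosts = listToAttrs (...)` keeps the first occurrence when two nodes declare the same address, so a duplicated address silently maps to only one host's names; a one-line comment above `networking.hosts` recording that assumption would help. `entries` is declared `readOnly` with a computed `default`, which is fine, but a short comment saying it is derived from `canonical ++ aliases` and not meant to be assigned would save the next reader a lookup.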
|
@ -0,0 +1,14 @@ |
|
|
|
|
|
diff --git a/sshconnect2.c b/sshconnect2.c
|
|
|
|
|
|
--- a/sshconnect2.c
|
|
|
|
|
|
+++ b/sshconnect2.c
|
|
|
|
|
|
@@ -2055,10 +2055,6 @@
|
|
|
|
|
|
*sigp = NULL; |
|
|
|
|
|
*lenp = 0; |
|
|
|
|
|
|
|
|
|
|
|
- if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
|
|
|
|
|
|
- error_f("not installed: %s", strerror(errno));
|
|
|
|
|
|
- return -1;
|
|
|
|
|
|
- }
|
|
|
|
|
|
if (fflush(stdout) != 0) { |
|
|
|
|
|
error_f("fflush: %s", strerror(errno)); |
|
|
|
|
|
return -1; |
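Review bot: The removed block is the only place the client reports `not installed` for a missing ssh-keysign helper; after this patch a missing or non-setuid helper surfaces later as a pipe/exec or signature failure, which is harder to diagnose on a node, and the hunk does not change where the helper is executed from — the enclosing function continues outside the hunk. A header above `diff --git` explaining why the check is wrong under NixOS (the setuid copy is installed through `security.wrappers`, not at the compile-time path the check inspects) would justify carrying a local OpenSSH patch, and naming the OpenSSH version it was generated against would make a failed rebase noticeable rather than silent.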
|
@ -1,9 +1,10 @@ |
|
|
{ pkgs, modulesPath, ... }: |
|
|
|
|
|
|
|
|
{ pkgs, config, modulesPath, ... }: |
|
|
|
|
|
|
|
|
{ |
|
|
{ |
|
|
imports = [ |
|
|
imports = [ |
|
|
./network.nix |
|
|
./network.nix |
|
|
./users.nix |
|
|
./users.nix |
|
|
|
|
|
./ssh.nix |
|
|
|
|
|
|
|
|
"${modulesPath}/profiles/headless.nix" |
|
|
"${modulesPath}/profiles/headless.nix" |
|
|
"${modulesPath}/profiles/all-hardware.nix" |
|
|
"${modulesPath}/profiles/all-hardware.nix" |
|
@ -16,6 +17,11 @@ |
|
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; |
|
|
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
gather = { |
|
|
|
|
|
target = part: "gathered/${config.networking.hostName}/${part}"; |
|
|
|
|
|
root = ../.; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
time.timeZone = "Europe/Berlin"; |
|
|
time.timeZone = "Europe/Berlin"; |
|
|
console.keyMap = "de"; |
|
|
console.keyMap = "de"; |
|
|
|
|
|
|
|
@ -26,5 +32,7 @@ |
|
|
tmux |
|
|
tmux |
|
|
]; |
|
|
]; |
|
|
|
|
|
|
|
|
|
|
|
services.haveged.enable = true; |
|
|
|
|
|
|
|
|
system.stateVersion = "22.11"; |
|
|
system.stateVersion = "22.11"; |
|
|
} |
|
|
} |
|
@ -0,0 +1,23 @@ |
|
|
|
|
|
{ lib, nodes, ... }: |
|
|
|
|
|
|
|
|
|
|
|
with lib; |
|
|
|
|
|
|
|
|
|
|
|
{ |
|
|
|
|
|
programs.ssh = { |
|
|
|
|
|
# Add know-host entries for all machines in the cluster |
|
|
|
|
|
knownHosts = mapAttrs |
|
|
|
|
|
(name: node: { |
|
|
|
|
|
hostNames = [ |
|
|
|
|
|
node.config.networking.hostName |
|
|
|
|
|
node.config.networking.fqdn |
|
|
|
|
|
]; |
|
|
|
|
|
publicKeyFile = node.config.gather.parts."ssh/hostKey".path; |
|
|
|
|
|
}) |
|
|
|
|
|
nodes; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
gather.parts."ssh/hostKey" = { |
|
|
|
|
|
name = "ssh_host_ed25519_key.pub"; |
|
|
|
|
|
file = "/etc/ssh/ssh_host_ed25519_key.pub"; |
|
|
|
|
|
}; |
|
|
|
|
|
} |
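Review bot: The comment above `knownHosts` reads `know-host`; it should say `known_hosts`, e.g. `# Add known_hosts entries for every machine in the cluster`. `publicKeyFile` points at each node's gathered `ssh_host_ed25519_key.pub`, so evaluating any host depends on every node's key already being committed under gathered/; a brief comment stating that the gather step must run before a new node is added to `nodes` would document the bootstrap order I infer from this. `hostNames` lists only the short name and the FQDN, so connections made by IP address are not pinned; acceptable if nobody does that, otherwise the addresses from `hpc.hostFile.addresses` could be appended.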
|
@ -1,3 +1,12 @@ |
|
|
|
|
|
{ lib, config, ... }: |
|
|
|
|
|
|
|
|
|
|
|
with lib; |
|
|
|
|
|
|
|
|
|
|
|
let |
|
|
|
|
|
baseDN = concatMapStringsSep "," |
|
|
|
|
|
(part: "dc=${part}") |
|
|
|
|
|
(splitString "." config.networking.domain); |
|
|
|
|
|
in |
|
|
{ |
|
|
{ |
|
|
users.mutableUsers = false; |
|
|
users.mutableUsers = false; |
|
|
|
|
|
|
|
@ -8,4 +17,19 @@ |
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so" |
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so" |
|
|
]; |
|
|
]; |
|
|
}; |
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
users.ldap = { |
|
|
|
|
|
enable = true; |
|
|
|
|
|
|
|
|
|
|
|
server = "ldap://manager.${config.networking.domain}/"; |
|
|
|
|
|
base = baseDN; |
|
|
|
|
|
|
|
|
|
|
|
daemon.enable = true; |
|
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
users.users."fooker" = { |
|
|
|
|
|
isNormalUser = true; |
|
|
|
|
|
group = "cluster"; |
|
|
|
|
|
password = "asdasd123"; |
|
|
|
|
|
}; |
|
|
} |
|
|
} |
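Review bot: `password = "asdasd123";` stores a cleartext password in the repository and in the world-readable Nix store of every host that imports this file, and with `users.mutableUsers = false` it also cannot be changed on the machine. Use `hashedPassword` or a sops-managed `passwordFile` (sops is already used for `ldap/root/password` in machines/manager/ldap.nix), and treat the current value as exposed since it is now in git history. `group = "cluster"` refers to a group that this commit defines only in machines/node/users.nix, so on the manager this user presumably references an undefined group; defining `users.groups."cluster" = { };` here in the shared module would keep both hosts consistent. The enclosing attribute set starts outside the hunk.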