
Use systemd credentials to provision secrets for attestation server

Open hmenke opened this issue 4 years ago • 5 comments

Fixes https://github.com/danielfullmer/robotnix/issues/80 properly.

Depends on systemd 247 in NixOS 21.05.

hmenke avatar May 01 '21 20:05 hmenke

nixos/attestation-server/test.nix would fail with:

the string 'emailPassword:/nix/store/p4bgm05dvi71slw4qmfrxvdissfdvbg1-fake-password' is not allowed to refer to a store path (such as '!out!/nix/store/rycvccbacq114ds4dzpsi7h3clid549l-fake-password.drv')

Caused by https://github.com/danielfullmer/robotnix/blob/bdb085a460a83c79c50a00af72b961cb982d53dc/nixos/attestation-server/test.nix#L21. Should be possible to work around by writing to a temporary fake-password file outside of the nix store before starting the service, instead of using pkgs.writeText.

Although I think we'll delay merging this change until NixOS 21.05 is released (luckily not too long).

danielfullmer avatar May 02 '21 03:05 danielfullmer

> Should be possible to work around by writing to a temporary fake-password file outside of the nix store before starting the service, instead of using pkgs.writeText.

I think this just happened because of lib."..." which tried to use a store path to index an attrset and keys have to be context-free.

> Although I think we'll delay merging this change until NixOS 21.05 is released (luckily not too long).

NixOS 21.05 is a hard requirement, because LoadCredential needs systemd 247. I just opened this so I don't forget about it when the time comes.

hmenke avatar May 02 '21 11:05 hmenke

> I think this just happened because of lib."..." which tried to use a store path to index an attrset and keys have to be context-free.

Makes sense. I was overthinking it and assuming that NixOS had some extra logic to ensure that publicly-readable secrets wouldn't end up in the LoadCredential option. But then I also forgot that we're pinned at 20.09, so even if that logic was added in 21.05, we wouldn't have it here.

danielfullmer avatar May 02 '21 20:05 danielfullmer

I just ran the test on NixOS 21.05 but I get this weird failure:

Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or directory

hmenke avatar Jun 08 '21 14:06 hmenke

> I just ran the test on NixOS 21.05 but I get this weird failure:
>
> Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or directory

I can reproduce that issue as well with 21.05. There's this issue, which looks related, as well as a fix for it in systemd 248 (not in NixOS 21.05).

danielfullmer avatar Jun 08 '21 22:06 danielfullmer
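As an added illustration of the pattern discussed in this thread (this is not the PR's own `test.nix` or robotnix's module code), the following NixOS VM test provisions the service's secret through `LoadCredential`, writes the fake password to a path outside `/nix/store` from the test script before the unit starts (the workaround suggested above, instead of `pkgs.writeText`), and checks that the credential is visible to the service but not to an unrelated user. The service name `attestation-server` and the credential name `emailPassword` come from the thread; the path `/var/lib/attestation-server/email-password`, the `sleep infinity` stand-in for the real daemon, and the assumption of a NixOS release carrying systemd 248 or newer (per the last comment, 247 in 21.05 hits the mount-namespacing failure) are assumptions of this example.

```nix
# Added example, not part of robotnix: a NixOS VM test that hands a secret
# to a service via systemd's LoadCredential (needs systemd >= 247; the
# mount-namespacing bug mentioned in the thread is fixed in 248).
{ pkgs, ... }:
pkgs.nixosTest {
  name = "attestation-server-credentials";

  nodes.machine = { pkgs, ... }: {
    systemd.services.attestation-server = {
      # Intentionally not in wantedBy: the test creates the secret file
      # first and then starts the unit explicitly.
      serviceConfig = {
        DynamicUser = true;
        # The source is a plain filesystem path, NOT a Nix store path.
        # Putting a pkgs.writeText result here would place the secret in
        # the world-readable /nix/store, which this change exists to avoid.
        LoadCredential = [ "emailPassword:/var/lib/attestation-server/email-password" ];
      };
      # systemd exposes the credential under $CREDENTIALS_DIRECTORY, a
      # per-unit private mount readable only by the service's own user.
      script = ''
        test -r "$CREDENTIALS_DIRECTORY/emailPassword"
        # Stand-in for the real daemon (assumed): just stay up.
        exec sleep infinity
      '';
    };
  };

  testScript = ''
    machine.wait_for_unit("multi-user.target")

    # Write the fake password outside the store before the unit starts,
    # owned by root with mode 0400, instead of using pkgs.writeText.
    machine.succeed("install -d -m 0700 /var/lib/attestation-server")
    machine.succeed("printf 'fake-password' > /var/lib/attestation-server/email-password")
    machine.succeed("chmod 0400 /var/lib/attestation-server/email-password")

    # The service can read the credential and starts cleanly.
    machine.succeed("systemctl start attestation-server.service")
    machine.wait_for_unit("attestation-server.service")

    # An unrelated user cannot read the source file on disk.
    machine.fail("runuser -u nobody -- cat /var/lib/attestation-server/email-password")

    # Nothing named after the fake password ended up in the Nix store.
    machine.fail("ls /nix/store | grep -q -- '-fake-password'")
  '';
}
```

Run it with `nix-build -E 'with import <nixpkgs> {}; callPackage ./credentials-test.nix {}'` (file name assumed). The two `machine.fail` checks are the security property being bought here: the secret exists only on the host filesystem with restrictive permissions and inside the unit's private credentials mount, never as a store path that every local user, and every machine sharing the store, can read.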