Skip to content

Use systemd credentials to provision secrets for attestation server#100

Draft
hmenke wants to merge 1 commit intonix-community:masterfrom
hmenke:systemd-credentials
Draft

Use systemd credentials to provision secrets for attestation server#100
hmenke wants to merge 1 commit intonix-community:masterfrom
hmenke:systemd-credentials

Conversation

@hmenke
Copy link
Contributor

@hmenke hmenke commented May 1, 2021

Fixes #80 properly.

Depends on systemd 247 in NixOS 21.05.

@hmenke hmenke force-pushed the systemd-credentials branch from d638560 to 3c44211 Compare May 1, 2021 20:18
danielfullmer
danielfullmer reviewed May 2, 2021
View reviewed changes
@danielfullmer
Copy link
Collaborator

danielfullmer commented May 2, 2021

nixos/attestation-server/test.nix would fail with:

the string 'emailPassword:/nix/store/p4bgm05dvi71slw4qmfrxvdissfdvbg1-fake-password' is not allowed to refer to a store path (such as '!out!/nix/store/rycvccbacq114ds4dzpsi7h3clid549l-fake-password.drv')

Caused by https://github.com/danielfullmer/robotnix/blob/bdb085a460a83c79c50a00af72b961cb982d53dc/nixos/attestation-server/test.nix#L21
Should be possible to work around by writing to a temporary fake-password file outside of the nix store before starting the service, instead of using pkgs.writeText.

Although I think we'll delay merging this change until NixOS 21.05 is released, (luckily not too long).

@hmenke hmenke force-pushed the systemd-credentials branch from 3c44211 to 63f6adf Compare May 2, 2021 11:37
@hmenke
Copy link
Contributor Author

hmenke commented May 2, 2021

Should be possible to work around by writing to a temporary fake-password file outside of the nix store before starting the service, instead of using pkgs.writeText.

I think this just happened because of lib."..." which tried to use a store path to index an attrset and keys have to be context-free.

Although I think we'll delay merging this change until NixOS 21.05 is released, (luckily not too long).

NixOS 21.05 is a hard requirement, because LoadCredential needs systemd 247. I just opened this so I don't forget about it when the time comes.

@danielfullmer
Copy link
Collaborator

danielfullmer commented May 2, 2021

I think this just happened because of lib."..." which tried to use a store path to index an attrset and keys have to be context-free.

Makes sense. I was overthinking it and assuming that NixOS had some extra logic to ensure that publicly-readable secrets wouldn't end up in the LoadCredential option. But then I also forgot that we're pinned at 20.09, so even if that logic was added in 21.05, we wouldn't have it here.

@hmenke hmenke force-pushed the systemd-credentials branch from 63f6adf to bd29779 Compare June 8, 2021 14:37
@hmenke
Copy link
Contributor Author

hmenke commented Jun 8, 2021

I just ran the test on NixOS 21.05 but I get this weird failure:

Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or directory

danielfullmer
danielfullmer reviewed Jun 8, 2021
View reviewed changes
nixos/attestation-server/module.nix
@@ -125,12 +127,9 @@ in
# Note the leading + on the first command. The passwordFile could be
Copy link
Collaborator

@danielfullmer danielfullmer Jun 8, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can remove this comment as well

@danielfullmer
Copy link
Collaborator

danielfullmer commented Jun 8, 2021

I just ran the test on NixOS 21.05 but I get this weird failure:

Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or directory

I can reproduce that issue as well with 21.05. There's this issue, which looks related, as well a fix for it in systemd 248 (not in NixOS 21.05)

@hmenke hmenke force-pushed the systemd-credentials branch from bd29779 to 3fcf9cf Compare December 5, 2021 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danielfullmer danielfullmer danielfullmer left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

attestation-server fails on first boot

2 participants

@hmenke @danielfullmer