Merge pull request #14 from petm5/dev

petm5 · web-flow · commit 2791ca48ea0b · 2025-05-08T14:10:51.000-04:00
Nixlet v0.2.0
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -12,7 +12,6 @@
     baseConfig = [
       ./modules/profiles/minimal.nix
       ./modules/profiles/image-based.nix
-      ./modules/profiles/headless.nix
       ./modules/profiles/server.nix
       ./modules/hardware/generic-pc.nix
       (nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
diff --git a/modules/image/repart-verity-store.nix b/modules/image/repart-verity-store.nix
@@ -17,13 +17,6 @@ in {
     compress = lib.mkEnableOption "image compression" // {
       default = true;
     };
-    sshKeys = {
-      enable = lib.mkEnableOption "provisioning of default SSH keys from ESP";
-      keys = lib.mkOption {
-        type = lib.types.listOf lib.types.singleLineStr;
-        default = [];
-      };
-    };
   };
 
   imports = [
@@ -62,11 +55,6 @@ in {
           # Include systemd-boot
           "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source =
             "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
-
-          # Include default SSH keys, used in tests
-          "/default-ssh-authorized-keys.txt" = lib.mkIf config.system.image.sshKeys.enable {
-            source = pkgs.writeText "ssh-keys" (lib.concatStringsSep "\n" config.system.image.sshKeys.keys);
-          };
         };
         repartConfig = {
           Type = "esp";
diff --git a/modules/profiles/headless.nix b/modules/profiles/headless.nix
diff --git a/modules/profiles/minimal.nix b/modules/profiles/minimal.nix
@@ -1,4 +1,4 @@
-{ config, modulesPath, ... }: {
+{ config, pkgs, modulesPath, ... }: {
 
   imports = [
     (modulesPath + "/profiles/minimal.nix")
@@ -22,6 +22,20 @@
   # Modules must be loaded by initrd
   boot.initrd.kernelModules = config.boot.kernelModules;
 
+  systemd.package = pkgs.systemd.overrideAttrs {
+    src = pkgs.fetchFromGitHub {
+      owner = "petm5";
+      repo = "systemd";
+      rev = "c70d5474185d1bc49bdc1a5a296694ae7194c08d";
+      hash = "sha256-kXySBrV/lGJD34va2oSZ67B+f+IUav1Vv9UvwLe3Z0g=";
+    };
+  };
+
+  boot.kernelModules = [
+    # Required for systemd SMBIOS credential import
+    "dmi_sysfs"
+  ];
+
   # Remove foreign language support
   i18n.supportedLocales = [
     "en_US.UTF-8/UTF-8"
diff --git a/modules/profiles/server.nix b/modules/profiles/server.nix
@@ -58,30 +58,17 @@
 
   time.timeZone = "UTC";
 
-  systemd.services."default-ssh-keys" = {
-    script = ''
-      mkdir /root/.ssh
-
-      # Try to copy keys from the ESP
-      if [ -e /boot/default-ssh-authorized-keys.txt ]; then
-        cat /boot/default-ssh-authorized-keys.txt >> /root/.ssh/authorized_keys
-        exit 0
-      fi
-
-      # Otherwise, generate a default keypair and display it
-      ${pkgs.openssh}/bin/ssh-keygen -f /root/.ssh/id_default -t ed25519
-      cat /root/.ssh/id_default.pub > /root/.ssh/authorized_keys
-      if [ -e /dev/ttyS0 ]; then
-        cat /root/.ssh/id_default > /dev/ttyS0
-      fi
-      if [ -e /dev/tty1 ]; then
-        cat /root/.ssh/id_default | ${pkgs.qrencode}/bin/qrencode -t UTF8 > /dev/tty1
-      fi
-    '';
-    wantedBy = [ "sshd.service" "sshd.socket" ];
-    unitConfig = {
-      ConditionPathExists = [ "!/root/.ssh/authorized_keys" ];
-    };
+  # The system should reboot on failure
+  systemd.watchdog = {
+    runtimeTime = "10s";
+    rebootTime = "30s";
   };
 
+  boot.kernelParams = [ "panic=30" "boot.panic_on_fail" "quiet" ];
+
+  # Enable configuration on first boot
+  systemd.additionalUpstreamSystemUnits = [
+    "systemd-firstboot.service"
+  ];
+
 }
diff --git a/tests/common.nix b/tests/common.nix
@@ -50,9 +50,10 @@ in rec {
     system = makeSystem extraConfig;
   in "${system.config.system.build.updatePackage}";
 
-  makeImageTest = { name, image, script, httpRoot ? null }: let
+  makeImageTest = { name, image, script, httpRoot ? null, sshAuthorizedKey ? null }: let
     qemu = qemu-common.qemuBinary pkgs.qemu_test;
     flags = [
+      "-machine" "type=q35,accel=kvm,smm=on"
       "-m" "512M"
       "-drive" "if=pflash,format=raw,unit=0,readonly=on,file=${pkgs.OVMF.firmware}"
       "-drive" "if=pflash,format=raw,unit=1,readonly=on,file=${pkgs.OVMF.variables}"
@@ -62,7 +63,9 @@ in rec {
       "-device" "tpm-tis,tpmdev=tpm0"
       "-netdev" ("'user,id=net0" + (lib.optionalString (httpRoot != null) ",guestfwd=tcp:10.0.2.1:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${httpRoot}") + "'")
       "-device" "virtio-net-pci,netdev=net0"
-    ];
+    ] ++ (lib.optionals (sshAuthorizedKey != null) [
+      "-smbios" ("'type=11,value=io.systemd.credential:ssh.authorized_keys.root=" + sshAuthorizedKey + "'")
+    ]);
     flagsStr = lib.concatStringsSep " " flags;
     startCommand = "${qemu} ${flagsStr}";
     mutableImage = "/tmp/linked-image.qcow2";
diff --git a/tests/integration.nix b/tests/integration.nix
@@ -6,23 +6,24 @@
   sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
 
   initialImage = test-common.makeImage {
-    system.image.sshKeys.enable = true;
-    system.image.sshKeys.keys = [ sshKeys.snakeOilPublicKey ];
     system.extraDependencies = [ sshKeys.snakeOilPrivateKey ];
   };
 
 in test-common.makeImageTest {
   name = "integration";
   image = initialImage;
+  sshAuthorizedKey = sshKeys.snakeOilPublicKey;
   script = ''
     start_tpm()
     machine.start()
 
     machine.wait_for_unit("multi-user.target")
 
+    machine.succeed("systemd-creds --system list > /dev/console")
+    machine.succeed("systemd-run -p ImportCredential=ssh.authorized_keys.root -P --wait systemd-creds cat ssh.authorized_keys.root")
+
     # Test SSH key provisioning functionality
 
-    machine.succeed("[ -e /boot/default-ssh-authorized-keys.txt ]")
     machine.succeed("[ -e /root/.ssh/authorized_keys ]")
 
     machine.wait_for_open_port(22)
