feat(weller): add bootstrap configuration for two-stage install#293
- Refactor 'hosts/weller/default.nix' to extract hardware config to 'hosts/weller/hardware.nix'. - Create 'modules/bootstrap.nix' for initial mutable install with SSH enabled and no secrets. - Add 'weller-bootstrap' nixosConfiguration to 'flake.nix'. Fixes #263
Summary of Changes

Hello @patflynn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request establishes a robust two-stage installation workflow for the 'weller' host, addressing issue #263. It separates hardware-specific settings into a dedicated file and introduces a temporary bootstrap configuration. This allows for an initial system setup with SSH access and mutable users, facilitating the subsequent transition to the full, secure 'weller' configuration.
- Add 'mkBootstrap' helper function to flake.nix for easy creation of bootstrap images for any host. - Update 'modules/bootstrap.nix' to use 'lib.mkDefault' for user options, allowing overrides. - Use 'mkBootstrap' for 'weller-bootstrap' configuration.
Code Review
This pull request introduces a two-stage installation process for the 'weller' host, effectively decoupling the initial setup from secret management, and refactors hardware configuration into a dedicated file for modularity. However, the new bootstrap module introduces critical security vulnerabilities, including a hardcoded default password and overly permissive SSH and sudo settings, which must be addressed to minimize the risk of compromise during the initial setup phase. Additionally, consider using distinct hostnames for the bootstrap and final configurations to improve clarity.
modules/bootstrap.nix
Outdated
| "networkmanager" | ||
| "video" | ||
| ]; | ||
| initialPassword = "nixos"; |
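Review bot: `initialPassword = "nixos"` on a user that is also in `wheel` is world-readable, because NixOS writes `initialPassword` into the Nix store in cleartext, and since it is only applied when the account is first created, removing or changing it in this module later will not touch a host that has already been bootstrapped. Drop the option and rely on the SSH keys the same user block provisions, or, if sudo must keep asking for a password, point `hashedPasswordFile` at a hash placed on the target during the install rather than at anything in the store.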
The initialPassword for the default user is set to a hardcoded, well-known value (nixos). This is a significant security vulnerability as it allows anyone with network access to the system during the bootstrap phase to log in via SSH, potentially gaining immediate root privileges if passwordless sudo is also enabled. Hardcoding passwords in source code, even for bootstrap, is a security risk.
modules/bootstrap.nix
Outdated
| PermitRootLogin = "yes"; | ||
| PasswordAuthentication = true; | ||
| }; | ||
| }; | ||
|
|
||
| # Mutable users for bootstrap | ||
| users.mutableUsers = true; | ||
|
|
||
| users.users.root.openssh.authorizedKeys.keys = keys.users; | ||
|
|
||
| users.users.${config.cosmo.user.default} = { | ||
| isNormalUser = true; | ||
| uid = 1000; | ||
| extraGroups = [ | ||
| "wheel" | ||
| "networkmanager" | ||
| "video" | ||
| ]; | ||
| initialPassword = "nixos"; | ||
| openssh.authorizedKeys.keys = keys.users; | ||
| }; | ||
|
|
||
| # Make it easy to assume root during bootstrap | ||
| security.sudo.wheelNeedsPassword = false; |
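Review bot: `users.users.root.openssh.authorizedKeys.keys = keys.users;` hands every key in `keys.users` a direct root shell, which adds nothing once the same keys sit on the `wheel` user with `security.sudo.wheelNeedsPassword = false;`, and it drops the per-user record in the sudo log of who escalated. Remove the root key list, set `PermitRootLogin = "prohibit-password";` and `PasswordAuthentication = false;` since key access is already in place, and consider `uid = lib.mkDefault 1000;` so a host needing a different uid can override it without an option conflict.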
The bootstrap configuration enables SSH root login (PermitRootLogin = "yes"), password authentication (PasswordAuthentication = true), and allows the wheel group to use sudo without a password (security.sudo.wheelNeedsPassword = false). These settings significantly increase the attack surface and risk of unauthorized access if the system is exposed to a network. Since SSH keys are already configured, it is recommended to disable password-based authentication to improve security.
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
hosts/weller/hardware.nix
Outdated
| # --------------------------------------------------------------------------- | ||
| # Networking | ||
| # --------------------------------------------------------------------------- | ||
| networking.hostName = "weller"; |
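Review bot: `networking.hostName = "weller";` in the shared hardware.nix is evaluated by both `weller` and `weller-bootstrap`, so a second definition in the bootstrap module conflicts unless one side carries a priority. If the line stays in this file, write `networking.hostName = lib.mkDefault "weller";` so the bootstrap configuration can override it; otherwise move it to hosts/weller/default.nix and keep hardware.nix to kernel modules, filesystems and similar hardware facts.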
The hostname is hardcoded to "weller" in this shared hardware.nix file. This means the weller-bootstrap configuration will also have the hostname "weller", which could be confusing during the two-stage installation. It's generally better for each system configuration to define its own hostname.
I recommend removing this line from the shared hardware configuration. Then, you should add networking.hostName = "weller"; to hosts/weller/default.nix and networking.hostName = "weller-bootstrap"; to modules/bootstrap.nix to ensure each configuration has a distinct and appropriate hostname.
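For reference, the bootstrap module with the review's three suggestions applied, as an added example rather than code from this PR or the repository. It assumes `keys.users` arrives through `specialArgs` and that `config.cosmo.user.default` exists as in the snippets above; the `/etc/bootstrap/user.hash` path is made up for the example. The weak lines flagged in the review are kept as comments beside their replacements.

```nix
# modules/bootstrap.nix, hardened variant (added example, not the PR's code).
# Assumptions: `keys.users` is a list of SSH public-key strings handed in via
# specialArgs, and `config.cosmo.user.default` is the repo option naming the
# primary user, as in the reviewed snippets; the hash file path is invented.
{ config, lib, keys, ... }:
{
  services.openssh = {
    enable = true;
    settings = {
      # Reviewed: PermitRootLogin = "yes"; PasswordAuthentication = true;
      # Keys are provisioned below, so close every password path into sshd.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  # Mutable users suit a throwaway bootstrap stage; mkDefault lets the full
  # host configuration flip this to false without an option conflict.
  users.mutableUsers = lib.mkDefault true;

  # No direct root keys: root is reached through sudo from the wheel user,
  # which keeps the sudo log attributable to a person.
  # (Reviewed: users.users.root.openssh.authorizedKeys.keys = keys.users;)

  users.users.${config.cosmo.user.default} = {
    isNormalUser = true;
    uid = lib.mkDefault 1000;
    extraGroups = lib.mkDefault [ "wheel" "networkmanager" "video" ];
    openssh.authorizedKeys.keys = keys.users;

    # Reviewed: initialPassword = "nixos";
    # That string lands in the world-readable Nix store. sudo still needs a
    # password, so read a yescrypt hash (mkpasswd -m yescrypt) from a file
    # copied onto the target during the install instead of into the store.
    hashedPasswordFile = "/etc/bootstrap/user.hash";
  };

  # Reviewed: security.sudo.wheelNeedsPassword = false;
  # Keep the default (a password is required) and make the choice explicit.
  security.sudo.wheelNeedsPassword = lib.mkDefault true;
}
```

The hash file has to exist on the target before the configuration activates, otherwise the user is created without a usable password and sudo cannot be unlocked from that account. After the first key-based login, `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` shows the effective sshd values and confirms that neither password path is open.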
- Update Weller setup guide with Stage 1 (bootstrap) and Stage 2 (full) steps. - Explain usage of 'weller-bootstrap' flake target. - Document the SSH key generation and secret rekeying workflow.
- Disable password-based SSH and root login for bootstrap. - Remove hardcoded default 'nixos' password; use repo SSH keys instead. - Require sudo password by default in bootstrap for better security. - Move weller hostname definition to default.nix to resolve CI conflict.
- Refactor classic-laddie to use hardware.nix for better modularity. - Add classic-laddie-bootstrap to flake.nix. - Support networking.hostId in mkBootstrap for ZFS hosts.
This PR introduces a two-stage installation process for the 'weller' host to resolve issue #263.
Changes:
Usage: