diff --git a/README.md b/README.md index c8f495e..39b3ba0 100644 --- a/README.md +++ b/README.md @@ -38,41 +38,6 @@ There's already a `.vscode` directory which should direct VSCode to enable the D # Infrastructure -## Setting up SSH access - -You'll need to trust the SSH certificate authority that generates SSH keys for Epesooj's hosts. -The CA's public key is in `./host_config/ssh_certs/host_ca.pub`. - -This is the template for the SSH `known_hosts` entry: - -``` -@cert-authority -``` - -For example: - -``` -@cert-authority code.akols.com ssh-ed25519 AAAA... -``` - -## Signing a user's public SSH key to give them host access - -Run `just sign_user_key `. -This will by default give them `root` access. -Check the definition of this `just` command to see how to give them access to different user(s). - -Once this is done, give them the signed public key (it'll be a file in the same directory as `` with the `-cert.pub` suffix) and tell them to add the `CertificateFile` option to their SSH config to make sure it'll also present the signed public key. -For example: - -``` -Host epesooj - User root - HostName code.akols.com - IdentityFile ~/.ssh/epesooj_personal.pub - CertificateFile ~/.ssh/epesooj_personal-cert.pub - IdentitiesOnly yes -``` - ## Nixifying a new host If you have a bunch of SSH keys in your SSH agent and get errors when trying to SSH into a fresh host, you may need to temporarily add the following config to your SSH config (obviously change the details for your case). 
@@ -85,15 +50,7 @@ Host 188.245.194.78 IdentitiesOnly yes ``` -Once you can SSH into the host normally, run `just nixify_host "code" ","`. -For example: `just nixify_host epesooj-code-0001 code "code.akols.com,188.245.194.78"`. - -This command requires you to have the key for the Epesooj Host SSH certificate authority. -If you don't have it, contact someone who does. - ## Deploying the webring You should have a `.env` file with the id and deploy key for each script in the webring, as well as a key to deploy the index page to bunny. When you have this, run `deno task deploy`. -You'll need the API keys required to deploy these. -If you don't have them, contact someone who does.
diff --git a/host_config/default.nix b/code_server.nix
similarity index 96%
rename from host_config/default.nix
rename to code_server.nix
index ea9b4e5..889ed5e 100644
--- a/host_config/default.nix
+++ b/code_server.nix
@@ -96,10 +96,6 @@ settings = {
 PasswordAuthentication = false;
 };
- extraConfig = ''
- HostCertificate /persisted/etc/ssh/ssh_host_ed25519_key-cert.pub
- TrustedUserCAKeys /persisted/etc/ssh/user_cas.pub
- '';
 };
 users.users.root = {
diff --git a/host_config/code_server_disk.nix b/code_server_disk.nix
similarity index 100%
rename from host_config/code_server_disk.nix
rename to code_server_disk.nix
diff --git a/flake.lock b/flake.lock
index ec46993..32a38dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1750903843, - "narHash": "sha256-Ng9+f0H5/dW+mq/XOKvB9uwvGbsuiiO6HrPdAcVglCs=", + "lastModified": 1739841949, + "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=", "owner": "nix-community", "repo": "disko", - "rev": "83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae", + "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0", "type": "github" }, "original": {
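Review bot: Dropping `HostCertificate` and `TrustedUserCAKeys` from the sshd `extraConfig` changes the host's authentication model, and nothing in the hunk records what replaces it: clients that verified this host through the `@cert-authority` entry in `known_hosts` will now be asked to trust a bare host key, and root login now rests on whatever authorized keys `users.users.root` declares (its block starts at the last line of the hunk and continues outside it). `PasswordAuthentication = false` is kept, which is the right default. Because the deleted bootstrap script was what placed `ssh_host_ed25519_key` under `/persisted/etc/ssh` via `--extra-files`, it is worth confirming that `services.openssh.hostKeys` now points at a location that survives a reinstall; otherwise each `nixify_host` run presumably yields a fresh host key and a host-key-changed warning for every operator. A short comment at the top of the openssh `settings` block such as `# Access is by authorized keys only; SSH CA host/user certificates were removed deliberately.` would keep the next reader from reintroducing certificate trust by accident.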
@@ -25,11 +25,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1749398372, - "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", + "lastModified": 1738453229, + "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", + "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "type": "github" }, "original": { @@ -38,18 +38,38 @@ "type": "github" } }, - "nil": { + "flake-utils": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "systems": "systems" }, "locked": { - "lastModified": 1751341694, - "narHash": "sha256-zXag1+8iZC3H5yVFP7KhIi4ps9z8xKrFIkyaeXlZ7Uo=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nil": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1732053863, + "narHash": "sha256-DCIVdlb81Fct2uwzbtnawLBC/U03U2hqx8trqTJB7WA=", "owner": "oxalica", "repo": "nil", - "rev": "b043bfe1f3f4c4be4b688e24c5ae96e81f525805", + "rev": "2e24c9834e3bb5aa2a3701d3713b43a6fb106362", "type": "github" }, "original": { @@ -60,11 +80,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751271578, - "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=", + "lastModified": 1740126099, + "narHash": "sha256-ozoOtE2hGsqh4XkTJFsrTkNxkRgShxpQxDynaPZUGxk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df", + "rev": "32fb99ba93fea2798be0e997ea331dd78167f814", "type": "github" }, "original": { 
@@ -76,17 +96,14 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1748740939, - "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "656a64127e9d791a334452c6b6606d17539476e2", - "type": "github" + "lastModified": 1738452942, + "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" }, "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, "root": { @@ -96,6 +113,42 @@ "nil": "nil", "nixpkgs": "nixpkgs" } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "nil", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1731983527, + "narHash": "sha256-JECaBgC0pQ91Hq3W4unH6K9to8s2Zl2sPNu7bLOv4ek=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "71287228d96e9568e1e70c6bbfa3f992d145947b", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index d8ec428..784d0dc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,7 @@ systems = [ "x86_64-linux" ];
 imports = [
- ./host_config
+ ./code_server.nix
 ];
 flake =
diff --git a/host_config/bootstrap_host.sh b/host_config/bootstrap_host.sh
deleted file mode 100755
index cbf2341..0000000
--- a/host_config/bootstrap_host.sh
+++ /dev/null
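Review bot: The `imports` path change itself is fine, but the flake.lock rewritten in the same commit moves every input backwards: the `nixpkgs` node drops from `lastModified` 1751271578 to 1740126099 (roughly four months older), `disko`, `flake-parts` and `nil` likewise, `nil` regains the `flake-utils`, `rust-overlay` and `systems` nodes, and `nixpkgs-lib` turns back into a tarball pin that the previous lock had moved away from. That pattern looks like an older flake.lock checked in from a stale branch rather than a deliberate downgrade; if so, `just nixify_host` will install a system built from a months-older nixpkgs, meaning older openssh and kernel packages than the host presumably runs today. Either run `nix flake update` (or restore the previous flake.lock) before this is deployed, or say in the commit message why the older pins are wanted.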
@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail
-
-SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
-host_ca_key="${SCRIPT_DIR}/ssh_certs/host_ca"
-user_ca_pub="${SCRIPT_DIR}/ssh_certs/user_ca.pub"
-
-if [ ! -f "${host_ca_key}" ]
-then
- echo "Host CA key not found."
- exit 1
-fi
-
-if [ ! -f "${user_ca_pub}" ]
-then
- echo "Public User CA key not found."
- exit 1
-fi
-
-temp=$(mktemp -d)
-
-cleanup() {
- rm -rf "${temp}"
-}
-# trap cleanup EXIT
-
-host_type=$1
-hostname=$2
-extra_names=${3:-}
-
-principal_names="${hostname}"
-
-if [ ! -z "${extra_names}" ]
-then
- principal_names="${principal_names},${extra_names}"
-fi
-
-install -d -m755 "${temp}/persisted/etc/ssh"
-ssh-keygen -t ed25519 -f "${temp}/persisted/etc/ssh/ssh_host_ed25519_key" -C '' -N ''
-ssh-keygen -s ${host_ca_key} -I ${hostname} -h -n "${principal_names}" -V +52w "${temp}/persisted/etc/ssh/ssh_host_ed25519_key.pub"
-
-cp "${user_ca_pub}" "${temp}/persisted/etc/ssh/user_cas.pub"
-
-echo "${temp}"
-
-#nix run github:nix-community/nixos-anywhere -- --extra-files "${temp}" --flake .#${host_type} --target-host root@${hostname}
diff --git a/host_config/sign_user_pub.sh b/host_config/sign_user_pub.sh
deleted file mode 100755
index edf614d..0000000
--- a/host_config/sign_user_pub.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail
-
-SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
-user_ca_key="${SCRIPT_DIR}/ssh_certs/user_ca"
-
-if [ ! -f "${user_ca_key}" ]
-then
- echo "User CA key not found."
- exit 1
-fi
-
-username=$1
-principals=$2
-user_pub=$3
-
-if [ ! -f "${user_pub}" ]
-then
- echo "User public key not found."
- exit 1
-fi
-
-ssh-keygen -s "${user_ca_key}" -I "${username}" -n "${principals}" -V +52w "${user_pub}"
-echo "Done!"
diff --git a/host_config/ssh_certs/.gitignore b/host_config/ssh_certs/.gitignore
deleted file mode 100644
index b8718ec..0000000
--- a/host_config/ssh_certs/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-host_ca
-user_ca
diff --git a/host_config/ssh_certs/host_ca.pub b/host_config/ssh_certs/host_ca.pub
deleted file mode 100644
index 1714776..0000000
--- a/host_config/ssh_certs/host_ca.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJygYxMUdGgApUE3KirRQVgG2X5zWurIBPbwEc10FxDi epesooj host ca
diff --git a/host_config/ssh_certs/user_ca.pub b/host_config/ssh_certs/user_ca.pub
deleted file mode 100644
index 248ea65..0000000
--- a/host_config/ssh_certs/user_ca.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdiqYdA3pm9yKgR5hFlL7ZeSV3xeKH9HwyNwaxY6yZZ epesooj user ca
diff --git a/justfile b/justfile
index 1fcde48..bd926c2 100644
--- a/justfile
+++ b/justfile
@@ -4,8 +4,5 @@ default:
 build_nixos_config host_type="code":
 nix build .#nixosConfigurations.{{host_type}}.config.system.build.toplevel
-nixify_host hostname host_type="code" extra_names="":
- ./host_config/bootstrap_host.sh {{host_type}} {{hostname}} {{extra_names}}
-
-sign_user_key username user_pub_key principals="root":
- ./host_config/sign_user_pub.sh {{username}} {{principals}} {{user_pub_key}}
+nixify_host hostname host_type="code":
+ nix run github:nix-community/nixos-anywhere -- --flake .#{{host_type}} --target-host root@{{hostname}}
diff --git a/scripts/bunny_api/main.ts b/scripts/bunny_api/main.ts
index 1d6133c..0603140 100644
--- a/scripts/bunny_api/main.ts
+++ b/scripts/bunny_api/main.ts
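Review bot: The new `nixify_host` recipe runs `nix run github:nix-community/nixos-anywhere` with no revision, so the installer that gets root on a fresh host is whatever that repository's default branch holds at the moment the recipe runs, which is neither reproducible nor reviewable; the deleted bootstrap script only carried this as a commented-out line, now it is live. Pin it, e.g. `nix run github:nix-community/nixos-anywhere/<PINNED_REV> -- --flake .#{{host_type}} --target-host root@{{hostname}}` (placeholder for the chosen commit), or add nixos-anywhere as a flake input so flake.lock pins it alongside nixpkgs. Dropping `--extra-files` also means no host key is pre-provisioned, so the first connection to each new host is trust-on-first-use; that is a reasonable choice but deserves a line in the README. Note as well that `host_config/ssh_certs/.gitignore`, removed in this commit, was the only rule ignoring the `host_ca` and `user_ca` private keys, so anyone who still has them in a working tree now sees them as untracked files.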
@@ -90,21 +90,21 @@ export async function uploadFile(filepath: string, contents: Uint8Array) {
 }
 }
-export async function purgeCDNCache() {
- const pullZoneIdEnvName = 'BUNNY_PULL_ZONE_ID';
- const pullZoneId = Deno.env.get(pullZoneIdEnvName);
+export async function purgePath(filepath: string) {
+ const cdnBaseUrlEnvName = 'BUNNY_CDN_BASE_URL';
+ const cdnBaseUrl = Deno.env.get(cdnBaseUrlEnvName);
 const accessKeyEnvName = 'BUNNY_ACCESS_KEY';
 const accessKey = Deno.env.get(accessKeyEnvName);
- if (pullZoneId === undefined) {
+ if (cdnBaseUrl === undefined) {
 throw new Error(
- `Can't purge CDN cache for because we don't know the pull zone ID. Please set it by setting the environment variable '${pullZoneIdEnvName}'.`
+ `Can't purge cache for '${filepath}' because we don't know the CDN base URL. Please set it by setting the environment variable '${cdnBaseUrlEnvName}'.`
 );
 }
 if (accessKey === undefined) {
 throw new Error(
- `Can't purge CDN cache because we don't have an API key. Please set it by setting the environment variable '${accessKeyEnvName}'.`
+ `Can't purge cache for '${filepath}' because we don't have an API key. Please set it by setting the environment variable '${accessKeyEnvName}'.`
 );
 }
@@ -114,7 +114,9 @@ export async function purgeCDNCache() {
 accesskey: accessKey,
 };
- const fetchUrl = `https://api.bunny.net/pullzone/${pullZoneId}/purgeCache`;
+ const fetchUrl = new URL(`https://api.bunny.net/purge`);
+ fetchUrl.searchParams.append('async', 'false');
+ fetchUrl.searchParams.append('url', `${cdnBaseUrl}/${filepath}`);
 const res = await fetch(fetchUrl.toString(), {
 method: 'POST',
@@ -123,6 +125,6 @@ export async function purgeCDNCache() {
 if (!res.ok) {
 console.error(await res.text());
- throw new Error(`Failed to purge CDN cache: ${res.statusText}`);
+ throw new Error(`Failed to purge cache: ${res.statusText}`);
 }
 }
diff --git a/scripts/deploy_bunny.ts b/scripts/deploy_bunny.ts
index 29367b3..3d1fb39 100644
--- a/scripts/deploy_bunny.ts
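Review bot: `purgePath` is a new exported function with no JSDoc, and its contract is now spread across two environment variables plus a path argument that callers must get right. A docblock above `export async function purgePath(filepath: string)` should state that it reads `BUNNY_CDN_BASE_URL` and `BUNNY_ACCESS_KEY` from the environment, that `filepath` is appended verbatim to the base URL to form the object URL submitted to the purge API, and that it throws an `Error` when either variable is unset or when the API replies with a non-OK status (the check in the last hunk of this file). The surrounding `uploadFile` function and the tail of `purgePath` sit outside this hunk.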
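Review bot: The `url` query value is built as `${cdnBaseUrl}/${filepath}` by plain string concatenation, so a `BUNNY_CDN_BASE_URL` with a trailing slash or a `filepath` with a leading slash produces a `//` in the purged URL, and nothing checks that the variable is an absolute URL at all. If the API accepts such a request and reports success for a URL that matches no cached object (it presumably does not validate against the zone), the deploy looks purged while the old object keeps being served, a failure that only shows up as stale content. Normalising both sides before joining keeps the call robust: `const base = cdnBaseUrl.replace(/\/+$/, ''); const path = filepath.replace(/^\/+/, ''); fetchUrl.searchParams.append('url', [base, path].join('/'));`. Validating the variable once with `new URL(cdnBaseUrl)` inside the existing `undefined` guard in the previous hunk would also turn a malformed value into an early, clear error instead of a silent no-op purge.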
+++ b/scripts/deploy_bunny.ts
@@ -1,5 +1,5 @@
 import { join } from '@std/path';
-import { deployScript, purgeCDNCache, uploadFile } from './bunny_api/main.ts';
+import { deployScript, purgePath, uploadFile } from './bunny_api/main.ts';
 if (import.meta.main) {
 console.log(`Attempting to upload index.html`);
@@ -8,8 +8,8 @@ if (import.meta.main) {
 await uploadFile('index.html', indexContents);
 console.log(`Done!`);
- console.log(`Attempting to purge the CDN cache.`);
- await purgeCDNCache();
+ console.log(`Attempting to purge the cache for index.html`);
+ await purgePath('index.html');
 console.log(`Done!`);
 for (const dirEntry of Deno.readDirSync(
diff --git a/templates/index.html b/templates/index.html
index cca30ae..38d405e 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -5,6 +5,7 @@
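Review bot: Replacing the zone-wide `purgeCDNCache()` with `purgePath('index.html')` narrows the purge to a single object, but the loop that begins at the hunk's last line (`for (const dirEntry of Deno.readDirSync(`, whose body is outside the hunk) may upload further files through `uploadFile`, and none of those are purged any more. If those files are served through the same CDN they will keep serving stale copies until their cache TTL expires, which the old zone-wide purge avoided. Either call `purgePath` once per uploaded path inside that loop, or state in a comment why those paths need no purge, e.g. `// Only index.html is CDN-cached; the script deploys below bypass the cache, so no purge is needed.` (only if that is actually the case). The literal `'index.html'` now appears several times in a few lines; hoisting it into `const indexPath = 'index.html';` would keep the upload and purge targets from drifting apart.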