NixOS / nixops

NixOps is a tool for deploying to NixOS machines in a network or cloud.
https://nixos.org/nixops
GNU Lesser General Public License v3.0

Always provide our known_hosts in addition to user known_hosts #1464

Closed roberth closed 3 years ago

roberth commented 3 years ago

Solves one of the problems from https://github.com/NixOS/nixops/pull/1264#issuecomment-889884626

It also solves a problem where multiple deployments to distinct private networks fight over the key for the same ip that occurs in both.

nixops import --include-keys-like functionality doesn't seem to be included.

Previously, you'd

  1. create a deployment
  2. upload the state
  3. download the deployment state on a fresh machine (eg colleague)
  4. nixops ssh doesn't know the keys
  5. non-interactive deployments fail

With this PR, we don't have to rely on user configuration to include known_hosts entries for the deployments.

It makes nixops import --include-keys unnecessary, unless you use those entries outside of nixops.

Since recently we can get our deployment state from remote storage backends, but we didn't have a way to configure the known_hosts yet. This is now largely unnecessary.

This functionality requires some cooperation from the plugins. For instance, here's what ec2 needs to do: (pun intended)

+    def get_ssh_host_keys(self):
+        return self.private_ipv4 + " " + self.public_host_key + "\n" + self.public_ipv4 + " " + self.public_host_key + "\n"
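Review bot: the return expression concatenates `self.private_ipv4`, `self.public_ipv4` and `self.public_host_key` unconditionally, so if any of them is unset (not yet a string, for example before the instance has been assigned an address or reported its host key) the `+` raises TypeError instead of yielding a partial or empty known_hosts fragment. Suggest collecting only the addresses that are present and returning `""` when no host key is known, so callers can safely concatenate the output of every resource.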

(https://github.com/NixOS/nixops-aws/pull/141)
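
The mechanism described above, as an added example that is not nixops's or the nixops-aws plugin's own code: a stand-in `Machine` class whose `get_ssh_host_keys` tolerates unset addresses, a writer that assembles the per-deployment known_hosts file from all resources, and the ssh options that consult that file in addition to the user's own (so two deployments sharing a private IP no longer fight over one entry). The class, its attribute names and the key strings are assumptions.

```python
import os
from typing import List, Optional


class Machine:
    """Constructed stand-in for a deployment resource (not nixops's class)."""

    def __init__(self, name: str, private_ipv4: Optional[str],
                 public_ipv4: Optional[str], public_host_key: Optional[str]):
        self.name = name
        self.private_ipv4 = private_ipv4
        self.public_ipv4 = public_ipv4
        self.public_host_key = public_host_key

    def get_ssh_host_keys(self) -> str:
        """known_hosts lines for every address this host is reachable by.

        Unlike the two-line plugin snippet, unset addresses are skipped and a
        missing host key yields "" rather than a TypeError on None + str.
        """
        if not self.public_host_key:
            return ""
        addrs = [a for a in (self.private_ipv4, self.public_ipv4) if a]
        return "".join(f"{a} {self.public_host_key}\n" for a in addrs)


def write_deployment_known_hosts(machines: List[Machine], path: str) -> int:
    """Write one known_hosts file for this deployment; return entry count."""
    lines = "".join(m.get_ssh_host_keys() for m in machines)
    with open(path, "w") as f:
        f.write(lines)
    return lines.count("\n")


def ssh_known_hosts_args(deployment_file: str) -> List[str]:
    """ssh options that consult our file in addition to the user's own.

    UserKnownHostsFile accepts several files separated by whitespace; ssh
    checks all of them, so the user's entries keep working and each
    deployment's keys live in its own file instead of ~/.ssh/known_hosts.
    Strict checking is our choice here, so a mismatch fails non-interactively
    instead of prompting; it is not necessarily what nixops passes.
    """
    user_file = os.path.expanduser("~/.ssh/known_hosts")
    return ["-o", f"UserKnownHostsFile={deployment_file} {user_file}",
            "-o", "StrictHostKeyChecking=yes"]
```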

roberth commented 3 years ago

Thanks @Mic92 that was very helpful!