!PSmBFWNKoXmlQBzUQf:helsinki-systems.de

Stage 1 systemd

systemd in NixOS's stage 1, replacing the current bash tooling https://github.com/NixOS/nixpkgs/projects/5123



11 Jun 2023
06:39:20 ElvishJerricco (@elvishjerricco:matrix.org): in fact the non-sane thing we did before was the implementation of flushBeforeStage2 = true, because systemd-networkd expects you to want to carry network configs over between stages and just does that by default
06:40:30 ElvishJerricco (@elvishjerricco:matrix.org): now the real question is... do I upstream my tailscaled in initrd implementation...
06:41:24 K900 (@k900:0upti.me): Does it need special setup?
06:41:30 ElvishJerricco (@elvishjerricco:matrix.org): yea
06:41:37 ElvishJerricco (@elvishjerricco:matrix.org): where is the tailscale state dir?
06:41:47 ElvishJerricco (@elvishjerricco:matrix.org): because if it isn't something persistent then it's useless
06:41:54 K900 (@k900:0upti.me): Oh yeah makes sense
06:42:19 ElvishJerricco (@elvishjerricco:matrix.org): my system does it by having the tailscale state dir shared between stages and stored on a disk that's TPM2 encrypted, and unlocked in initrd without user input
06:42:43 ElvishJerricco (@elvishjerricco:matrix.org): letting me log in so I can enter the key for the root fs and get the system booted
06:43:15 K900 (@k900:0upti.me): I have a horrible idea now
06:43:23 ElvishJerricco (@elvishjerricco:matrix.org): do tell
06:44:20 K900 (@k900:0upti.me): You could, in theory, do OIDC with a key stored on the TPM
06:44:38 ElvishJerricco (@elvishjerricco:matrix.org): what's OIDC?
06:44:49 K900 (@k900:0upti.me): OpenID Connect, which is the thing Tailscale uses for auth
06:46:02 ElvishJerricco (@elvishjerricco:matrix.org): so what does it mean to store a key for it on the TPM?
06:46:10 K900 (@k900:0upti.me): It's just auth
06:46:16 K900 (@k900:0upti.me): You sign a token with your private key
06:46:23 K900 (@k900:0upti.me): And send it to the server that knows your public key
06:46:43 K900 (@k900:0upti.me): So you can log in to Tailscale without any secrets ever being persisted outside the TPM
06:47:01 ElvishJerricco (@elvishjerricco:matrix.org): oh that's a really cool idea actually
06:47:08 ElvishJerricco (@elvishjerricco:matrix.org): though usually people don't actually store shit in the tpm
06:47:12 ElvishJerricco (@elvishjerricco:matrix.org): since space there is very limited
06:47:30 ElvishJerricco (@elvishjerricco:matrix.org): and I think it can only store tpm key hierarchy things?
06:48:01 ElvishJerricco (@elvishjerricco:matrix.org): but sealing a key is just as good
06:48:17 ElvishJerricco (@elvishjerricco:matrix.org): or, no, you want to do the actual auth crypto on the tpm and never on the host
06:48:23 ElvishJerricco (@elvishjerricco:matrix.org): hm
06:48:26 K900 (@k900:0upti.me): Yep
06:48:32 K900 (@k900:0upti.me): You should be able to
06:48:41 ElvishJerricco (@elvishjerricco:matrix.org): yea I dunno the details well enough to be sure
06:48:48 ElvishJerricco (@elvishjerricco:matrix.org): but it sounds possible


