Still pre-alpha, but tonight I got the first complete run of a little Kubernetes controller I’ve been wanting!
Wahoo yipee etc.! Right now we have a CRD which triggers a Nix build of a given flake URL, expected to produce a Docker or OCI image — it chooses a node which can build for the target system, spawns a Job which builds the target, and then imports it into the node’s container registry. We assume that something like Spegel is running and so any node that needs the image will pick it up.
The “hard” part (other than writing directly against the k8s API for the first time) was getting the Nix stuff to work well vis-à-vis building in a container while caching everything nicely — the flakes themselves, as well as whatever ends up in the store, as much of it will be reused between versions. Thankfully all the tooling is Cool As Fuck and it was actually really easy. We create a locally-provisioned PersistentVolume per node and stuff $HOME/.cache/nix and the Nix store in there. For now we use a chroot store, but I’d like to try an overlay store in future to avoid potentially duplicating whatever comes along in the nixos/nix image. Importing into the node’s container store is as simple as mounting the host /run and locating containerd’s socket — it differs depending on your k8s distro, and I’m developing on kind while deploying to k3s.
I still have to clean it up in this state, and have plans after this to remove the CustomResourceDefinition and trigger builds automatically when needed, getting the source details from annotations on the Deployment, but I’m happy. I don’t particularly like manually executing builds, nor do I want to stand up a registry and pre-build everything. My cluster runs on two architectures, but whether any given revision of an application will actually ever run on either, both, or any(!) of those is a matter of the particular scheduling constraints for the application and the state of the cluster at any given moment. Rather than waste energy pre-building and storing, let’s build on-demand instead! 💛🤍💜🖤
Was looking through old emails for some receipts (the literal kind, not the Twitter kind), and stumbled upon this beauty of an opener:
Date: 2016-12-19.
John Goerzen’s Easily Using SSH with FIDO2/U2F Hardware Security Keys came up yesterday, and I thought it was a good time to fix my mess of private keys. I already own a YubiKey 5C Nano, which sits in my laptop at all times, as well as a 5C NFC, which I figured I could use hopefully with both my phone (NFC) and tablet (USB-C) for SSH when needed.
The ideal was to drop all non-SK keys, and use move to using agent forwarding exclusively when authenticating between hosts — rarely needed, but nice for some remote-to-remote scps or git+ssh pushes. (Agent forwarding is traditionally frowned upon, since someone who has or gains access to your VPS can use your socket to get your agent to auth things, but that issue is greatly reduced when user presence is verified on each use, viz. requiring you to touch your key.)
Turns out all was pretty much that easy! Just two minor hiccups:
-
Terminus on iOS supports FIDO2 keys, no payment required (despite what some search results say; looks like it was maybe a paid-only feature during beta but since not). Non-resident Ed25519 keys work very well over NFC on iPhone, but not over USB-C on iPad. The only reference I can find is this from their “ideas” page:
Unfortunately, iPads and iPhones with USB-C cannot be compatible with OpenSSH-generate FIDO2-based keys. Please generate new FIDO2-based keys in the Termius app. These keys are supported in OpenSSH and all Termius apps.
Upon testing, Terminus generates a non-resident ECDSA, and that works just great. So, in the end, I have three private keys: an Ed25519 for the 5C Nano, and an Ed25519 and ECDSA for the 5C NFC for use with NFC and USB-C respectively.
-
The OpenSSH bundled in macOS (at time of writing, OpenSSH_9.9p2, LibreSSL 3.3.6) doesn’t support the use of these keys. I haven’t checked whether it’s non-resident SKs specifically or what, or whether it’s the version or just a matter of what support is compiled in.
NixOS/nix-darwin 25.05 carries an OpenSSH_10.0p2, OpenSSL 3.4.1 11 Feb 2025, and it does!
Using agent forwarding without losing what’s left of one’s humanity implies getting your ssh-agent setup working nicely. How?
I looked into a few different ways, but opted for the simplest: patching OpenSSH (!?). The thought process is as follows:
/System/Library/LaunchAgents/com.openssh.ssh-agent.plist will put an SSH_AUTH_SOCKET in your environment, which launches the system-provided ssh-agent when first addressed.- This is a nice, macOS-y way to do things, but we don’t want to go down any rabbit hole that involves disabling SIP, so we can’t just swap the binary path (or binary itself) out.
- Even if we could, we still need to add launchd support to the ssh-agent in Nix. Thankfully, the needed changes are small, and easy to find; just look for
__APPLE_LAUNCHD__ in ssh-agent.c.
- In my experience, disabling the system-provided launch agent doesn’t work reliably.
We apply two patches:
- Add the
__APPLE_LAUNCHD__ bits into the Nix-provided OpenSSH.
- Change
SSH_AUTHSOCKET_ENV_NAME to "VYX_SSH_AUTH_SOCK".
Finally, we install our own launchd user agent (modelled upon the system one, but with our binary), which puts the socket in the VYX_SSH_AUTH_SOCK env var instead. This means we don’t need to worry about the system launch agent; it’ll only get triggered/used when something calls the system ssh binary.
Head teed!
Today it was finally time to write a policy file for one of my Anubis instances. I use Timoni as a fairly thin wrapper over CUE to write templates for my own k8s deployments, and I found it really shone in this particular instance. I’ll just tl;dr and show the code; here’s an excerpt from my blog engine’s bundle.cue, which is the “entrypoint” for compiling its manifests:
anubis: {
secretName: "anubis-20250816-071240"
policy: permitPaths: [{
name: "permit-atom-xml"
path_regex: "^/atom\\.xml$"
}, {
name: "permit-feed-xml"
path_regex: "^/feed\\.xml$"
}]
}
I’m aiming to expose just a minimum of configurability first. Here’s how the schema side of that is defined in config.cue:
anubis?: {
// Needs to already exist in the target namespace. Should have key
// "ED25519_PRIVATE_KEY_HEX".
secretName: string
policy?: {
permitPaths: *[] | [... close({
name: string
path_regex: string
})]
}
}
I grabbed the default root bot policy file from https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml, and converted it to CUE with cue import botPolicies.yaml. Then we put it in the templates package, add a way to inject our config, and use the config to expand upon the defaults:
package templates
#AnubisBotPolicies: {
#config: #Config
//# Anubis has the ability to let you import snippets of configuration into the main
//# configuration file. This allows you to break up your config into smaller parts
//# that get logically assembled into one big file.
// ...
}, if #config.kv.anubis.policy.permitPaths != _|_ for setting in #config.kv.anubis.policy.permitPaths {
name: setting.name
path_regex: setting.path_regex
action: "ALLOW"
}, {
// ...
Finally, the bit I really like: creating the ConfigMap (which gets mounted as a volume) with the policy YAML:
#AnubisConfigMap: timoniv1.#ImmutableConfig & {
Config=#config: #Config
#Kind: timoniv1.#ConfigMapKind
#Meta: #config.metadata
#Suffix: "-anubis-env"
#Data: {
"policy.yml": yaml.Marshal(#AnubisBotPolicies & {#config: Config})
}
}
Note the careful lack of hand-written YAML at any stage! 💛🤍💜🖤
By the wonderful Kinu; base from DeviantArt.
