diff --git a/hosts/build04/configuration.nix b/hosts/build04/configuration.nix
index 2a4a563..9e0254a 100644
--- a/hosts/build04/configuration.nix
+++ b/hosts/build04/configuration.nix
@@ -9,6 +9,8 @@
 inputs.self.nixosModules.remote-builder
 ];
+ nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
+ nixCommunity.disko.raidLevel = 0; # more disk space, we don't have much state to restore anyway
 networking.hostName = "build04";
diff --git a/hosts/darwin02/configuration.nix b/hosts/darwin02/configuration.nix
index 447dda0..84f1d93 100644
--- a/hosts/darwin02/configuration.nix
+++ b/hosts/darwin02/configuration.nix
@@ -8,6 +8,9 @@
 inputs.self.darwinModules.remote-builder
 ];
+ # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
+ nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
+ nix.settings.sandbox = "relaxed";
 nix.settings.extra-platforms = [ "x86_64-darwin" ];
diff --git a/modules/shared/remote-builder.nix b/modules/shared/remote-builder.nix
index 9a7ce27..d253e66 100644
--- a/modules/shared/remote-builder.nix
+++ b/modules/shared/remote-builder.nix
@@ -1,8 +1,5 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
- # on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
-
 # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
 nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
 case $SSH_ORIGINAL_COMMAND in
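Review bot: The same public key literal is now pasted verbatim into two host configurations (this hunk and the darwin02 hunk below), so a future rotation has to be applied in both places and a missed one leaves one builder still accepting the old key. Since the key identifies a single client, consider binding it once in a shared place (a common `let` value or a small module imported by both hosts) and referencing it from each host, or at least naming the holder of the private key in a comment rather than relying on the `builder` tag inside the key string. The `nixCommunity.disko.raidLevel = 0;` line is unrelated to the key move and would be easier to bisect as its own commit. The enclosing attribute set continues outside the hunk.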
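Review bot: The comment about stale entries in /etc/ssh/authorized_keys.d now lives in the darwin02 host file, but it describes a property of the module that manages the `nix` user's keys, so anyone rotating the key through `nixCommunity.remote-builder.key` on another host will not see it. I would keep a one-line pointer here and put the substance into the option's description in modules/shared/remote-builder.nix, e.g. `description = "ssh public key for the remote build user; on nix-darwin, removing the user does not remove its key from /etc/ssh/authorized_keys.d";`. The enclosing attribute set continues outside the hunk.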
@@ -19,10 +16,16 @@ let
 '';
 in {
- users.users.nix.openssh.authorizedKeys.keys = [
+ options.nixCommunity.remote-builder.key = lib.mkOption {
+ type = lib.types.singleLineStr;
+ default = null;
+ description = "ssh public key for the remote build user";
+ };
+
+ config.users.users.nix.openssh.authorizedKeys.keys = [
 # use nix-store for hydra which doesn't support ssh-ng
- ''restrict,command="${nix-ssh-wrapper}" ${key}''
+ ''restrict,command="${nix-ssh-wrapper}" ${config.nixCommunity.remote-builder.key}''
 ];
- nix.settings.trusted-users = [ "nix" ];
+ config.nix.settings.trusted-users = [ "nix" ];
 }
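Review bot: `default = null;` does not agree with `type = lib.types.singleLineStr;`: a host that imports this module without setting the option gets, as far as I can tell, a type-check failure on `null` instead of the clearer "option has no value defined" error, and the default can never produce a usable configuration anyway because the value is interpolated straight into the authorized_keys entry. Either drop the `default = null;` line so the module system reports the missing definition, or declare `type = lib.types.nullOr lib.types.singleLineStr;` and guard the `config.users.users.nix.openssh.authorizedKeys.keys` entry with `lib.mkIf` on a non-null key. The description should also record what the key grants, since this hunk installs it for the `nix` user, which it adds to `nix.settings.trusted-users`, behind the `restrict,command=` wrapper: `description = "ssh public key installed for the nix build user (a trusted-user), restricted to the nix-ssh-wrapper command";`.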