sercanto/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

modules/shared/remote-builder: add option to use different keys for the builders

Browse source
This commit is contained in:
zowoq 2024-03-09 09:58:34 +10:00
parent a49acde26b
commit 9fe39f8ba2
3 changed files with 15 additions and 7 deletions

2
hosts/build04/configuration.nix
View file

@ -9,6 +9,8 @@
inputs.self.nixosModules.remote-builder inputs.self.nixosModules.remote-builder
]; ];
nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
nixCommunity.disko.raidLevel = 0; # more disk space, we don't have much state to restore anyway nixCommunity.disko.raidLevel = 0; # more disk space, we don't have much state to restore anyway
networking.hostName = "build04"; networking.hostName = "build04";

3
hosts/darwin02/configuration.nix
View file

@ -8,6 +8,9 @@
inputs.self.darwinModules.remote-builder inputs.self.darwinModules.remote-builder
]; ];
# on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
nixCommunity.remote-builder.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
nix.settings.sandbox = "relaxed"; nix.settings.sandbox = "relaxed";
nix.settings.extra-platforms = [ "x86_64-darwin" ]; nix.settings.extra-platforms = [ "x86_64-darwin" ];

17
modules/shared/remote-builder.nix
View file

@ -1,8 +1,5 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
let let
# on nix-darwin if user is removed the keys need to be removed manually from /etc/ssh/authorized_keys.d
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEmdo1x1QkRepZf7nSe+OdEWX+wOjkBLF70vX9F+xf68 builder";
# https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834 # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" '' nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
case $SSH_ORIGINAL_COMMAND in case $SSH_ORIGINAL_COMMAND in
@ -19,10 +16,16 @@ let
''; '';
in in
{ {
users.users.nix.openssh.authorizedKeys.keys = [ options.nixCommunity.remote-builder.key = lib.mkOption {
type = lib.types.singleLineStr;
default = null;
description = "ssh public key for the remote build user";
};
config.users.users.nix.openssh.authorizedKeys.keys = [
# use nix-store for hydra which doesn't support ssh-ng # use nix-store for hydra which doesn't support ssh-ng
''restrict,command="${nix-ssh-wrapper}" ${key}'' ''restrict,command="${nix-ssh-wrapper}" ${config.nixCommunity.remote-builder.key}''
]; ];
nix.settings.trusted-users = [ "nix" ]; config.nix.settings.trusted-users = [ "nix" ];
} }