fix nixbld-remote
This commit is contained in:
parent
11ae1097de
commit
6e6df72eb2
@ -191,6 +191,8 @@ ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
|
||||
# ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
|
||||
# ssh.userPrivateKey = "/run/secrets/nixbuild-dot-net-ssh-key"
|
||||
|
||||
# TODO: https://exozy.me/about
|
||||
|
||||
|
||||
["clab01.idi.ntnu.no"] # gtx 4090
|
||||
# buildMachine.maxJobs = 1 # 24 threads 64GB
|
||||
|
@ -1,7 +1,4 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
|
||||
# TODO: https://exozy.me/about
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (builtins)
|
||||
@ -14,6 +11,22 @@ let
|
||||
attrValues
|
||||
;
|
||||
|
||||
# TODO: test ssh-ng
|
||||
# https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
|
||||
nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
|
||||
case $SSH_ORIGINAL_COMMAND in
|
||||
"nix-daemon --stdio")
|
||||
exec ${config.nix.package}/bin/nix-daemon --stdio
|
||||
;;
|
||||
"nix-store --serve --write")
|
||||
exec ${config.nix.package}/bin/nix-store --serve --write
|
||||
;;
|
||||
*)
|
||||
echo "Access only allowed for using the nix remote builder" 1>&2
|
||||
exit
|
||||
esac
|
||||
'';
|
||||
|
||||
known-hosts = let
|
||||
known-hosts' = lib.importTOML ../hosts/known-hosts.toml; # TODO: eww
|
||||
in
|
||||
@ -91,14 +104,21 @@ let
|
||||
|
||||
})
|
||||
# in
|
||||
(lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee) {
|
||||
(lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee && !thatHost.isAlias) {
|
||||
# TODO: ensure the user is "nixbld-remote"?
|
||||
users.groups.${thisHost.ssh.listenUser} = { };
|
||||
users.users.${thisHost.ssh.listenUser} = {
|
||||
isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
|
||||
openssh.authorizedKeys.keys = [ thatHost.ssh.userPublicKey ];
|
||||
group = lib.mkOptionDefault "nogroup";
|
||||
useDefaultShell = lib.mkDefault true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
# https://man.archlinux.org/man/core/openssh/sshd.8.en#AUTHORIZED_KEYS_FILE_FORMAT
|
||||
# TODO: lib.getExe
|
||||
''restrict,pty,command="${nix-ssh-wrapper}" ${thatHost.ssh.userPublicKey}''
|
||||
];
|
||||
group = lib.mkOverride 1499 "${thisHost.ssh.listenUser}"; # mkOptionDefault - 1,
|
||||
};
|
||||
})
|
||||
(lib.mkIf (thisHostIsBuilder && thatHostIsBuildee) {
|
||||
(lib.mkIf (thisHostIsBuilder && thatHostIsBuildee && !thatHost.isAlias) {
|
||||
nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
|
||||
nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
|
||||
})
|
||||
|
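Review bot: The fallback branch of `nix-ssh-wrapper` (the `*)` case in the `-14,6 +11,22` hunk) ends with a bare `exit`, which returns the status of the preceding `echo`, so a rejected `SSH_ORIGINAL_COMMAND` exits 0 and the caller cannot tell the restriction fired; change it to `exit 1`. The `pty` flag in the new `restrict,pty,command="…"` authorized_keys entry appears unnecessary for a forced `nix-daemon --stdio` / `nix-store --serve --write` command, which speaks a binary protocol over stdio — as far as I can tell Nix never requests a PTY, so `restrict,command="…"` alone would be tighter; confirm against the linked discourse thread before dropping it. Separately, `nix.settings.trusted-users = [ thisHost.ssh.listenUser ]` in the last hunk makes the builder user root-equivalent on this host (a trusted user can override sandbox and substituter settings through the daemon protocol), and the forced command does not mitigate that; it is presumably needed so `--serve --write` accepts unsigned paths from the buildee, so a comment recording the trade-off would help: `# trusted-users is effectively root; needed so --serve --write accepts unsigned paths from the buildee`. The surrounding list of `lib.mkIf` entries begins outside the hunk.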