diff --git a/hosts/known-hosts.toml b/hosts/known-hosts.toml
index 8c454b2..ff04125 100644
--- a/hosts/known-hosts.toml
+++ b/hosts/known-hosts.toml
@@ -191,6 +191,8 @@ ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
 
 # ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
 # ssh.userPrivateKey = "/run/secrets/nixbuild-dot-net-ssh-key"
+# TODO: https://exozy.me/about
+
 
 ["clab01.idi.ntnu.no"] # gtx 4090
 # buildMachine.maxJobs = 1 # 24 threads 64GB
diff --git a/profiles/known-hosts.nix b/profiles/known-hosts.nix
index db65661..a0a7cf9 100644
--- a/profiles/known-hosts.nix
+++ b/profiles/known-hosts.nix
@@ -1,7 +1,4 @@
-{ config, lib, ... }:
-
-# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
-# TODO: https://exozy.me/about
+{ config, lib, pkgs, ... }:
 
 let
   inherit (builtins)
@@ -14,6 +11,22 @@ let
     attrValues
     ;
 
+  # TODO: test ssh-ng
+  # https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
+  nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
+    case $SSH_ORIGINAL_COMMAND in
+      "nix-daemon --stdio")
+        exec ${config.nix.package}/bin/nix-daemon --stdio
+        ;;
+      "nix-store --serve --write")
+        exec ${config.nix.package}/bin/nix-store --serve --write
+        ;;
+      *)
+        echo "Access only allowed for using the nix remote builder" 1>&2
+        exit
+    esac
+  '';
+
   known-hosts = let
     known-hosts' = lib.importTOML ../hosts/known-hosts.toml; # TODO: eww in
@@ -91,14 +104,21 @@ let
       })
 
       # in
-      (lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee) {
+      (lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee && !thatHost.isAlias) {
+        # TODO: ensure the user is "nixbld-remote"?
+        users.groups.${thisHost.ssh.listenUser} = { };
         users.users.${thisHost.ssh.listenUser} = {
           isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
-          openssh.authorizedKeys.keys = [ thatHost.ssh.userPublicKey ];
-          group = lib.mkOptionDefault "nogroup";
+          useDefaultShell = lib.mkDefault true;
+          openssh.authorizedKeys.keys = [
+            # https://man.archlinux.org/man/core/openssh/sshd.8.en#AUTHORIZED_KEYS_FILE_FORMAT
+            # TODO: lib.getExe
+            ''restrict,pty,command="${nix-ssh-wrapper}" ${thatHost.ssh.userPublicKey}''
+          ];
+          group = lib.mkOverride 1499 "${thisHost.ssh.listenUser}"; # mkOptionDefault - 1,
         };
       })
-      (lib.mkIf (thisHostIsBuilder && thatHostIsBuildee) {
+      (lib.mkIf (thisHostIsBuilder && thatHostIsBuildee && !thatHost.isAlias) {
         nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
         nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
       })
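Review bot: The `pty` option on the new authorized_keys entry re-enables TTY allocation that `restrict` had just turned off, and neither `nix-daemon --stdio` nor `nix-store --serve --write` (the only two commands the wrapper from the earlier hunk executes) needs a terminal, so the key line should be `''restrict,command="${nix-ssh-wrapper}" ${thatHost.ssh.userPublicKey}''`. In that wrapper the catch-all branch ends with a bare `exit` after a successful `echo`, so a refused `SSH_ORIGINAL_COMMAND` appears to return status 0 to the remote side; `exit 1` would make the refusal visible to the client and to anyone monitoring failed builder logins. A one-line comment on the keys attribute, such as `# forced command: this key can only reach the two nix entry points in nix-ssh-wrapper`, would record why the plain `thatHost.ssh.userPublicKey` form was replaced. The `let`/list scope these mkIf entries live in starts before this hunk.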