fix nixbld-remote

Peder Bergebakken Sundt 2024-10-12 16:07:20 +02:00
parent 11ae1097de
commit 6e6df72eb2
2 changed files with 30 additions and 8 deletions


@ -191,6 +191,8 @@ ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
# ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM"; # ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
# ssh.userPrivateKey = "/run/secrets/nixbuild-dot-net-ssh-key" # ssh.userPrivateKey = "/run/secrets/nixbuild-dot-net-ssh-key"
# TODO: https://exozy.me/about
["clab01.idi.ntnu.no"] # gtx 4090 ["clab01.idi.ntnu.no"] # gtx 4090
# buildMachine.maxJobs = 1 # 24 threads 64GB # buildMachine.maxJobs = 1 # 24 threads 64GB


@ -1,7 +1,4 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
# TODO: https://exozy.me/about
let let
inherit (builtins) inherit (builtins)
@ -14,6 +11,22 @@ let
attrValues attrValues
; ;
# TODO: test ssh-ng
# https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
nix-ssh-wrapper = pkgs.writeShellScript "nix-ssh-wrapper" ''
case $SSH_ORIGINAL_COMMAND in
"nix-daemon --stdio")
exec ${config.nix.package}/bin/nix-daemon --stdio
;;
"nix-store --serve --write")
exec ${config.nix.package}/bin/nix-store --serve --write
;;
*)
echo "Access only allowed for using the nix remote builder" 1>&2
exit
esac
'';
known-hosts = let known-hosts = let
known-hosts' = lib.importTOML ../hosts/known-hosts.toml; # TODO: eww known-hosts' = lib.importTOML ../hosts/known-hosts.toml; # TODO: eww
in in
@ -91,14 +104,21 @@ let
}) })
# in # in
(lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee) { (lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee && !thatHost.isAlias) {
# TODO: ensure the user is "nixbld-remote"?
users.groups.${thisHost.ssh.listenUser} = { };
users.users.${thisHost.ssh.listenUser} = { users.users.${thisHost.ssh.listenUser} = {
isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser); isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
openssh.authorizedKeys.keys = [ thatHost.ssh.userPublicKey ]; useDefaultShell = lib.mkDefault true;
group = lib.mkOptionDefault "nogroup"; openssh.authorizedKeys.keys = [
# https://man.archlinux.org/man/core/openssh/sshd.8.en#AUTHORIZED_KEYS_FILE_FORMAT
# TODO: lib.getExe
''restrict,pty,command="${nix-ssh-wrapper}" ${thatHost.ssh.userPublicKey}''
];
group = lib.mkOverride 1499 "${thisHost.ssh.listenUser}"; # mkOptionDefault - 1,
}; };
}) })
(lib.mkIf (thisHostIsBuilder && thatHostIsBuildee) { (lib.mkIf (thisHostIsBuilder && thatHostIsBuildee && !thatHost.isAlias) {
nix.settings.allowed-users = [ thisHost.ssh.listenUser ]; nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
nix.settings.trusted-users = [ thisHost.ssh.listenUser ]; nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
}) })
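Review bot: The fallback branch of nix-ssh-wrapper (the `*)` arm in the hunk at `@ -14,6 +11,22 @@`) ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a rejected `SSH_ORIGINAL_COMMAND` is reported to sshd and to the remote nix client as success; it should be `exit 1`. The `restrict,pty,command=` options on the authorized key in the last hunk re-enable the pty allocation that `restrict` turned off, and neither `nix-daemon --stdio` nor `nix-store --serve --write` appears to need a pty, so `pty` can presumably be dropped — confirm with a test build first. Since the same user is also listed in `nix.settings.trusted-users` in that hunk, the forced command only limits which entry points the peer may start, not what it can do through them; that is worth a comment next to the wrapper, e.g. `# The wrapper restricts which commands the peer may start; via those the peer still has trusted-user access to the daemon.`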