refactor remote builders
This commit is contained in:
@@ -8,63 +8,67 @@ let
|
||||
inherit (builtins) map fromTOML readFile elem attrNames attrValues;
|
||||
inherit (lib) mkIf;
|
||||
|
||||
hosts' = fromTOML (readFile ../hosts/known-hosts.toml); # TODO: eww
|
||||
hosts = lib.pipe hosts' [
|
||||
known-hosts' = fromTOML (readFile ../hosts/known-hosts.toml); # TODO: eww
|
||||
known-hosts = lib.pipe known-hosts' [
|
||||
(lib.filterAttrs (name: host: name != "__default__"))
|
||||
(lib.mapAttrs (name: host:
|
||||
lib.recursiveUpdate (hosts'."__default__" or {}) host
|
||||
lib.recursiveUpdate (known-hosts'."__default__" or {}) host
|
||||
))
|
||||
];
|
||||
hostNames = attrNames hosts;
|
||||
thisHost = hosts.${config.networking.fqdn};
|
||||
hostNames = attrNames known-hosts;
|
||||
thisHost = known-hosts.${config.networking.fqdn};
|
||||
thisHostIsBuilder = thisHost.maxJobs > 0;
|
||||
thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.forEach (attrValues hosts) (host: host.ssh.proxyJump or null));
|
||||
thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.forEach (attrValues known-hosts) (host: host.ssh.proxyJump or null));
|
||||
thisHostIsConsumer = thisHost.ssh ? userPublicKey;
|
||||
|
||||
mkRemoteConfig = fqdn: let
|
||||
host = hosts.${fqdn};
|
||||
jump = hosts.${host.ssh.proxyJump};
|
||||
buildMachine = (lib.filterAttrs (key: _: !elem key ["ssh"]) host) // {
|
||||
thatHost = known-hosts.${fqdn};
|
||||
thatJump = known-hosts.${thatHost.ssh.proxyJump};
|
||||
buildMachine = thatHost.buildMachine // {
|
||||
hostName = fqdn;
|
||||
sshUser = host.ssh.listenUser;
|
||||
sshUser = thatHost.ssh.listenUser;
|
||||
};
|
||||
isBuilder = host.maxJobs > 0;
|
||||
isConsumer = host.ssh ? userPublicKey && thisHostIsBuilder;
|
||||
isThis = fqdn == config.networking.fqdn;
|
||||
in mkIf (!isThis) ( lib.mkMerge [
|
||||
thatHostIsBuilder = thatHost.buildMachine.maxJobs > 0;
|
||||
thatHostIsConsumer = thatHost.ssh ? userPublicKey && thisHostIsBuilder;
|
||||
thatHostIsThis = fqdn == config.networking.fqdn;
|
||||
in mkIf (!thatHostIsThis) ( lib.mkMerge [
|
||||
# out
|
||||
(lib.mkIf (thisHostIsConsumer && isBuilder) {
|
||||
(lib.mkIf (thisHostIsConsumer && thatHostIsBuilder) {
|
||||
|
||||
nix.buildMachines = [ buildMachine ];
|
||||
|
||||
})
|
||||
# out or jump
|
||||
(lib.mkIf (thisHostIsConsumer && host.ssh ? listenPublicKey) {
|
||||
programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
|
||||
(lib.mkIf (thisHostIsConsumer && thatHost.ssh ? listenPublicKey) {
|
||||
programs.ssh.knownHosts.${fqdn}.publicKey = thatHost.ssh.listenPublicKey;
|
||||
# TODO: use nix.buildMachines.*.publicHostKey ?
|
||||
|
||||
# timeouts are great when remote is unresponsive. nix doesn't care, lix is way and tests each remote only once
|
||||
programs.ssh.extraConfig = ''
|
||||
Host ${fqdn}
|
||||
ConnectTimeout 3
|
||||
Port ${builtins.toString host.ssh.listenPort}
|
||||
${lib.optionalString (host.ssh ? proxyJump) ''
|
||||
ProxyJump ${jump.ssh.listenUser}@${host.ssh.proxyJump}:${builtins.toString jump.ssh.listenPort}
|
||||
Port ${builtins.toString thatHost.ssh.listenPort}
|
||||
${lib.optionalString (thatHost.ssh ? proxyJump) ''
|
||||
ProxyJump ${thatJump.ssh.listenUser}@${thatHost.ssh.proxyJump}:${builtins.toString thatJump.ssh.listenPort}
|
||||
''}
|
||||
${lib.optionalString (host.ssh ? userPrivateKey) ''
|
||||
IdentityFile ${host.ssh.userPrivateKey}
|
||||
${lib.optionalString (thatHost.ssh ? userPrivateKey) ''
|
||||
IdentityFile ${thatHost.ssh.userPrivateKey}
|
||||
''}
|
||||
'';
|
||||
|
||||
sops.secrets = lib.mkIf (lib.hasPrefix "/run/secrets/" (thatHost.ssh.userPrivateKey or "")) {
|
||||
"${lib.removePrefix "/run/secrets/" thatHost.ssh.userPrivateKey}" = {};
|
||||
};
|
||||
})
|
||||
# in
|
||||
(mkIf ((thisHostIsBuilder || thisHostIsHopHost) && isConsumer) {
|
||||
(mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsConsumer) {
|
||||
users.users.${thisHost.ssh.listenUser} = {
|
||||
isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
|
||||
openssh.authorizedKeys.keys = [ host.ssh.userPublicKey ];
|
||||
openssh.authorizedKeys.keys = [ thatHost.ssh.userPublicKey ];
|
||||
group = lib.mkOptionDefault "nogroup";
|
||||
};
|
||||
})
|
||||
(mkIf (thisHostIsBuilder && isConsumer) {
|
||||
(mkIf (thisHostIsBuilder && thatHostIsConsumer) {
|
||||
nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
|
||||
nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
|
||||
})
|
||||
@@ -82,7 +86,4 @@ in {
|
||||
|
||||
imports = lib.forEach hostNames mkRemoteConfig;
|
||||
|
||||
# TODO: derive this one from known-hosts.toml
|
||||
sops.secrets.nix-community-builders-ssh-key = {};
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user