lets test it, remote-builders
@@ -1,5 +1,3 @@
{}
/** /
{ config, lib, ... }:
# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
@@ -10,16 +8,17 @@ let
inherit (builtins) map fromTOML readFile elem attrNames;
inherit (lib) mkIf;
hosts' = fromTOML (readFile ../../hosts/known-hosts.toml); # eww
hosts' = fromTOML (readFile ../hosts/known-hosts.toml); # TODO: eww
hosts = lib.pipe hosts' [
(lib.filterAttrs (name: host: name != "default"))
(lib.filterAttrs (name: host: name != "__default__"))
(lib.mapAttrs (name: host:
lib.recursiveUpdate (hosts'."default" or {}) host
lib.recursiveUpdate (hosts'."__default__" or {}) host
))
];
hostNames = attrNames hosts;
thisHost = hosts.${config.networking.fqdn};
thisHostIsBuilder = thisHost.maxJobs > 0;
thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.forEach hosts (host: host.ssh.proxyJump or null));
mkRemoteConfig = fqdn: let
host = hosts.${fqdn};
@@ -29,37 +28,42 @@ let
sshUser = host.ssh.listenUser;
};
isBuilder = host.maxJobs > 0;
isConsumer = host.ssh ? publicKeyUser && thisHostIsBuilder;
isConsumer = host.ssh ? userPublicKey && thisHostIsBuilder;
isThis = fqdn == config.networking.fqdn;
in mkIf (!isThis) {
in mkIf (!isThis) ( lib.mkMerge [
# out
nix.buildMachines = mkIf isBuilder [ buildMachine ];
programs.ssh.knownHosts.${fqdn}.publicKey = mkIf isBuilder host.ssh.listenPublicKey;
(lib.mkIf isBuilder {
# timeout is great when remote is unresponsive. nix doesn't care
programs.ssh.extraConfig = ''
Host ${fqdn}
ConnectTimeout 3
Port ${builtins.toString (host.ssh.listenPort or 22)}
${lib.optionalString (host.ssh ? proxyJump) ''
ProxyJump ${host.ssh.proxyJump}
''}
'';
nix.buildMachines = [ buildMachine ];
})
# out or jump
(lib.mkIf (host.ssh ? listenPublicKey) {
programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
# timeouts are great when remote is unresponsive. nix doesn't care
programs.ssh.extraConfig = ''
Host ${fqdn}
ConnectTimeout 3
Port ${builtins.toString host.ssh.listenPort}
${lib.optionalString (host.ssh ? proxyJump) ''
ProxyJump ${host.ssh.proxyJump}
''}
'';
})
# in
users = mkIf isConsumer {
users.${thisHost.ssh.listenUser} = {
(mkIf (isConsumer && (thisHostIsBuilder || thisHostIsHopHost) ) {
nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
users.users.${thisHost.ssh.listenUser} = {
isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
openssh.authorizedKeys.keys = [
host.ssh.userPublicKey
];
group = lib.mkDefault "nogroup";
openssh.authorizedKeys.keys = [ host.ssh.userPublicKey ];
group = lib.mkOptionDefault "nogroup";
};
};
nix.settings.allowed-users = mkIf isConsumer [ thisHost.ssh.listenUser ];
nix.settings.trusted-users = mkIf isConsumer [ thisHost.ssh.listenUser ];
};
})
]);
in {
@@ -74,4 +78,3 @@ in {
imports = lib.forEach hostNames mkRemoteConfig;
}
/**/
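Review bot: `thisHostIsHopHost` in the second hunk applies `lib.forEach` to `hosts`, but the `lib.pipe` just above builds `hosts` as an attribute set through `filterAttrs`/`mapAttrs`, and `lib.forEach` is `map` with flipped arguments, so this binding raises an evaluation error the moment it is forced. It appears to be masked today because `(isConsumer && (thisHostIsBuilder || thisHostIsHopHost))` in the third hunk only reaches the `||` branch when `isConsumer` is true and `thisHostIsBuilder` is false, which `isConsumer = host.ssh ? userPublicKey && thisHostIsBuilder;` rules out — the whole condition collapses to `isConsumer`, and hop-only hosts never receive the account. If hop hosts were meant to be included, the expression should read `thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.mapAttrsToList (_: host: host.ssh.proxyJump or null) hosts);` and `isConsumer` should drop its `&& thisHostIsBuilder` clause; the `lib.forEach` call is worth fixing either way so a later refactor does not trip it. Note that the same block also adds the account to `nix.settings.trusted-users`, which the Nix manual describes as effectively root on the daemon, so a host that only relays SSH should probably get the authorized key but not the `trusted-users` entry. The `let` that holds these bindings begins between the first and second hunks and closes at the `in {` inside the third.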