Builder: Specify builder ssh key instead of trusting all.

Dmitry Voronin 2024-09-17 23:15:26 +03:00
parent 3d8ef1bf18
commit 62023791fd
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
2 changed files with 48 additions and 43 deletions


@ -1,27 +1,26 @@
# SSH client configuration.
{ util, ... }: let
mkHost = name: address: port: user: extra: ''
mkHost = name: address: port: user: extra: util.trimTabs (''
Host ${name}
HostName ${address}
User ${user}
Port ${toString port}
'' + extra;
'') + extra;
in {
text = util.trimTabs (''
Host *
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p.socket
ControlPersist yes
''
+ mkHost "dasha" "10.0.0.7" 22143 "root" ""
+ mkHost "desktop" "10.0.0.3" 22143 "root" ""
+ mkHost "fmpmaven" "10.30.22.10" 22 "root" ""
+ mkHost "home" "10.0.0.1" 22143 "root" ""
+ mkHost "laptop" "192.168.1.9" 22143 "root" ""
+ mkHost "pi" "192.168.1.6" 22143 "root" ""
+ mkHost "vpn" "194.113.233.38" 22143 "root" ""
+ mkHost "work" "192.168.1.5" 22143 "root" ""
+ mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" " StrictHostKeyChecking=accept-new"
);
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p.socket
ControlPersist yes
'')
+ mkHost "dasha" "10.0.0.7" 22143 "root" ""
+ mkHost "desktop" "10.0.0.3" 22143 "root" ""
+ mkHost "fmpmaven" "10.30.22.10" 22 "root" ""
+ mkHost "home" "10.0.0.1" 22143 "root" ""
+ mkHost "laptop" "192.168.1.9" 22143 "root" ""
+ mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" ""
+ mkHost "pi" "192.168.1.6" 22143 "root" ""
+ mkHost "vpn" "194.113.233.38" 22143 "root" ""
+ mkHost "work" "192.168.1.5" 22143 "root" ""
;
}
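Review bot: `ControlPersist yes` under `Host *` (re-emitted on the new side) keeps every authenticated master connection — `root@` on all hosts here except nixbuilder — open indefinitely, and any process running as the same user can reuse it through the socket in `~/.ssh` without re-authenticating; a bounded idle timeout such as `ControlPersist 10m` limits that window. The `nixbuilder` entry now inherits the default `StrictHostKeyChecking ask`, which is the right failure mode for a non-interactive nix-daemon client, but a line inside the string such as `# Host key is pinned in services.openssh.knownHosts; do not re-add StrictHostKeyChecking=accept-new here.` would stop someone restoring the old override. Also, `extra` is still concatenated with no separator after `util.trimTabs (...)`; if trimTabs drops the trailing newline, a non-empty `extra` would be glued onto the `Port` line, so either confirm it keeps the newline or append `"\n" + extra`.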


@ -1,7 +1,7 @@
{ pkgs, lib, config, secret, ... }: with lib; let
cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder";
serverKeyPath = "/root/.nixbuilder";
serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
in {
options = {
module.builder = {
@ -48,30 +48,36 @@ in {
(mkIf cfg.client.enable {
# NOTE: Requires host public key to be present in secret.ssh.builderKeys.
nix.buildMachines = [{
hostName = "nixbuilder";
protocol = "ssh-ng";
systems = [
"x86_64-linux"
"i686-linux"
"aarch64-linux"
];
maxJobs = 16;
speedFactor = 2;
mandatoryFeatures = [ ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}];
nix.distributedBuilds = true;
nix.settings = let
substituters = [ "ssh-ng://nixbuilder" ];
in {
substituters = mkForce substituters;
trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
builders-use-substitutes = true;
max-jobs = 0;
trusted-public-keys = [ secret.ssh.builderKey ];
# require-sigs = false;
# substitute = false;
nix = {
distributedBuilds = true;
buildMachines = [{
hostName = "nixbuilder";
protocol = "ssh-ng";
systems = [
"x86_64-linux"
"i686-linux"
"aarch64-linux"
];
maxJobs = 16;
speedFactor = 2;
mandatoryFeatures = [ ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}];
settings = let
substituters = [ "ssh-ng://nixbuilder" ];
in {
substituters = mkForce substituters;
trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
builders-use-substitutes = true;
max-jobs = 0;
trusted-public-keys = [ secret.ssh.builderKey ];
# require-sigs = false;
# substitute = false;
};
};
services.openssh.knownHosts.nixbuilder = {
publicKey = serverSshPublicKey;
extraHostNames = [ "[10.0.0.1]:22143" ];
};
})
];
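Review bot: The pinned `serverSshPublicKey` is annotated `# Use ssh-keyscan.`, but ssh-keyscan records whatever key the network presents, so a pin obtained that way is only as trustworthy as that first connection; the comment should send the maintainer to an out-of-band check, e.g. `# Builder host key. Verify against /etc/ssh/ssh_host_ed25519_key.pub read on the builder itself (or its fingerprint over a trusted channel), not only an ssh-keyscan over the network.` The `knownHosts.nixbuilder` entry is matched through `extraHostNames = [ "[10.0.0.1]:22143" ]`, i.e. the address and port the ssh config resolves `nixbuilder` to, so changing either in the ssh config silently stops the pin from applying and the client drops back to the default StrictHostKeyChecking behaviour (a prompt, or a hard failure for the non-interactive daemon); adding `HostKeyAlias nixbuilder` to the `Host nixbuilder` block should make the lookup use the entry's own name instead, assuming the NixOS option includes the attribute name in its default hostNames, and a comment here tying the two files together would help either way. The `config` list this hunk sits in, and the module's closing brace, lie outside the hunk.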