From 62023791fd0d8c5c4d14048b278f908d26b251b8 Mon Sep 17 00:00:00 2001 From: Dmitry Voronin Date: Tue, 17 Sep 2024 23:15:26 +0300 Subject: [PATCH] Builder : Specify builder ssh key instead of trustin all. --- home/config/ssh/default.nix | 33 ++++++++++----------- module/RemoteBuild.nix | 58 ++++++++++++++++++++----------------- 2 files changed, 48 insertions(+), 43 deletions(-) diff --git a/home/config/ssh/default.nix b/home/config/ssh/default.nix index 082616c..4b163c8 100644 --- a/home/config/ssh/default.nix +++ b/home/config/ssh/default.nix @@ -1,27 +1,26 @@ # SSH client configuration. { util, ... }: let - mkHost = name: address: port: user: extra: '' + mkHost = name: address: port: user: extra: util.trimTabs ('' Host ${name} HostName ${address} User ${user} Port ${toString port} - '' + extra; + '') + extra; in { text = util.trimTabs ('' Host * - ControlMaster auto - ControlPath ~/.ssh/%r@%h:%p.socket - ControlPersist yes - '' - + mkHost "dasha" "10.0.0.7" 22143 "root" "" - + mkHost "desktop" "10.0.0.3" 22143 "root" "" - + mkHost "fmpmaven" "10.30.22.10" 22 "root" "" - + mkHost "home" "10.0.0.1" 22143 "root" "" - + mkHost "laptop" "192.168.1.9" 22143 "root" "" - + mkHost "pi" "192.168.1.6" 22143 "root" "" - + mkHost "vpn" "194.113.233.38" 22143 "root" "" - + mkHost "work" "192.168.1.5" 22143 "root" "" - - + mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" " StrictHostKeyChecking=accept-new" - ); + ControlMaster auto + ControlPath ~/.ssh/%r@%h:%p.socket + ControlPersist yes + '') + + mkHost "dasha" "10.0.0.7" 22143 "root" "" + + mkHost "desktop" "10.0.0.3" 22143 "root" "" + + mkHost "fmpmaven" "10.30.22.10" 22 "root" "" + + mkHost "home" "10.0.0.1" 22143 "root" "" + + mkHost "laptop" "192.168.1.9" 22143 "root" "" + + mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" "" + + mkHost "pi" "192.168.1.6" 22143 "root" "" + + mkHost "vpn" "194.113.233.38" 22143 "root" "" + + mkHost "work" "192.168.1.5" 22143 "root" "" + ; } 
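Review bot: The re-added `Host *` block keeps `ControlPersist yes`, which leaves the multiplexed master connection open indefinitely after the last session closes; since every alias here logs in as root, the `~/.ssh/%r@%h:%p.socket` control sockets are long-lived reusable root sessions for anyone who can reach that directory. A bounded value such as `ControlPersist 10m` limits that window without losing the multiplexing benefit. Separately, `mkHost` now wraps only its own template in `util.trimTabs` and appends `extra` outside it, so any future non-empty `extra` (as the old nixbuilder entry had) will not be trimmed like the rest; with every caller now passing `""`, a short comment on `mkHost` such as `# extra is appended verbatim, after trimming; indent it to match the Host block` would make that explicit.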
diff --git a/module/RemoteBuild.nix b/module/RemoteBuild.nix
index 40f9211..60eeccd 100644
--- a/module/RemoteBuild.nix
+++ b/module/RemoteBuild.nix
@@ -1,7 +1,7 @@
 { pkgs, lib, config, secret, ... }: with lib; let
 cfg = config.module.builder;
-
- serverKeyPath = "/root/.nixbuilder";
+ serverKeyPath = "/root/.nixbuilder";
+ serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
 in {
 options = {
 module.builder = {
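Review bot: The `# Use ssh-keyscan.` comment on `serverSshPublicKey` documents an unauthenticated way to obtain the value being pinned: ssh-keyscan fetches whatever key the network presents at that moment, so it only adds trust if the result is compared out of band, otherwise the pin just freezes a possible man-in-the-middle key. Replace the comment with something like `# Builder host key; copy from the builder's /etc/ssh/ssh_host_ed25519_key.pub (or verify an ssh-keyscan result against it) before pinning.` This is a public key, so keeping it as a plain literal rather than in `secret` is fine.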
@@ -48,30 +48,36 @@ in { (mkIf cfg.client.enable { # NOTE: Requires host public key to be present in secret.ssh.builderKeys. - nix.buildMachines = [{ - hostName = "nixbuilder"; - protocol = "ssh-ng"; - systems = [ - "x86_64-linux" - "i686-linux" - "aarch64-linux" - ]; - maxJobs = 16; - speedFactor = 2; - mandatoryFeatures = [ ]; - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - }]; - nix.distributedBuilds = true; - nix.settings = let - substituters = [ "ssh-ng://nixbuilder" ]; - in { - substituters = mkForce substituters; - trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ]; - builders-use-substitutes = true; - max-jobs = 0; - trusted-public-keys = [ secret.ssh.builderKey ]; - # require-sigs = false; - # substitute = false; + nix = { + distributedBuilds = true; + buildMachines = [{ + hostName = "nixbuilder"; + protocol = "ssh-ng"; + systems = [ + "x86_64-linux" + "i686-linux" + "aarch64-linux" + ]; + maxJobs = 16; + speedFactor = 2; + mandatoryFeatures = [ ]; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + }]; + settings = let + substituters = [ "ssh-ng://nixbuilder" ]; + in { + substituters = mkForce substituters; + trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ]; + builders-use-substitutes = true; + max-jobs = 0; + trusted-public-keys = [ secret.ssh.builderKey ]; + # require-sigs = false; + # substitute = false; + }; + }; + services.openssh.knownHosts.nixbuilder = { + publicKey = serverSshPublicKey; + extraHostNames = [ "[10.0.0.1]:22143" ]; }; }) ];
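Review bot: The `services.openssh.knownHosts.nixbuilder` entry is keyed by the ssh alias, but OpenSSH matches known_hosts against the hostname and port it actually connects to, so which of the two names applies depends on how the daemon's ssh resolves `nixbuilder`: the `[10.0.0.1]:22143` form in `extraHostNames` matches only when root's ssh config maps the alias to that HostName/Port (the user-level home/config/ssh does, but the nix daemon runs ssh as root, which I cannot confirm from this hunk), while the bare `nixbuilder` name matches only if it resolves via DNS on port 22. A comment on the entry would save the next reader that analysis, e.g. `# ssh looks this up by the resolved HostName:Port, hence the [10.0.0.1]:22143 form; the bare name only applies if "nixbuilder" resolves via DNS.` Alternatively, adding `HostKeyAlias nixbuilder` to the client's ssh config makes the lookup independent of the address. The enclosing `config = mkMerge [ ... ]` list and module body start and end outside this hunk.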