Builder : Specify builder ssh key instead of trusting all.

This commit is contained in:
Dmitry Voronin 2024-09-17 23:15:26 +03:00
parent 3d8ef1bf18
commit 62023791fd
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
2 changed files with 48 additions and 43 deletions


@ -1,27 +1,26 @@
# SSH client configuration. # SSH client configuration.
{ util, ... }: let { util, ... }: let
mkHost = name: address: port: user: extra: '' mkHost = name: address: port: user: extra: util.trimTabs (''
Host ${name} Host ${name}
HostName ${address} HostName ${address}
User ${user} User ${user}
Port ${toString port} Port ${toString port}
'' + extra; '') + extra;
in { in {
text = util.trimTabs ('' text = util.trimTabs (''
Host * Host *
ControlMaster auto ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p.socket ControlPath ~/.ssh/%r@%h:%p.socket
ControlPersist yes ControlPersist yes
'' '')
+ mkHost "dasha" "10.0.0.7" 22143 "root" "" + mkHost "dasha" "10.0.0.7" 22143 "root" ""
+ mkHost "desktop" "10.0.0.3" 22143 "root" "" + mkHost "desktop" "10.0.0.3" 22143 "root" ""
+ mkHost "fmpmaven" "10.30.22.10" 22 "root" "" + mkHost "fmpmaven" "10.30.22.10" 22 "root" ""
+ mkHost "home" "10.0.0.1" 22143 "root" "" + mkHost "home" "10.0.0.1" 22143 "root" ""
+ mkHost "laptop" "192.168.1.9" 22143 "root" "" + mkHost "laptop" "192.168.1.9" 22143 "root" ""
+ mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" ""
+ mkHost "pi" "192.168.1.6" 22143 "root" "" + mkHost "pi" "192.168.1.6" 22143 "root" ""
+ mkHost "vpn" "194.113.233.38" 22143 "root" "" + mkHost "vpn" "194.113.233.38" 22143 "root" ""
+ mkHost "work" "192.168.1.5" 22143 "root" "" + mkHost "work" "192.168.1.5" 22143 "root" ""
;
+ mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" " StrictHostKeyChecking=accept-new"
);
} }
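Review bot: The `StrictHostKeyChecking=accept-new` added to the nixbuilder entry still lets the first connection accept whatever key 10.0.0.1:22143 presents if the declaratively pinned entry is absent or does not match, which is the trust-on-first-use the commit title says it is moving away from. Since the builder's key is now pinned through knownHosts in the builder module, `StrictHostKeyChecking yes` is the stricter setting for this one host and makes a missing or mismatched pin fail loudly instead of being learned silently: `+ mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" " StrictHostKeyChecking yes"`. Whether the leading space in the extra string lines up under the other options after the rewritten mkHost applies util.trimTabs only to the first part depends on that helper, which is not visible here, so the emitted config is worth a quick look. A short comment such as `# Host key is pinned declaratively; refuse anything else.` would record why this host is configured differently from the rest.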


@ -1,7 +1,7 @@
{ pkgs, lib, config, secret, ... }: with lib; let { pkgs, lib, config, secret, ... }: with lib; let
cfg = config.module.builder; cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder"; serverKeyPath = "/root/.nixbuilder";
serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
in { in {
options = { options = {
module.builder = { module.builder = {
@ -48,7 +48,9 @@ in {
(mkIf cfg.client.enable { (mkIf cfg.client.enable {
# NOTE: Requires host public key to be present in secret.ssh.builderKeys. # NOTE: Requires host public key to be present in secret.ssh.builderKeys.
nix.buildMachines = [{ nix = {
distributedBuilds = true;
buildMachines = [{
hostName = "nixbuilder"; hostName = "nixbuilder";
protocol = "ssh-ng"; protocol = "ssh-ng";
systems = [ systems = [
@ -61,8 +63,7 @@ in {
mandatoryFeatures = [ ]; mandatoryFeatures = [ ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}]; }];
nix.distributedBuilds = true; settings = let
nix.settings = let
substituters = [ "ssh-ng://nixbuilder" ]; substituters = [ "ssh-ng://nixbuilder" ];
in { in {
substituters = mkForce substituters; substituters = mkForce substituters;
@ -73,6 +74,11 @@ in {
# require-sigs = false; # require-sigs = false;
# substitute = false; # substitute = false;
}; };
};
services.openssh.knownHosts.nixbuilder = {
publicKey = serverSshPublicKey;
extraHostNames = [ "[10.0.0.1]:22143" ];
};
}) })
]; ];
} }
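Review bot: The `# Use ssh-keyscan.` comment next to serverSshPublicKey recommends obtaining the pinned key with ssh-keyscan, but ssh-keyscan fetches the key over the same unauthenticated channel the pin is meant to protect, so a key captured that way is only as trustworthy as a first-connect accept. The key should be copied from the builder's own `/etc/ssh/ssh_host_ed25519_key.pub` over an already-trusted path (console or an existing verified session) and the comment changed to say so, e.g. `# Copy from /etc/ssh/ssh_host_ed25519_key.pub on the builder over a trusted channel; do not take it from ssh-keyscan.` The knownHosts entry is registered under the attribute name plus `[10.0.0.1]:22143`; because the client config maps nixbuilder to that address and port, the bracketed form is presumably the one ssh looks up, so a comment noting that extraHostNames must track the address and port in the ssh client config would help the next maintainer. The knownHosts block sits inside the `cfg.client.enable` branch, whose start is outside this hunk.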