Builder : Specify builder ssh key instead of trustin all.

This commit is contained in:
Dmitry Voronin 2024-09-17 23:15:26 +03:00
parent 3d8ef1bf18
commit 62023791fd
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
2 changed files with 48 additions and 43 deletions


@ -1,27 +1,26 @@
# SSH client configuration. # SSH client configuration.
{ util, ... }: let { util, ... }: let
mkHost = name: address: port: user: extra: '' mkHost = name: address: port: user: extra: util.trimTabs (''
Host ${name} Host ${name}
HostName ${address} HostName ${address}
User ${user} User ${user}
Port ${toString port} Port ${toString port}
'' + extra; '') + extra;
in { in {
text = util.trimTabs ('' text = util.trimTabs (''
Host * Host *
ControlMaster auto ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p.socket ControlPath ~/.ssh/%r@%h:%p.socket
ControlPersist yes ControlPersist yes
'' '')
+ mkHost "dasha" "10.0.0.7" 22143 "root" "" + mkHost "dasha" "10.0.0.7" 22143 "root" ""
+ mkHost "desktop" "10.0.0.3" 22143 "root" "" + mkHost "desktop" "10.0.0.3" 22143 "root" ""
+ mkHost "fmpmaven" "10.30.22.10" 22 "root" "" + mkHost "fmpmaven" "10.30.22.10" 22 "root" ""
+ mkHost "home" "10.0.0.1" 22143 "root" "" + mkHost "home" "10.0.0.1" 22143 "root" ""
+ mkHost "laptop" "192.168.1.9" 22143 "root" "" + mkHost "laptop" "192.168.1.9" 22143 "root" ""
+ mkHost "pi" "192.168.1.6" 22143 "root" "" + mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" ""
+ mkHost "vpn" "194.113.233.38" 22143 "root" "" + mkHost "pi" "192.168.1.6" 22143 "root" ""
+ mkHost "work" "192.168.1.5" 22143 "root" "" + mkHost "vpn" "194.113.233.38" 22143 "root" ""
+ mkHost "work" "192.168.1.5" 22143 "root" ""
+ mkHost "nixbuilder" "10.0.0.1" 22143 "nixbuilder" " StrictHostKeyChecking=accept-new" ;
);
} }
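Review bot: The `nixbuilder` entry no longer carries a per-host `StrictHostKeyChecking` override, so its connections now verify against whatever known_hosts entry the system provides, but nothing in this file says where that pin comes from, which invites someone to re-add `accept-new` the first time a key mismatch shows up; a one-line comment on the `mkHost "nixbuilder"` line would anchor it: `# Host key is pinned system-wide via services.openssh.knownHosts.nixbuilder in the builder module; do not relax StrictHostKeyChecking here.` Note that `home` and `nixbuilder` both resolve to 10.0.0.1:22143 and differ only in user, so the same pinned key covers both, and because `ControlPath` includes `%r` the root and nixbuilder sessions never share a control socket. If the address or port of `nixbuilder` is ever changed here, the `[10.0.0.1]:22143` alias in the builder module's known-hosts entry has to move with it, so a cross-reference in that comment is worth the extra words.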


@ -1,7 +1,7 @@
{ pkgs, lib, config, secret, ... }: with lib; let { pkgs, lib, config, secret, ... }: with lib; let
cfg = config.module.builder; cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder";
serverKeyPath = "/root/.nixbuilder"; serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
in { in {
options = { options = {
module.builder = { module.builder = {
@ -48,30 +48,36 @@ in {
(mkIf cfg.client.enable { (mkIf cfg.client.enable {
# NOTE: Requires host public key to be present in secret.ssh.builderKeys. # NOTE: Requires host public key to be present in secret.ssh.builderKeys.
nix.buildMachines = [{ nix = {
hostName = "nixbuilder"; distributedBuilds = true;
protocol = "ssh-ng"; buildMachines = [{
systems = [ hostName = "nixbuilder";
"x86_64-linux" protocol = "ssh-ng";
"i686-linux" systems = [
"aarch64-linux" "x86_64-linux"
]; "i686-linux"
maxJobs = 16; "aarch64-linux"
speedFactor = 2; ];
mandatoryFeatures = [ ]; maxJobs = 16;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; speedFactor = 2;
}]; mandatoryFeatures = [ ];
nix.distributedBuilds = true; supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
nix.settings = let }];
substituters = [ "ssh-ng://nixbuilder" ]; settings = let
in { substituters = [ "ssh-ng://nixbuilder" ];
substituters = mkForce substituters; in {
trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ]; substituters = mkForce substituters;
builders-use-substitutes = true; trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
max-jobs = 0; builders-use-substitutes = true;
trusted-public-keys = [ secret.ssh.builderKey ]; max-jobs = 0;
# require-sigs = false; trusted-public-keys = [ secret.ssh.builderKey ];
# substitute = false; # require-sigs = false;
# substitute = false;
};
};
services.openssh.knownHosts.nixbuilder = {
publicKey = serverSshPublicKey;
extraHostNames = [ "[10.0.0.1]:22143" ];
}; };
}) })
]; ];
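Review bot: `serverSshPublicKey` is a hard-coded trust anchor and the only provenance guidance is `# Use ssh-keyscan.`, which fetches the key over the network and so only moves trust-on-first-use to whoever ran the scan; the comment should instead say the value is taken from the builder's own `/etc/ssh/ssh_host_ed25519_key.pub` (or its fingerprint confirmed out of band) and that rotating the builder's host key means updating this on every client, e.g. `# Builder host key; copy from /etc/ssh/ssh_host_ed25519_key.pub on the builder or verify the fingerprint out of band, not from an unverified ssh-keyscan. Rotating the builder key requires updating this value.` The `extraHostNames = [ "[10.0.0.1]:22143" ]` entry repeats the address and port that the ssh client config in the other file of this commit assigns to `nixbuilder`; if either is changed alone the pinned key would silently stop matching and builds would fail at host verification, so defining the address and port once and referencing them from both places, or at least cross-referencing them in a comment, would make the pin robust. Which user the nix daemon connects as is not visible in this hunk, but the entry written by `services.openssh.knownHosts` is system-wide, so the pin applies to that connection as well provided the `nixbuilder` alias resolves to 10.0.0.1:22143 for it.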