NixBuilder : Use restricted user.
This commit is contained in:
parent
ad712f79e8
commit
8281c629a8
@ -15,8 +15,8 @@
nix.distributedBuilds = true;
nix.distributedBuilds = true;
nix.extraOptions = ''
nix.extraOptions = ''
builders-use-substitutes = true
builders-use-substitutes = true
extra-substituters = ssh-ng://home
extra-substituters = ssh-ng://nixbuilder
extra-trusted-substituters = ssh-ng://home
extra-trusted-substituters = ssh-ng://nixbuilder
extra-trusted-public-keys = home-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
extra-trusted-public-keys = nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
'';
'';
}
}
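Review bot: `extra-trusted-public-keys = nixbuilder-1:Skghj…` renames the key but keeps the exact key material that was published as `home-1`, while the builder module in this same commit changes `keyPath` to `/root/.nixbuilder` and its service generates a fresh `nixbuilder-1` pair whenever no private key exists at that path. Unless the old key files were moved to the new path by hand, the builder will sign with a key this client does not trust and substitution from `ssh-ng://nixbuilder` will be rejected as unsigned. Confirm the key was copied rather than regenerated, or replace this value with the current contents of the builder's `public-key` file, and add a comment such as `# Must match ${keyPath}/public-key on the builder.` so the coupling is visible.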
|
||||||
|
|
|
@ -1,5 +1,5 @@
{ pkgs, ... }: let
{ pkgs, secret, lib, ... }: let
keyPath = "/root/.nixcache";
keyPath = "/root/.nixbuilder";
in {
in {
systemd.services.generate-nix-cache-key = {
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
wantedBy = [ "multi-user.target" ];
@ -8,12 +8,25 @@ in {
script = ''
script = ''
[[ -f "${keyPath}/private-key" ]] && exit
[[ -f "${keyPath}/private-key" ]] && exit
mkdir ${keyPath} || true
mkdir ${keyPath} || true
nix-store --generate-binary-cache-key "$HOSTNAME-1" "${keyPath}/private-key" "${keyPath}/public-key"
nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
nix store sign --all -k "${keyPath}/private-key"
nix store sign --all -k "${keyPath}/private-key"
'';
'';
};
};
users.groups.nixbuilder = {};
users.users.nixbuilder = {
openssh.authorizedKeys.keys = secret.ssh.builderKeys;
description = "Nix Remote Builder";
isNormalUser = true;
createHome = lib.mkForce false;
uid = 1234;
home = "/";
group = "nixbuilder";
};
# To apply: nix store sign --all -k /path/to/secret-key-file
# To apply: nix store sign --all -k /path/to/secret-key-file
nix.extraOptions = ''
nix.extraOptions = ''
trusted-users = nixbuilder
secret-key-files = ${keyPath}/private-key
secret-key-files = ${keyPath}/private-key
'';
'';
}
}
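Review bot: `trusted-users = nixbuilder` in the new `nix.extraOptions` block largely cancels the restriction the user definition above is meant to provide: a Nix trusted user may override daemon settings for its own operations (sandboxing, substituters, and the like), and the Nix manual describes trusted-user membership as essentially equivalent to root on that host. Remote builders over `ssh://`/`ssh-ng://` do commonly need the remote user trusted so unsigned paths can be pushed, so if this is the reason, say so in a comment next to the line (for example `# Required for remote builds to import unsigned paths; note this is root-equivalent on this host.`) and treat every key in `secret.ssh.builderKeys` as a root-equivalent credential for this machine. The `home = "/"` together with `createHome = lib.mkForce false` gives the account a home directory it cannot write; Nix's per-user cache and state directories live under `$HOME`, so this may produce warnings or failures depending on which operations the client drives — confirm a build and a substitution both succeed, or point `home` at a directory that is either writable or explicitly meant to be empty.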
@ -11,7 +11,7 @@
}
}
];
];
settings = {
settings = {
AllowUsers = [ "root" ];
AllowUsers = [ "root" "nixbuilder" ];
LoginGraceTime = "1m";
LoginGraceTime = "1m";
# MaxAuthTries = 1;
# MaxAuthTries = 1;
MaxSessions = 10;
MaxSessions = 10;
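Review bot: `AllowUsers = [ "root" "nixbuilder" ];` admits the new account with the same session capabilities as any interactive user, although a remote builder only needs to exec `nix-daemon --stdio` / `nix-store --serve` over the connection. Since the builder module makes this user a Nix trusted user, the SSH entry point is the effective security boundary, so it is worth narrowing it with a `Match User nixbuilder` block that disables the forwarding features the build protocol does not use. This block presumably belongs in `extraConfig` of the same `services.openssh` attribute set that holds `settings` (the enclosing set starts outside the hunk); `Match` must come after the global directives, which is where NixOS renders `extraConfig` as far as I recall — confirm against the generated `sshd_config`.
```nix
# … unchanged: settings = { AllowUsers, LoginGraceTime, MaxSessions, … } …
extraConfig = ''
  # Remote builds only need a command channel; no forwarding of any kind.
  Match User nixbuilder
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
'';
```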
@ -195,9 +195,9 @@
open "''${url}"
open "''${url}"
}
}
# Resign the old commits. 0 to resign from root.
# Sign the old commits. 0 to resign from root.
# Usage: git_resign [COMMIT_COUNT]
# Usage: git_sign [COMMIT_COUNT]
function git_resign() {
function git_sign() {
local base="''${1}"
local base="''${1}"
# Resign last commit by default.
# Resign last commit by default.
@ -25,6 +25,12 @@
User root
User root
Port 22143
Port 22143
Host nixbuilder
HostName 192.168.1.2
User nixbuilder
StrictHostKeyChecking=accept-new
Port 22143
Host laptop
Host laptop
Hostname 192.168.1.9
Hostname 192.168.1.9
User root
User root
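Review bot: `StrictHostKeyChecking=accept-new` on the new `Host nixbuilder` entry is trust-on-first-use, which is a weak fit for a host whose Nix signing key the client also trusts as a substituter: whoever answers at `192.168.1.2:22143` on the first connection is pinned, and a later key mismatch only fails the connection. Since the host key is known in advance, pin it explicitly instead (for example through NixOS `programs.ssh.knownHosts`, since the rest of this config is generated from Nix) and drop the `accept-new` line, or at least add a comment stating that the pinning relies on the first contact being clean. The preceding `Host` block, which starts outside the hunk, already uses `Port 22143` with `User root`; if it targets the same address, a short comment noting that the two entries are the same machine with different users would help readers.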
@ -1,13 +1,19 @@
{ ... }: {
{ ... }: {
ssh.trustedKeys = [
ssh = {
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
trustedKeys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIL2LI1iFDZC223aWqBVz9yusfB/XrRwsBKiL5warIF/ nix-on-droid@phone"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
(builtins.readFile ./secret/public/Ssh.key)
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
];
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBL5NAm8S97EtfB/7DPf5Xl3Cqi3PlSO1V0m7fknNzz root@laptop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIL2LI1iFDZC223aWqBVz9yusfB/XrRwsBKiL5warIF/ nix-on-droid@phone"
builderKeys = [
(builtins.readFile ./secret/public/Ssh.key)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
];
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA+KKCkFOshUznJlXW/LDie0vZLd4b+KWodSm8N8vM+ root@laptop"
(builtins.readFile ./secret/public/Ssh.key)
];
};
crypto = {
crypto = {
sign = {
sign = {
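Review bot: The `root@laptop` key added to `builderKeys` (`…AAAAIBA+KKCkFOsh…`) is not the same key as the previously commented-out `root@laptop` entry that this hunk deletes (`…AAAAIDBL5NAm8S97…`); presumably the laptop's key was rotated, but confirm that the new value is the current one and not a stale or mistyped key, since a wrong key here silently locks that machine out of the builder. Every key in this list now logs in as the builder's `nixbuilder` account, which the builder module also adds to Nix `trusted-users`, so the list is effectively a set of root-equivalent credentials for that host; a one-line comment above `builderKeys = [` stating that (for example `# Grants access to the nixbuilder account, which is a Nix trusted user on the builder.`) would keep future additions deliberate. The comment-only stale keys under `trustedKeys` are dropped rather than re-enabled, which is the right call.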