NixBuilder : Use restricted user.

This commit is contained in:
Dmitry Voronin 2024-04-14 06:44:00 +03:00 committed by Dmitry Voronin
parent ad712f79e8
commit 8281c629a8
Signed by: voronind
SSH key fingerprint: SHA256:3kBb4iV2ahufEBNq+vFbUe4QYfHt98DHQjN7QaptY9k
6 changed files with 44 additions and 19 deletions


@ -15,8 +15,8 @@
nix.distributedBuilds = true;
nix.extraOptions = ''
builders-use-substitutes = true
extra-substituters = ssh-ng://home
extra-trusted-substituters = ssh-ng://home
extra-trusted-public-keys = home-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
extra-substituters = ssh-ng://nixbuilder
extra-trusted-substituters = ssh-ng://nixbuilder
extra-trusted-public-keys = nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
'';
}
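Review bot: The new `extra-trusted-public-keys` line renames the key to `nixbuilder-1` but keeps exactly the key material of the `home-1` entry it replaces, while the builder side of this same commit changes both the key path and the generated key name, so a freshly generated key on the builder will not match this value, and a key file copied over from the old path would presumably still sign as `home-1`; either way signatures may be rejected against this entry. The value here should be taken from the builder's `public-key` file once the generator service has run under the new configuration, and a comment such as `# Copy from the builder's public-key file after generate-nix-cache-key has run.` would make that dependency explicit. The enclosing attribute set starts outside the hunk.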


@ -1,5 +1,5 @@
{ pkgs, ... }: let
keyPath = "/root/.nixcache";
{ pkgs, secret, lib, ... }: let
keyPath = "/root/.nixbuilder";
in {
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
@ -8,12 +8,25 @@ in {
script = ''
[[ -f "${keyPath}/private-key" ]] && exit
mkdir ${keyPath} || true
nix-store --generate-binary-cache-key "$HOSTNAME-1" "${keyPath}/private-key" "${keyPath}/public-key"
nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
nix store sign --all -k "${keyPath}/private-key"
'';
};
users.groups.nixbuilder = {};
users.users.nixbuilder = {
openssh.authorizedKeys.keys = secret.ssh.builderKeys;
description = "Nix Remote Builder";
isNormalUser = true;
createHome = lib.mkForce false;
uid = 1234;
home = "/";
group = "nixbuilder";
};
# To apply: nix store sign --all -k /path/to/secret-key-file
nix.extraOptions = ''
trusted-users = nixbuilder
secret-key-files = ${keyPath}/private-key
'';
}
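Review bot: `trusted-users = nixbuilder` on the new `nix.extraOptions` line grants the account the Nix daemon's trusted rights, which the Nix manual describes as effectively equivalent to root access, so the user is restricted only at the SSH and shell layer, not at the daemon. That is what a remote builder needs, but it should be recorded next to the option, and it means the keys in `secret.ssh.builderKeys` define the real trust boundary: every host whose root key is listed can reach root-equivalent control of this machine. A comment such as `# Needed for remote builds; trusted-users is root-equivalent at the daemon, so builderKeys are root-level credentials here.` captures the trade-off. `home = "/"` with `createHome = lib.mkForce false` also means SSH sessions for this user land in the filesystem root; a dedicated directory may be preferable, though nothing visible here depends on it.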


@ -11,7 +11,7 @@
}
];
settings = {
AllowUsers = [ "root" ];
AllowUsers = [ "root" "nixbuilder" ];
LoginGraceTime = "1m";
# MaxAuthTries = 1;
MaxSessions = 10;
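Review bot: The new `AllowUsers` line admits `nixbuilder` under the same sshd settings as `root`, although the account only needs to run the Nix daemon over the SSH channel for remote builds. A `Match User nixbuilder` block that disables TCP, agent and X11 forwarding (and a TTY, if nobody logs in interactively as that user) limits what a leaked builder key can do beyond builds. This would go in `extraConfig` as a sibling of `settings` (presumably `services.openssh`), which starts outside the hunk.
```nix
# … unchanged: settings = { AllowUsers = [ "root" "nixbuilder" ]; … } …
extraConfig = ''
  Match User nixbuilder
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
'';
```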


@ -195,9 +195,9 @@
open "''${url}"
}
# Resign the old commits. 0 to resign from root.
# Usage: git_resign [COMMIT_COUNT]
function git_resign() {
# Sign the old commits. 0 to resign from root.
# Usage: git_sign [COMMIT_COUNT]
function git_sign() {
local base="''${1}"
# Resign last commit by default.


@ -25,6 +25,12 @@
User root
Port 22143
Host nixbuilder
HostName 192.168.1.2
User nixbuilder
StrictHostKeyChecking=accept-new
Port 22143
Host laptop
Hostname 192.168.1.9
User root
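Review bot: `StrictHostKeyChecking=accept-new` on the new `Host nixbuilder` entry pins whatever host key is presented on the first connection, and this alias appears to be the one root's Nix daemon resolves for the `ssh-ng://nixbuilder` builder and trusted substituter, so an attacker on the LAN at first contact would be trusted for signed store paths and builds thereafter. Since the builder's host key is already known, pinning it explicitly (a known_hosts entry, or `programs.ssh.knownHosts` on NixOS) closes that window, after which the `StrictHostKeyChecking` line can go. As a style point, this entry uses `HostName` while the neighbouring `laptop` entry uses `Hostname`; both are accepted, but one spelling throughout reads better.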


@ -1,14 +1,20 @@
{ ... }: {
ssh.trustedKeys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBL5NAm8S97EtfB/7DPf5Xl3Cqi3PlSO1V0m7fknNzz root@laptop"
ssh = {
trustedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIL2LI1iFDZC223aWqBVz9yusfB/XrRwsBKiL5warIF/ nix-on-droid@phone"
(builtins.readFile ./secret/public/Ssh.key)
];
builderKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA+KKCkFOshUznJlXW/LDie0vZLd4b+KWodSm8N8vM+ root@laptop"
(builtins.readFile ./secret/public/Ssh.key)
];
};
crypto = {
sign = {
format = "ssh";