NixBuilder : Use restricted user.
This commit is contained in:
parent
ad712f79e8
commit
8281c629a8
|
@ -15,8 +15,8 @@
|
|||
nix.distributedBuilds = true;
|
||||
nix.extraOptions = ''
|
||||
builders-use-substitutes = true
|
||||
extra-substituters = ssh-ng://home
|
||||
extra-trusted-substituters = ssh-ng://home
|
||||
extra-trusted-public-keys = home-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
|
||||
extra-substituters = ssh-ng://nixbuilder
|
||||
extra-trusted-substituters = ssh-ng://nixbuilder
|
||||
extra-trusted-public-keys = nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
|
||||
'';
|
||||
}
|
||||
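Review bot: The `extra-trusted-public-keys = nixbuilder-1:…` line carries exactly the same base64 value as the `home-1:` key it replaces, while the builder-side hunks below (`keyPath = "/root/.nixbuilder"` and the `-8,12 +8,25` hunk) move the key directory and generate a fresh `nixbuilder-1` pair only when no private key exists at the new path. Unless the old key files were copied to `/root/.nixbuilder` by hand, the builder will sign with a key that does not match this line and paths from `ssh-ng://nixbuilder` would be rejected as unsigned — a safe failure, but a silent one that falls back to local builds. Either copy the existing pair to the new path or paste the freshly generated `/root/.nixbuilder/public-key` here, and record the coupling with a comment such as `# must match /root/.nixbuilder/public-key on the builder`. This applies to the two builder hunks as well, so I have not repeated it there.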
|
|
|
@ -1,5 +1,5 @@
|
|||
{ pkgs, ... }: let
|
||||
keyPath = "/root/.nixcache";
|
||||
{ pkgs, secret, lib, ... }: let
|
||||
keyPath = "/root/.nixbuilder";
|
||||
in {
|
||||
systemd.services.generate-nix-cache-key = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -8,12 +8,25 @@ in {
|
|||
script = ''
|
||||
[[ -f "${keyPath}/private-key" ]] && exit
|
||||
mkdir ${keyPath} || true
|
||||
nix-store --generate-binary-cache-key "$HOSTNAME-1" "${keyPath}/private-key" "${keyPath}/public-key"
|
||||
nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
|
||||
nix store sign --all -k "${keyPath}/private-key"
|
||||
'';
|
||||
};
|
||||
|
||||
users.groups.nixbuilder = {};
|
||||
users.users.nixbuilder = {
|
||||
openssh.authorizedKeys.keys = secret.ssh.builderKeys;
|
||||
description = "Nix Remote Builder";
|
||||
isNormalUser = true;
|
||||
createHome = lib.mkForce false;
|
||||
uid = 1234;
|
||||
home = "/";
|
||||
group = "nixbuilder";
|
||||
};
|
||||
|
||||
# To apply: nix store sign --all -k /path/to/secret-key-file
|
||||
nix.extraOptions = ''
|
||||
trusted-users = nixbuilder
|
||||
secret-key-files = ${keyPath}/private-key
|
||||
'';
|
||||
}
|
||||
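Review bot: `trusted-users = nixbuilder` gives the new account far more than the commit title suggests: the Nix manual describes trusted users as able to override daemon settings such as substituters, sandbox paths and signature checks, which is effectively root-equivalent, so every key in `secret.ssh.builderKeys` inherits that. It is usually needed only so clients can push unsigned build inputs; if clients instead sign what they push with a key the builder trusts, the line can go. At minimum document the trade-off above it: `# trusted-users: needed to accept unsigned inputs from clients; grants nixbuilder daemon-level (root-equivalent) control`. Separately, `mkdir ${keyPath} || true` creates the directory that holds the private key with the default umask; `mkdir -p -m 700 "${keyPath}"` closes that and makes the `|| true` unnecessary.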
|
|
|
@ -11,7 +11,7 @@
|
|||
}
|
||||
];
|
||||
settings = {
|
||||
AllowUsers = [ "root" ];
|
||||
AllowUsers = [ "root" "nixbuilder" ];
|
||||
LoginGraceTime = "1m";
|
||||
# MaxAuthTries = 1;
|
||||
MaxSessions = 10;
|
||||
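Review bot: Adding `"nixbuilder"` to `AllowUsers` widens sshd access without narrowing what that account may do once connected, and a remote builder only needs the Nix protocol on the session channel. A `Match User nixbuilder` block in the sshd `extraConfig` with `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no`, `PermitTTY no` and `PasswordAuthentication no` keeps the account to exactly that, which is what the commit title promises. A one-line comment next to the AllowUsers entry, `# nixbuilder: remote-build account, restricted by the Match block below`, would tie the two together.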
|
|
|
@ -195,9 +195,9 @@
|
|||
open "''${url}"
|
||||
}
|
||||
|
||||
# Resign the old commits. 0 to resign from root.
|
||||
# Usage: git_resign [COMMIT_COUNT]
|
||||
function git_resign() {
|
||||
# Sign the old commits. 0 to resign from root.
|
||||
# Usage: git_sign [COMMIT_COUNT]
|
||||
function git_sign() {
|
||||
local base="''${1}"
|
||||
|
||||
# Resign last commit by default.
|
||||
|
|
|
@ -25,6 +25,12 @@
|
|||
User root
|
||||
Port 22143
|
||||
|
||||
Host nixbuilder
|
||||
HostName 192.168.1.2
|
||||
User nixbuilder
|
||||
StrictHostKeyChecking=accept-new
|
||||
Port 22143
|
||||
|
||||
Host laptop
|
||||
Hostname 192.168.1.9
|
||||
User root
|
||||
|
|
|
@ -1,14 +1,20 @@
|
|||
{ ... }: {
|
||||
ssh.trustedKeys = [
|
||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
|
||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
|
||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
|
||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
|
||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDBL5NAm8S97EtfB/7DPf5Xl3Cqi3PlSO1V0m7fknNzz root@laptop"
|
||||
ssh = {
|
||||
trustedKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIL2LI1iFDZC223aWqBVz9yusfB/XrRwsBKiL5warIF/ nix-on-droid@phone"
|
||||
(builtins.readFile ./secret/public/Ssh.key)
|
||||
];
|
||||
|
||||
builderKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA+KKCkFOshUznJlXW/LDie0vZLd4b+KWodSm8N8vM+ root@laptop"
|
||||
(builtins.readFile ./secret/public/Ssh.key)
|
||||
];
|
||||
};
|
||||
|
||||
crypto = {
|
||||
sign = {
|
||||
format = "ssh";
|
||||
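Review bot: `builderKeys` is now the login list for the `nixbuilder` account, which the builder hunk also makes a trusted Nix user, yet nothing here says what adding a key to it grants; a comment above the list such as `# keys allowed to log in as the nixbuilder remote-build account (a trusted-user on the builder)` would make the scope clear before the next key is appended. The laptop key in the new list differs from the commented-out `root@laptop` key it replaces; if that is a rotation, confirm the old key is not still accepted anywhere else, and if it is a different device, name it in the key comment.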
|
|