#######################################
# Print an error message and abort the script.
# Arguments: $* - message text, joined with spaces
# Outputs:   "error: <message>" on stderr
# Returns:   never; exits with status 1
#######################################
die() {
  local msg="$*"
  printf 'error: %s\n' "$msg" >&2
  exit 1
}
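# Walk /etc/nix/machines (one builder per line; field 0 is the "<proto>://<user>@<host>"
# URL, field 2 the ssh key path).  For every entry whose key path lives under
# /run/builder-unlock/, generate an ed25519 key pair on this machine (via
# root@localhost) and install its public key on the builder as an authorized key
# that may only run "nix-daemon --stdio".
while read -r -a i; do
  path=${i[2]}
  # Only keys managed by this script; anything else is left untouched.
  if [[ ! $path == /run/builder-unlock/* ]]; then
    continue
  fi
  host=${i[0]#*'://'}
  user=${host%'@'*}
  host=${host#*'@'}
  # NOTE(review): if the URL carries no '@', both user and host keep the full
  # host string — confirm every entry names a user.
  dirname=$(dirname "$path")
  echo "Generating secret key for $user at $host"
  # ssh joins its arguments with spaces and the remote login shell re-parses the
  # result, so the script has to travel as ONE quoted argument (bash -c '<script>').
  # Passing "bash -c <script>" unquoted made the remote shell run only "umask" in a
  # throw-away child and execute mkdir/ssh-keygen in the login shell with the
  # default umask.  ${gen[*]@Q} re-quotes each element for the remote shell, the
  # same way the upload command below is built.
  # <<<y answers ssh-keygen's overwrite prompt, so an existing key at $path is
  # replaced on every run.
  gen=(bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <<<y &>/dev/null ;
cat ${path@Q}.pub")
  pubkey=$(ssh -n root@localhost -- "${gen[*]@Q}") \
    || die "key generation for $user at $host failed"
  # An empty result would install an authorized_keys entry with no key material.
  [[ -n $pubkey ]] || die "no public key returned for $path"
  echo "Uploading public key: $pubkey"
  # The remote file is named by the digest of the public key.
  path=$(sha256sum <(echo "$pubkey") | cut -d" " -f1)
  a=(bash -c "mkdir -p /run/builder-unlock ;
echo 'restrict,command=\"nix-daemon --stdio\" '${pubkey@Q} > /run/builder-unlock/${path@Q} ;
ln -s -f /run/builder-unlock/${path@Q} /etc/ssh/authorized_keys.d/${user@Q}")
  ssh -n root"@$host" -- "${a[*]@Q}" \
    || die "installing public key for $user at $host failed"
done </etc/nix/machines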