diff --git a/hosts/mailnix/default.nix b/hosts/mailnix/default.nix
index a568ea5..f142d11 100644
--- a/hosts/mailnix/default.nix
+++ b/hosts/mailnix/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
 imports = [
 ../../config/basic
@@ -28,32 +28,9 @@ users.users.build = {
 isSystemUser = true;
 shell = pkgs.bash;
- group = "build";
+ group = "nogroup";
 extraGroups = [ "nix-build" ];
 createHome = false;
- openssh.authorizedKeys.keyFiles = [
- ./secrets/generated/buildSSHKey.pub
- ];
 };
-
- age.secrets.buildSSHKey = {
- generator.script =
- {
- lib,
- name,
- pkgs,
- file,
- ...
- }:
- ''
- key=$(exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -C ${lib.escapeShellArg "${config.networking.hostName}:${name}"} -f /proc/self/fd/3 <</dev/null 2>&1; true)
- (exec 3<&0; ${pkgs.openssh}/bin/ssh-keygen -f /proc/self/fd/3 -y) <<< "$key" > ${
- lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
- }
- echo "$key"
- '';
- intermediary = true;
- };
-
 users.groups.build = { };
 users.groups.nix-build = { };
 }
diff --git a/nix/devshell.nix b/nix/devshell.nix
index 6a0066c..37c03fa 100644
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -35,6 +35,10 @@
 package = pkgs.scripts.deploy;
 help = "deploy nix configurations";
 }
+ {
+ package = pkgs.scripts.unlock;
+ help = "build nix configurations";
+ }
 {
 package = pkgs.scripts.build;
 help = "build nix configurations";
diff --git a/pkgs/scripts/build.sh b/pkgs/scripts/build.sh
index f2379e1..cd1b733 100644
--- a/pkgs/scripts/build.sh
+++ b/pkgs/scripts/build.sh
@@ -1,5 +1,3 @@
-set -euo pipefail
-
 function die {
 echo "error: $*" >&2
 exit 1
diff --git a/pkgs/scripts/default.nix b/pkgs/scripts/default.nix
index 27659fa..7424a03 100644
--- a/pkgs/scripts/default.nix
+++ b/pkgs/scripts/default.nix
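Review bot: `group = "nogroup";` in the users.users.build hunk moves the build system user onto the shared nogroup primary group while the same hunk's context still declares `users.groups.build = { };`, so the dedicated group is now declared but unused. Either keep `group = "build";`, which is the least-privilege choice for a system user, or drop the `users.groups.build` declaration so the file does not carry a dead group. With `openssh.authorizedKeys.keyFiles` removed, the build user has no declaratively managed key any more; from the unlock.sh hunk it looks like access is meant to come from `/etc/ssh/authorized_keys.d/<user>` written at runtime, which deserves a comment next to the user definition, e.g. `# SSH access for this user is provisioned at runtime by unlock-builders (pkgs/scripts/unlock.sh), not declared here.`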
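Review bot: The help text of the new `pkgs.scripts.unlock` entry is copied from the build entry: `help = "build nix configurations";` now describes a package whose script is named unlock-builders in the pkgs/scripts/default.nix hunk, so the devshell menu shows two entries with the same description. Something like `help = "unlock nix remote builders";` keeps the menu accurate.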
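Review bot: With `set -euo pipefail` dropped from the top of build.sh, the script is only in strict mode when run through the writeShellApplication wrapper shown in the pkgs/scripts/default.nix hunk, presumably because that wrapper enables the same options itself; invoked directly with bash it now loses errexit, nounset and pipefail silently, and `die` is no longer reached for unchecked failing commands. If that is intended, a one-line header such as `# No explicit 'set -euo pipefail': strict mode is enabled by the writeShellApplication wrapper in pkgs/scripts/default.nix.` records the dependency for the next reader. The same applies to the deploy.sh hunk. The body of `die` continues past the end of the hunk.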
@@ -11,6 +11,11 @@ _final: prev: {
 runtimeInputs = [ prev.nix-output-monitor ];
 text = builtins.readFile ./build.sh;
 };
+ unlock = prev.writeShellApplication {
+ name = "unlock-builders";
+ runtimeInputs = [ prev.nix-output-monitor ];
+ text = builtins.readFile ./unlock.sh;
+ };
 update = prev.writeShellApplication {
 name = "update";
 runtimeInputs = [ ];
diff --git a/pkgs/scripts/deploy.sh b/pkgs/scripts/deploy.sh
index 78ab17d..6dedf08 100644
--- a/pkgs/scripts/deploy.sh
+++ b/pkgs/scripts/deploy.sh
@@ -1,5 +1,3 @@
-set -euo pipefail
-
 function die {
 echo "error: $*" >&2
 exit 1
diff --git a/pkgs/scripts/unlock.sh b/pkgs/scripts/unlock.sh
new file mode 100644
index 0000000..11706fb
--- /dev/null
+++ b/pkgs/scripts/unlock.sh
@@ -0,0 +1,25 @@
+function die {
+ echo "error: $*" >&2
+ exit 1
+}
+
+while read -r -a i; do
+ path=${i[2]}
+ if [[ ! $path == /run/builder-unlock/* ]]; then
+ continue
+ fi
+ host=${i[0]#*'://'}
+ user=${host%'@'*}
+ host=${host#*'@'}
+ echo "Generating secret key for $user at $host"
+ dirname=$(dirname "$path")
+ pubkey=$(ssh -n root@localhost -- bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
+ ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <</dev/null ;
+ cat ${path@Q}.pub")
+ echo "Uploading public key: $pubkey"
+ path=$(sha256sum <(echo "$pubkey") | cut -d" " -f1)
+ a=(bash -c "mkdir -p /run/builder-unlock ;
+ echo 'restrict,command=\"nix-daemon --stdio\" '${pubkey@Q} > /run/builder-unlock/${path@Q} ;
+ ln -s -f /run/builder-unlock/${path@Q} /etc/ssh/authorized_keys.d/${user@Q}")
+ ssh -n root"@$host" -- "${a[*]@Q}"
+done
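Review bot: `runtimeInputs = [ prev.nix-output-monitor ];` on the new unlock entry looks copied from the build entry above it: unlock.sh (in the unlock.sh hunk) calls ssh, sha256sum, cut and dirname and never invokes nom, so the declared dependency is unused while the tools it actually needs come from whatever PATH the caller happens to have. Declaring them instead, e.g. `runtimeInputs = [ prev.openssh prev.coreutils ];`, makes the wrapper self-contained and pins which ssh client the script runs. ssh-keygen is executed on the remote side of the ssh session and is unaffected by this list.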
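Review bot: `path=${i[2]}` at the top of the loop aborts the whole run on any stdin line with fewer than three fields (a blank line, for instance), because an unset array element is an unbound-variable error under the nounset that the writeShellApplication wrapper presumably enables; `path=${i[2]-}` lets such lines fall through to the existing `continue`. `user` is parsed out of the same input and later becomes a path component in `/etc/ssh/authorized_keys.d/${user@Q}`, so it is worth checking before either ssh call, e.g. `[[ -n $user && $user != */* ]] || die "invalid user in entry: ${i[*]}"`, which also gives the otherwise unused `die` a caller. Reusing `path` for the pubkey hash on the `sha256sum` line shadows the private-key path that was just used; a distinct name such as `keyid` would read better. A short header comment describing the expected input format would help too (it looks like nix's machines file, with `ssh://user@host` in the first field and the key path in the third, but that should be confirmed against the caller).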