feat: unlock script for remot builders
This commit is contained in:
parent
0bd4036cd5
commit
4bc86e57c9
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../../config/basic
|
../../config/basic
|
||||||
|
@ -28,32 +28,9 @@
|
||||||
users.users.build = {
|
users.users.build = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
shell = pkgs.bash;
|
shell = pkgs.bash;
|
||||||
group = "build";
|
group = "nogroup";
|
||||||
extraGroups = [ "nix-build" ];
|
extraGroups = [ "nix-build" ];
|
||||||
createHome = false;
|
createHome = false;
|
||||||
openssh.authorizedKeys.keyFiles = [
|
|
||||||
./secrets/generated/buildSSHKey.pub
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
age.secrets.buildSSHKey = {
|
|
||||||
generator.script =
|
|
||||||
{
|
|
||||||
lib,
|
|
||||||
name,
|
|
||||||
pkgs,
|
|
||||||
file,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
''
|
|
||||||
key=$(exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -C ${lib.escapeShellArg "${config.networking.hostName}:${name}"} -f /proc/self/fd/3 <<<y >/dev/null 2>&1; true)
|
|
||||||
(exec 3<&0; ${pkgs.openssh}/bin/ssh-keygen -f /proc/self/fd/3 -y) <<< "$key" > ${
|
|
||||||
lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
|
|
||||||
}
|
|
||||||
echo "$key"
|
|
||||||
'';
|
|
||||||
intermediary = true;
|
|
||||||
};
|
|
||||||
users.groups.build = { };
|
|
||||||
users.groups.nix-build = { };
|
users.groups.nix-build = { };
|
||||||
}
|
}
|
||||||
|
|
|
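Review bot: The `build` user now has no key source declared in this module — `openssh.authorizedKeys.keyFiles` and the `buildSSHKey` generator are removed and nothing here replaces them — so a reader of this file cannot tell how logins to that account are authorized; add a comment at `users.users.build`, e.g. `# Authorized keys are not declared here: they are written at runtime into /etc/ssh/authorized_keys.d/build by pkgs.scripts.unlock (pkgs/scripts/unlock.sh).` Changing `group` to `"nogroup"` while deleting `users.groups.build = { };` also makes the builder share its primary group with whatever other accounts use `nogroup`; if the previous isolation is still wanted, keeping the dedicated group is the smaller change. Because the authorized_keys.d entry is created outside the NixOS configuration, it is presumably not reconciled by `nixos-rebuild`; worth confirming that an activation on this host neither removes nor replaces it.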
@ -35,6 +35,10 @@
|
||||||
package = pkgs.scripts.deploy;
|
package = pkgs.scripts.deploy;
|
||||||
help = "deploy nix configurations";
|
help = "deploy nix configurations";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
package = pkgs.scripts.unlock;
|
||||||
|
help = "build nix configurations";
|
||||||
|
}
|
||||||
{
|
{
|
||||||
package = pkgs.scripts.build;
|
package = pkgs.scripts.build;
|
||||||
help = "build nix configurations";
|
help = "build nix configurations";
|
||||||
|
|
|
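Review bot: The `help` string of the new `unlock` entry is copy-pasted from the `build` entry — `help = "build nix configurations";` now appears for both — so the script listing describes two different tools identically. Change the new line to something like `help = "unlock remote builders";`. The enclosing list starts and ends outside the hunk.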
@ -1,5 +1,3 @@
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
function die {
|
function die {
|
||||||
echo "error: $*" >&2
|
echo "error: $*" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
|
@ -11,6 +11,11 @@ _final: prev: {
|
||||||
runtimeInputs = [ prev.nix-output-monitor ];
|
runtimeInputs = [ prev.nix-output-monitor ];
|
||||||
text = builtins.readFile ./build.sh;
|
text = builtins.readFile ./build.sh;
|
||||||
};
|
};
|
||||||
|
unlock = prev.writeShellApplication {
|
||||||
|
name = "unlock-builders";
|
||||||
|
runtimeInputs = [ prev.nix-output-monitor ];
|
||||||
|
text = builtins.readFile ./unlock.sh;
|
||||||
|
};
|
||||||
update = prev.writeShellApplication {
|
update = prev.writeShellApplication {
|
||||||
name = "update";
|
name = "update";
|
||||||
runtimeInputs = [ ];
|
runtimeInputs = [ ];
|
||||||
|
|
|
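Review bot: `runtimeInputs = [ prev.nix-output-monitor ];` for the `unlock` application is copied from `build`, but unlock.sh (added in this commit) calls `ssh`, `ssh-keygen`, `sha256sum`, `cut` and `dirname` and never uses `nom`; the declared inputs should be the tools the script actually runs, e.g. `runtimeInputs = [ prev.openssh prev.coreutils ];`. As written the script presumably only works because writeShellApplication leaves the caller's PATH behind the declared inputs, which makes its behaviour depend on the invoking environment rather than on the package. The enclosing overlay attribute set starts and ends outside the hunk.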
@ -1,5 +1,3 @@
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
function die {
|
function die {
|
||||||
echo "error: $*" >&2
|
echo "error: $*" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
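--- /dev/null
+++ b/pkgs/scripts/unlock.sh
@@ -0,0 +1,25 @@
+function die {
+echo "error: $*" >&2
+exit 1
+}
+
+while read -r -a i; do
+path=${i[2]}
+if [[ ! $path == /run/builder-unlock/* ]]; then
+continue
+fi
+host=${i[0]#*'://'}
+user=${host%'@'*}
+host=${host#*'@'}
+echo "Generating secret key for $user at $host"
+dirname=$(dirname "$path")
+pubkey=$(ssh -n root@localhost -- bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
+ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <<<y &>/dev/null ;
+cat ${path@Q}.pub")
+echo "Uploading public key: $pubkey"
+path=$(sha256sum <(echo "$pubkey") | cut -d" " -f1)
+a=(bash -c "mkdir -p /run/builder-unlock ;
+echo 'restrict,command=\"nix-daemon --stdio\" '${pubkey@Q} > /run/builder-unlock/${path@Q} ;
+ln -s -f /run/builder-unlock/${path@Q} /etc/ssh/authorized_keys.d/${user@Q}")
+ssh -n root"@$host" -- "${a[*]@Q}"
+done </etc/nix/machines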
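Review bot: `ln -s -f /run/builder-unlock/${path@Q} /etc/ssh/authorized_keys.d/${user@Q}` keys the authorized-keys entry on the SSH user alone, so when two client machines unlock the same builder as `build`, the second run replaces the first client's key and silently revokes it; a per-client filename, or appending to one file instead of linking, would avoid that. The loop also assumes every line of /etc/nix/machines has at least three fields: on a blank or comment line `path=${i[2]}` is an unbound array element, which aborts the script under the `set -u` that writeShellApplication enables (this commit relies on that when it drops `set -euo pipefail` from the sibling scripts) — `path=${i[2]:-}` lets the existing `continue` guard skip such lines. When the URI carries no `user@` part, `user=${host%'@'*}` leaves `user` equal to the host name and the symlink lands under the wrong filename, so a check that `${i[0]}` contains `@` before proceeding would catch it. Reusing `path` for the sha256 digest after it held the key file path is confusing; `keyhash` would read better. `/etc/ssh/authorized_keys.d` is presumably managed by NixOS on the builder; confirm that an activation there does not replace the symlink.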
@ -36,10 +36,6 @@ lib.optionalAttrs (!minimal) {
|
||||||
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
|
||||||
umask 077
|
umask 077
|
||||||
'';
|
'';
|
||||||
age.secrets.mailnixSSHKey = {
|
|
||||||
inherit (nodes.mailnix.config.age.secrets.buildSSHKey) rekeyFile;
|
|
||||||
mode = "400";
|
|
||||||
};
|
|
||||||
nix = {
|
nix = {
|
||||||
distributedBuilds = true;
|
distributedBuilds = true;
|
||||||
buildMachines = [
|
buildMachines = [
|
||||||
|
@ -48,7 +44,7 @@ lib.optionalAttrs (!minimal) {
|
||||||
protocol = "ssh-ng";
|
protocol = "ssh-ng";
|
||||||
sshUser = "build";
|
sshUser = "build";
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
sshKey = config.age.secrets.mailnixSSHKey.path;
|
sshKey = "/run/builder-unlock/mailnix";
|
||||||
supportedFeatures = [
|
supportedFeatures = [
|
||||||
"big-parallel"
|
"big-parallel"
|
||||||
#"kvm"
|
#"kvm"
|
||||||
|
|
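Review bot: `sshKey = "/run/builder-unlock/mailnix";` points at a file under /run, which is volatile, and the `mailnixSSHKey` age secret that previously supplied the key is removed in the first hunk of this section, so after a reboot of this client the key does not exist until `unlock` has been run again; a comment on the line should say so, e.g. `# Private key is generated at runtime by pkgs.scripts.unlock; absent until it has been run after boot.` How nix behaves for a builder whose key file is missing is not visible here — worth checking that builds fail over cleanly rather than stall on that machine. The `nix.buildMachines` entry starts and ends outside the hunk.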