From 7c2630f80aecda21d9019a9fa81e711299c5e60a Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 28 Nov 2024 16:07:39 +0100
Subject: [PATCH] feat: add locking script
---
 nix/devshell.nix | 8 +++++++-
 pkgs/scripts/default.nix | 7 ++++++-
 pkgs/scripts/lock.sh | 17 +++++++++++++++++
 pkgs/scripts/unlock.sh | 2 +-
 4 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 pkgs/scripts/lock.sh
diff --git a/nix/devshell.nix b/nix/devshell.nix
index 37c03fa..1c956e3 100644
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@@ -36,7 +36,13 @@
 help = "deploy nix configurations";
 }
 {
- package = pkgs.scripts.unlock;
+ package = pkgs.symlinkJoin {
+ name = "locker";
+ paths = [
+ pkgs.scripts.unlock
+ pkgs.scripts.lock
+ ];
+ };
 help = "build nix configurations";
 }
 {
diff --git a/pkgs/scripts/default.nix b/pkgs/scripts/default.nix
index 7424a03..4b10f10 100644
--- a/pkgs/scripts/default.nix
+++ b/pkgs/scripts/default.nix
@@ -13,9 +13,14 @@ _final: prev: {
 };
 unlock = prev.writeShellApplication {
 name = "unlock-builders";
- runtimeInputs = [ prev.nix-output-monitor ];
+ runtimeInputs = [ ];
 text = builtins.readFile ./unlock.sh;
 };
+ lock = prev.writeShellApplication {
+ name = "lock-builders";
+ runtimeInputs = [ ];
+ text = builtins.readFile ./lock.sh;
+ };
 update = prev.writeShellApplication {
 name = "update";
 runtimeInputs = [ ];
diff --git a/pkgs/scripts/lock.sh b/pkgs/scripts/lock.sh
new file mode 100644
index 0000000..5fa8978
--- /dev/null
+++ b/pkgs/scripts/lock.sh 
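Review bot: The `help` string that sits under the new symlinkJoin entry in nix/devshell.nix still reads "build nix configurations", which describes neither `unlock-builders` nor `lock-builders`. That line is a context line and so predates this commit, but the package it documents changed here, so something like `help = "lock/unlock the ssh access of remote nix builders";` would keep the devshell listing accurate. The enclosing list starts before the hunk.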
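Review bot: In pkgs/scripts/default.nix the new `lock` package is declared with `runtimeInputs = [ ]` although lock.sh calls `ssh` to reach each builder as root, so the binary used comes from whatever is first on the caller's PATH rather than from the package closure; `runtimeInputs = [ prev.openssh ];` pins it and keeps the wrapper self-contained. The same hunk empties `unlock`'s runtimeInputs as well; if unlock.sh also shells out to `ssh` or `ssh-keygen` (the garbled tail of this page suggests it does), the same pin applies there.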
@@ -0,0 +1,17 @@
+function die {
+ echo "error: $*" >&2
+ exit 1
+}
+
+while read -r -a i; do
+ path=${i[2]}
+ if [[ ! $path == /run/builder-unlock/* ]]; then
+ continue
+ fi
+ host=${i[0]#*'://'}
+ user=${host%'@'*}
+ host=${host#*'@'}
+ echo "Deleting public key from: $host"
+ a=(bash -c "rm /etc/ssh/authorized_keys.d/${user@Q}")
+ ssh -n root"@$host" -- "${a[*]@Q}"
+done /dev/null ; mkdir -p ${dirname@Q} ; ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <</dev/null ; cat ${path@Q}.pub")
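Review bot: `die` is defined at the top of lock.sh but not called anywhere in the legible part of the hunk, so when `ssh` fails for one host (unreachable, or `rm` returning non-zero because the file is already gone) the script, running under writeShellApplication's errexit, stops mid-loop with no message of its own and the remaining builders keep their keys. Either report and stop, `ssh -n root"@$host" -- "${a[*]@Q}" || die "failed to remove key from $host"`, or record the failure and continue so one dead builder does not leave the others unlocked; `rm -f` on the remote side would also make a repeated lock idempotent. The local private key at `$path` is left in place after the remote authorized key is removed; `rm -f -- "$path" "$path.pub"` after the ssh call would leave no credential behind. The command feeding the loop after `done` is not legible on this page, so the assumed input layout (`${i[0]}` a `ssh://user@host` URI, `${i[2]}` the key path) could not be checked; note that `${host%'@'*}` yields the whole host when no `@` is present.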