


Patrick 7c2630f80a
feat: add locking script 2024-11-28 16:07:39 +01:00
Patrick 4bc86e57c9
feat: unlock script for remot builders 2024-11-28 15:44:49 +01:00
8 changed files with 65 additions and 34 deletions


@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ pkgs, ... }:
{
imports = [
../../config/basic
@ -28,32 +28,9 @@
users.users.build = {
isSystemUser = true;
shell = pkgs.bash;
group = "build";
group = "nogroup";
extraGroups = [ "nix-build" ];
createHome = false;
openssh.authorizedKeys.keyFiles = [
./secrets/generated/buildSSHKey.pub
];
};
age.secrets.buildSSHKey = {
generator.script =
{
lib,
name,
pkgs,
file,
...
}:
''
key=$(exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -C ${lib.escapeShellArg "${config.networking.hostName}:${name}"} -f /proc/self/fd/3 <<<y >/dev/null 2>&1; true)
(exec 3<&0; ${pkgs.openssh}/bin/ssh-keygen -f /proc/self/fd/3 -y) <<< "$key" > ${
lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")
}
echo "$key"
'';
intermediary = true;
};
users.groups.build = { };
users.groups.nix-build = { };
}
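Review bot: With `openssh.authorizedKeys.keyFiles` gone, the `build` account has no declaratively managed SSH key; access now depends entirely on the symlink that `unlock-builders` drops into `/etc/ssh/authorized_keys.d/build`, and nothing in this module records that. I'd add a comment above `users.users.build`: `# No declarative SSH key: access is granted ad hoc by unlock-builders, which links /etc/ssh/authorized_keys.d/build to a restrict,command="nix-daemon --stdio" key under /run; lock-builders removes the link.` The switch from the dedicated `build` group to `nogroup` is presumably deliberate, since `users.groups.build` is dropped in the same hunk, but a one-line why-comment would stop the next reader from reinstating it. NixOS's sshd module may also touch `/etc/ssh/authorized_keys.d` during activation, so whether a hand-placed symlink survives `nixos-rebuild switch` is worth confirming and noting.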


@ -35,6 +35,16 @@
package = pkgs.scripts.deploy;
help = "deploy nix configurations";
}
{
package = pkgs.symlinkJoin {
name = "locker";
paths = [
pkgs.scripts.unlock
pkgs.scripts.lock
];
};
help = "build nix configurations";
}
{
package = pkgs.scripts.build;
help = "build nix configurations";
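Review bot: The help string of the new `locker` entry is a copy of the `build` entry's — both read `build nix configurations` — so the menu will list two commands with the same description. Change the new entry's line to `help = "lock/unlock ssh access to remote builders";`. Because `symlinkJoin` folds two binaries (`unlock-builders`, `lock-builders`) into one entry, naming both in the help text would also tell the reader which commands the entry actually provides. The enclosing list starts and ends outside this hunk.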


@ -1,5 +1,3 @@
set -euo pipefail
function die {
echo "error: $*" >&2
exit 1


@ -11,6 +11,16 @@ _final: prev: {
runtimeInputs = [ prev.nix-output-monitor ];
text = builtins.readFile ./build.sh;
};
unlock = prev.writeShellApplication {
name = "unlock-builders";
runtimeInputs = [ ];
text = builtins.readFile ./unlock.sh;
};
lock = prev.writeShellApplication {
name = "lock-builders";
runtimeInputs = [ ];
text = builtins.readFile ./lock.sh;
};
update = prev.writeShellApplication {
name = "update";
runtimeInputs = [ ];
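Review bot: `unlock-builders` and `lock-builders` are declared with `runtimeInputs = [ ]`, yet `unlock.sh` calls `ssh`, `sha256sum`, `dirname` and `cut`, and `lock.sh` calls `ssh`, so the wrappers depend on whatever the invoking shell happens to have on `PATH` (as far as I recall, `writeShellApplication` prepends `runtimeInputs` to the caller's `PATH` rather than replacing it). Pin them the way the `build` entry above pins `nix-output-monitor`: `runtimeInputs = [ prev.openssh prev.coreutils ];` on both new entries. The overlay's `_final: prev:` attrset continues past the end of this hunk.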


@ -1,5 +1,3 @@
set -euo pipefail
function die {
echo "error: $*" >&2
exit 1

pkgs/scripts/lock.sh Normal file

@ -0,0 +1,17 @@
function die {
echo "error: $*" >&2
exit 1
}
while read -r -a i; do
path=${i[2]}
if [[ ! $path == /run/builder-unlock/* ]]; then
continue
fi
host=${i[0]#*'://'}
user=${host%'@'*}
host=${host#*'@'}
echo "Deleting public key from: $host"
a=(bash -c "rm /etc/ssh/authorized_keys.d/${user@Q}")
ssh -n root"@$host" -- "${a[*]@Q}"
done </etc/nix/machines
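Review bot: The remote `rm` has no `-f`, so on a host whose symlink is already gone it returns non-zero, and because the wrapper runs under `set -e` the loop aborts before later entries in `/etc/nix/machines` are handled; use `a=(bash -c "rm -f /etc/ssh/authorized_keys.d/${user@Q}")`. Locking also leaves all key material in place: the remote copy under `/run/builder-unlock/<sha256>` and the local private key at `$path` are never removed, so "locked" only means sshd no longer consults the key — deleting the local private key too (`rm -f "$path" "$path.pub"`, presumably via `root@localhost` as `unlock.sh` does, since the file is root-owned) would make lock symmetric with unlock. `path=${i[2]}` also trips `set -u` on a blank or short line in the machines file; `path=${i[2]:-}` avoids that. `die` is defined but never called.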

pkgs/scripts/unlock.sh Normal file

@ -0,0 +1,25 @@
function die {
echo "error: $*" >&2
exit 1
}
while read -r -a i; do
path=${i[2]}
if [[ ! $path == /run/builder-unlock/* ]]; then
continue
fi
host=${i[0]#*'://'}
user=${host%'@'*}
host=${host#*'@'}
dirname=$(dirname "$path")
echo "Generating secret key for $user at $host"
pubkey=$(ssh -n root@localhost -- bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <<<y &>/dev/null ;
cat ${path@Q}.pub")
echo "Uploading public key: $pubkey"
path=$(sha256sum <(echo "$pubkey") | cut -d" " -f1)
a=(bash -c "mkdir -p /run/builder-unlock ;
echo 'restrict,command=\"nix-daemon --stdio\" '${pubkey@Q} > /run/builder-unlock/${path@Q} ;
ln -s -f /run/builder-unlock/${path@Q} /etc/ssh/authorized_keys.d/${user@Q}")
ssh -n root"@$host" -- "${a[*]@Q}"
done </etc/nix/machines
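Review bot: The `bash -c "…"` string on the `root@localhost` call is handed to ssh unquoted, so the remote login shell word-splits it again: `bash -c` receives only `umask`, and `mkdir`, `ssh-keygen` and `cat` then run directly in root's login shell with the `umask 077` lost (the private key is still 0600 because ssh-keygen enforces that, but the directory and the `.pub` get the default umask, and `&>` / `<<<` only parse if that login shell is bash). The second ssh call already does this right by building an array and quoting it through `${a[*]@Q}`; the first should do the same. As in `lock.sh`, `path=${i[2]}` trips `set -u` on blank lines of `/etc/nix/machines` (`path=${i[2]:-}`), and `die` is unused.
```shell
# … unchanged: host/user/dirname parsing …
echo "Generating secret key for $user at $host"
gen=(bash -c "umask 077 &>/dev/null ; mkdir -p ${dirname@Q} ;
ssh-keygen -q -t ed25519 -N '' -C 'Automatically generated key for nix remote builders.' -f ${path@Q} <<<y &>/dev/null ;
cat ${path@Q}.pub")
pubkey=$(ssh -n root@localhost -- "${gen[*]@Q}")
# … unchanged: upload of the restrict,command= key and symlink …
```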


@ -36,10 +36,6 @@ lib.optionalAttrs (!minimal) {
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
umask 077
'';
age.secrets.mailnixSSHKey = {
inherit (nodes.mailnix.config.age.secrets.buildSSHKey) rekeyFile;
mode = "400";
};
nix = {
distributedBuilds = true;
buildMachines = [
@ -48,7 +44,7 @@ lib.optionalAttrs (!minimal) {
protocol = "ssh-ng";
sshUser = "build";
system = "aarch64-linux";
sshKey = config.age.secrets.mailnixSSHKey.path;
sshKey = "/run/builder-unlock/mailnix";
supportedFeatures = [
"big-parallel"
#"kvm"
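Review bot: `sshKey = "/run/builder-unlock/mailnix"` points at a file created out-of-band by `unlock-builders` (the scripts find it by matching the `/run/builder-unlock/*` prefix in `/etc/nix/machines`), so it exists only after that script has been run since boot, and a missing key shows up only as a failed remote build; nothing on the line says so. I'd annotate it: `# generated by unlock-builders (pkgs/scripts/unlock.sh); under /run, so presumably gone after reboot until unlocked again`. With `age.secrets.mailnixSSHKey` dropped this is the only key path Nix knows for mailnix, which makes that comment the sole hint for whoever debugs the first build after a reboot. The `buildMachines` entry continues past the end of the hunk.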