nixserve: dependency-inject the pubkey

this is in modules/ dir; shouldn't have that kind of data in it
2023-11-23 02:14:18 +00:00
parent 2d65282643
commit 23f4b2e2e4
2 changed files with 5 additions and 1 deletions


@@ -28,6 +28,7 @@ in
sane.programs.qemu.enableFor.user.colin = true;
# serve packages to other machines that ask for them
sane.services.nixserve.enable = true;
sane.services.nixserve.remoteBuilderPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote";
# each concurrent derivation realization uses a different nix build user.
# default is 32 build users, limiting us to that many concurrent jobs.


@@ -24,6 +24,9 @@ in
type = types.path;
description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
};
sane.services.nixserve.remoteBuilderPubkey = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
@@ -53,7 +56,7 @@ in
];
initialPassword = "";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
cfg.remoteBuilderPubkey
];
};
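Review bot: The new `remoteBuilderPubkey` option is declared with only `type = types.str;`, so nothing tells a reader that its value goes straight into `openssh.authorizedKeys.keys` and grants SSH login to the account defined in this module. I would add a description, e.g. `description = "ssh public key authorized to log in as the remote builder";`. I would also tighten the type to `types.singleLineStr`, so a value with embedded newlines is rejected at this option rather than carrying extra authorized_keys lines further down. Keeping the option without a default looks right, because enabling the service without a key then fails at evaluation instead of falling back to a stale key. The user definition around the `authorizedKeys` change starts and ends outside the hunk.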