From 23f4b2e2e403043e4c47877df1fe50929768bfc4 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 23 Nov 2023 02:14:18 +0000
Subject: [PATCH] nixserve: dependency-inject the pubkey
this is in modules/ dir; shouldn't have that kind of data in it
---
 hosts/modules/roles/build-machine.nix | 1 +
 modules/services/nixserve.nix | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/hosts/modules/roles/build-machine.nix b/hosts/modules/roles/build-machine.nix
index aee123dfc..54a4136dc 100644
--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
@@ -28,6 +28,7 @@ in
 sane.programs.qemu.enableFor.user.colin = true;
 # serve packages to other machines that ask for them
 sane.services.nixserve.enable = true;
+ sane.services.nixserve.remoteBuilderPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote";
 # each concurrent derivation realization uses a different nix build user.
 # default is 32 build users, limiting us to that many concurrent jobs.
diff --git a/modules/services/nixserve.nix b/modules/services/nixserve.nix
index 5be97eb99..cafca0e7d 100644
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@@ -24,6 +24,9 @@ in
 type = types.path;
 description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
 };
+ sane.services.nixserve.remoteBuilderPubkey = mkOption {
+ type = types.str;
+ };
 };
 config = mkIf cfg.enable {
@@ -53,7 +56,7 @@ in
 ];
 initialPassword = "";
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+ cfg.remoteBuilderPubkey
 ];
 };
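Review bot: The new `remoteBuilderPubkey` option in modules/services/nixserve.nix is declared with no `description`, unlike the option just above it, and `types.str` also accepts multi-line strings. The value is placed in `openssh.authorizedKeys.keys` by the last hunk, so a string containing a newline would authorize more than one key from what reads as a single-key option. I would declare it as `type = types.singleLineStr;` and add `description = "ssh public key permitted to log in to the account this module configures for remote builders";`. The option has no default, so enabling the service without setting it should fail at evaluation, which looks like the right fail-closed behaviour and is worth stating in the description.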
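Review bot: In the last hunk, `cfg.remoteBuilderPubkey` is installed in `openssh.authorizedKeys.keys` verbatim, so whatever key a host passes in gets an unrestricted login to this account. If the account is only meant for remote builds (inferred from the option name, since the enclosing user definition starts outside the hunk), it may be worth prefixing the entry with OpenSSH's `restrict` key option, e.g. `"restrict ${cfg.remoteBuilderPubkey}"`, after confirming that remote builds still work without a pty or forwarding. The context line `initialPassword = "";` is not touched by this commit, but now that the module accepts keys from arbitrary hosts it deserves a comment explaining why an empty password is acceptable for this account.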