nixremote: define the user as part of the nixserve module

2023-11-23 02:08:45 +00:00 · 2023-11-23 02:08:45 +00:00 · 2d65282643
commit 2d65282643
parent 0bd9125484
3 changed files with 38 additions and 41 deletions
--- a/hosts/common/users/default.nix
+++ b/hosts/common/users/default.nix
@ -4,7 +4,6 @@
  imports = [
    ./colin.nix
    ./guest.nix
-    ./nixremote.nix
    ./root.nix
  ];

--- a/hosts/common/users/nixremote.nix
+++ b/hosts/common/users/nixremote.nix
@ -1,34 +0,0 @@
-# docs: <https://nixos.wiki/wiki/Distributed_build>
-#
-# this user exists for any machine on my network to receive build requests from some other machine.
-# the build request happens from the origin computer's `root` user, so none of this is protected behind a login password.
-# hence, the `nixremote` user's privileges should be as limited as possible.
-{ config, ... }:
-{
-  users.users.nixremote = {
-    isNormalUser = true;
-    home = "/home/nixremote";
-    # remove write permissions everywhere in the home dir.
-    # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
-    # (in which case, i'm not actually sure why nixremote needs a home)
-    homeMode = "550";
-    group = "nixremote";
-    subUidRanges = [
-      { startUid=300000; count=1; }
-    ];
-    initialPassword = "";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
-    ];
-  };
-
-  users.groups.nixremote = {};
-
-  sane.users.nixremote = {
-    fs."/".dir.acl = {
-      # don't allow the user to write anywhere
-      user = "root";
-      group = "nixremote";
-    };
-  };
-}
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@ -1,6 +1,9 @@
-# docs: https://nixos.wiki/wiki/Binary_Cache
+# docs: <https://nixos.wiki/wiki/Binary_Cache>
 # to copy something to this machine's nix cache, do:
 #   nix copy --to ssh://nixcache.uninsane.org PACKAGE
+#
+# docs: <https://nixos.wiki/wiki/Distributed_build>
+# to use this machine as a remote builder, just build anything with `-j0`.
 { config, lib, ... }:

 with lib;
@ -24,15 +27,44 @@ in
  };

  config = mkIf cfg.enable {
-    nix.settings.trusted-users = [ "nixremote" ];
-    services.nix-serve = {
-      enable = true;
-      inherit (cfg) port secretKeyFile;
-    };
+    # act as a substituter
    sane.ports.ports."${builtins.toString cfg.port}" = {
      visibleTo.lan = true;  # not needed for servo; only desko
      protocol = [ "tcp" ];
      description = "colin-nix-serve-cache";
    };
+    services.nix-serve = {
+      enable = true;
+      inherit (cfg) port secretKeyFile;
+    };
+
+    # act as a remote builder
+    nix.settings.trusted-users = [ "nixremote" ];
+    users.users.nixremote = {
+      isNormalUser = true;
+      home = "/home/nixremote";
+      # remove write permissions everywhere in the home dir.
+      # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
+      # (in which case, i'm not actually sure why nixremote needs a home)
+      homeMode = "550";
+      group = "nixremote";
+      subUidRanges = [
+        { startUid=300000; count=1; }
+      ];
+      initialPassword = "";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+      ];
+    };
+
+    users.groups.nixremote = {};
+
+    sane.users.nixremote = {
+      fs."/".dir.acl = {
+        # don't allow the user to write anywhere
+        user = "root";
+        group = "nixremote";
+      };
+    };
  };
 }