nixremote: define the user as part of the nixserve module
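--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -4,7 +4,6 @@
 imports = [
 ./colin.nix
 ./guest.nix
-./nixremote.nix
 ./root.nix
 ];
 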
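--- a/DIR-NOT-SHOWN/nixremote.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# docs: <https://nixos.wiki/wiki/Distributed_build>
-#
-# this user exists for any machine on my network to receive build requests from some other machine.
-# the build request happens from the origin computer's `root` user, so none of this is protected behind a login password.
-# hence, the `nixremote` user's privileges should be as limited as possible.
-{ config, ... }:
-{
-users.users.nixremote = {
-isNormalUser = true;
-home = "/home/nixremote";
-# remove write permissions everywhere in the home dir.
-# combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
-# (in which case, i'm not actually sure why nixremote needs a home)
-homeMode = "550";
-group = "nixremote";
-subUidRanges = [
-{ startUid=300000; count=1; }
-];
-initialPassword = "";
-openssh.authorizedKeys.keys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
-];
-};
-
-users.groups.nixremote = {};
-
-sane.users.nixremote = {
-fs."/".dir.acl = {
-# don't allow the user to write anywhere
-user = "root";
-group = "nixremote";
-};
-};
-}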
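--- a/NIXSERVE-MODULE-PATH-NOT-SHOWN
+++ b/NIXSERVE-MODULE-PATH-NOT-SHOWN
@@ -1,6 +1,9 @@
-# docs: https://nixos.wiki/wiki/Binary_Cache
+# docs: <https://nixos.wiki/wiki/Binary_Cache>
 # to copy something to this machine's nix cache, do:
 # nix copy --to ssh://nixcache.uninsane.org PACKAGE
+#
+# docs: <https://nixos.wiki/wiki/Distributed_build>
+# to use this machine as a remote builder, just build anything with `-j0`.
 { config, lib, ... }:
 
 with lib;
@@ -24,15 +27,44 @@ in
 };
 
 config = mkIf cfg.enable {
-nix.settings.trusted-users = [ "nixremote" ];
-services.nix-serve = {
-enable = true;
-inherit (cfg) port secretKeyFile;
-};
+# act as a substituter
 sane.ports.ports."${builtins.toString cfg.port}" = {
 visibleTo.lan = true; # not needed for servo; only desko
 protocol = [ "tcp" ];
 description = "colin-nix-serve-cache";
 };
+services.nix-serve = {
+enable = true;
+inherit (cfg) port secretKeyFile;
+};
+
+# act as a remote builder
+nix.settings.trusted-users = [ "nixremote" ];
+users.users.nixremote = {
+isNormalUser = true;
+home = "/home/nixremote";
+# remove write permissions everywhere in the home dir.
+# combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
+# (in which case, i'm not actually sure why nixremote needs a home)
+homeMode = "550";
+group = "nixremote";
+subUidRanges = [
+{ startUid=300000; count=1; }
+];
+initialPassword = "";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+];
+};
+
+users.groups.nixremote = {};
+
+sane.users.nixremote = {
+fs."/".dir.acl = {
+# don't allow the user to write anywhere
+user = "root";
+group = "nixremote";
+};
+};
 };
 }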
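Review bot: The threat-model comments from the deleted nixremote.nix were not carried over into the new `users.users.nixremote` block in the second hunk — only `# act as a remote builder` survives, while the old header explained that build requests arrive from the origin machine's root user, that nothing is behind a login password, and that the account's privileges should therefore be as limited as possible. That context matters more now that `nix.settings.trusted-users = [ "nixremote" ];` sits directly above an account with `initialPassword = "";` and an authorized key, because the Nix manual warns that a trusted user is effectively root-equivalent toward the daemon, which is in tension with the "as limited as possible" goal and deserves a sentence saying why it is accepted here; I'd restore the three old comment lines above `users.users.nixremote` and add `# NOTE: trusted-users makes this account root-equivalent to nix-daemon; the only thing limiting it is who holds the key below`. Separately, if key-only SSH access is the intent, `initialPassword = "";` looks unnecessary — as far as I can tell, leaving every password option unset locks password login while key auth still works, so it is worth confirming and dropping. Note also that, by placing the user under `config = mkIf cfg.enable`, hosts with nixserve disabled no longer define the account at all (the first hunk dropped the unconditional import), which may be intended but is unstated in the commit message.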