add a "nixremote" user for remote bulding (experimental; builds arent actually enabled yet)

2023-11-23 01:27:28 +00:00 · 2023-11-23 01:27:28 +00:00 · 3ff9c0ad0c
commit 3ff9c0ad0c
parent 3eb6ce6ff6
8 changed files with 109 additions and 6 deletions
--- a/TODO.md
+++ b/TODO.md
@ -7,6 +7,9 @@

 ## REFACTORING:

+- remove modules/data/keys
+- simplify ssh keys (hosts/common/ssh.nix ; modules/ssh.nix)
+
 ### sops/secrets
 - attach secrets to the thing they're used by (sane.programs)
 - rework secrets to leverage `sane.fs`
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@ -63,6 +63,8 @@
  sane.ids.systemd-oom.uid = 2005;
  sane.ids.systemd-oom.gid = 2005;
  sane.ids.wireshark.gid = 2006;
+  sane.ids.nixremote.uid = 2007;
+  sane.ids.nixremote.gid = 2007;

  # found on graphical hosts
  sane.ids.nm-iodine.uid = 2101;  # desko/moby/lappy
--- a/hosts/common/users/colin.nix
+++ b/hosts/common/users/colin.nix
@ -6,8 +6,6 @@
    # sets group to "users" (?)
    isNormalUser = true;
    home = "/home/colin";
-    createHome = true;
-    homeMode = "0700";
    # i don't get exactly what this is, but nixos defaults to this non-deterministically
    # in /var/lib/nixos/auto-subuid-map and i don't want that.
    subUidRanges = [
--- a/hosts/common/users/default.nix
+++ b/hosts/common/users/default.nix
@ -4,6 +4,7 @@
  imports = [
    ./colin.nix
    ./guest.nix
+    ./nixremote.nix
    ./root.nix
  ];

--- a/hosts/common/users/nixremote.nix
+++ b/hosts/common/users/nixremote.nix
@ -0,0 +1,30 @@
+# docs: <https://nixos.wiki/wiki/Distributed_build>
+#
+# this user exists for any machine on my network to receive build requests from some other machine.
+# the build request happens from the origin computer's `root` user, so none of this is protected behind a login password.
+# hence, the `nixremote` user's privileges should be as limited as possible.
+{ config, ... }:
+{
+  users.users.nixremote = {
+    isNormalUser = true;
+    home = "/home/nixremote";
+    group = "nixremote";
+    subUidRanges = [
+      { startUid=300000; count=1; }
+    ];
+    initialPassword = "";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+    ];
+  };
+
+  users.groups.nixremote = {};
+
+  sane.users.nixremote = {
+    fs."/".dir.acl = {
+      # don't allow the user to write anywhere
+      user = "root";
+      group = "root";
+    };
+  };
+}
--- a/hosts/common/users/root.nix
+++ b/hosts/common/users/root.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  sane.persist.sys.byStore.cryptClearOnBoot = [
    # when running commands as root, some things may create ~/.cache entries.
@ -7,4 +7,24 @@
    # - `/root/.cache/mesa_shader_cache` takes up 1-2 MB on moby
    { path = "/root"; user = "root"; group = "root"; mode = "0700"; }
  ];
+
+  sane.users.root = {
+    home = "/root";
+    fs.".ssh/nixremote".symlink.target = config.sops.secrets."nixremote_ssh_key".path;
+    fs.".ssh/nixremote.pub".symlink.text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf";
+    fs.".ssh/config".symlink.text = ''
+      # root -> <other nix host> happens for remote builds
+      # provide the auth, and instruct which remote user to login as:
+      Host desko
+        # Prevent using ssh-agent or another keyfile
+        IdentitiesOnly yes
+        IdentityFile /root/.ssh/nixremote
+        User nixremote
+      Host servo
+        # Prevent using ssh-agent or another keyfile
+        IdentitiesOnly yes
+        IdentityFile /root/.ssh/nixremote
+        User nixremote
+    '';
+  };
 }
--- a/modules/users.nix
+++ b/modules/users.nix
@ -95,9 +95,10 @@ let
      })
      {
        fs."/".dir.acl = {
-          user = name;
-          group = nixConfig.users.users."${name}".group;
-          mode = nixConfig.users.users."${name}".homeMode;
+          user = lib.mkDefault name;
+          group = lib.mkDefault nixConfig.users.users."${name}".group;
+          # homeMode defaults to 700; notice: no leading 0
+          mode = "0" + nixConfig.users.users."${name}".homeMode;
        };
        fs.".profile".symlink.text =
          let
--- a/secrets/common/nixremote_ssh_key.bin
+++ b/secrets/common/nixremote_ssh_key.bin
@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:Z3gAd4fuRSYbj/VqItcrFvQZnmaIfrVKbgbN+c9dlT4T7M7uXOe3HwuVgWL+87kpJ7iox2Y7IV5S3l/PrAtucpLAJsKdB6Kdk+kUhDJS80GG7tWDJUsrGPI37qIlcW0ygFjnVSSU1lXknX+MgrJQAqa1TQOGh/EoonEP+h+h3sd4r033uLkot7q5ytF2dFKytRepuBAs8aaruyES/eBfJigtZ8LSbz6Md/vmPt+TE2m6WzBB+hoQ/y0j0zxmVTGIVdWQa2G9q5q4+mEYEInY8KYl3Vk3PqfDyKeVQkLdFvp2Y30zSrmgzljZ4Cv2of2R8Cf4EPZg02PpRXO+G3PNCFzkyJV9UuBkw25cj/2ptLG/2iT0FQzaHlqAbriR9rnE/f22H/gDM67Rmhk0U7Fx2MOpRk6NUBZJL+qSAoRRi3E8r1PGhWA0Vy3q4K+iPHpA9WSnWhpF0APnVhVasyP7WyxM78ojw89aV60o2pZiQnYAukKS4rrGVAY6VQCIMquB9fkIFEvEaGALTVN8D9Lu,iv:15QuTzvB8/MLOwQ1+pa+BHh2UAMngQStn9AOKvRuOLc=,tag:UqOfydAIirQnGXCJx0EH2w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QnFzT1FabkJvWVJtbWdH\nWU9nQmp2cUlMNTRWM09HNGtibmNhNTRhT0JNCjNMdm5ScHhlWUN4d0R4cjRNVStz\nd0NLbkJpUHJtY1hYYWdmNjdTcWEwZk0KLS0tIDFmejRkQ2kzbGczc215QTluS1kv\ncHJtTHZZTmFIaDUvZHQ0UkVmNUlmVVkKoDh96fosdZ0W3FmnTkubzn648sSE0bPl\n+6V7njBcitIulPtv7vJS+RRe6CTI0hCATLw4wK08wj6y/QXUbeoI9Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeEV4SEhsd2ZTUUtpMDVR\nNXVJYjBIYXlZNFJId3Q5aitmRk5jRExsMkVzCnRoMkQ0VUQ0RmEwWnpSSWd5cUdQ\nZ1dQS1BNM1Z5SW5MS3hvcVcweEdjZ0UKLS0tIElORFRxMWdKZUo3SzhxcHZFdW5D\nemxrYUxUUTQwRkJCSzZuSjd3SVgweHMKNyPLaqWCs6z5CkKin+pOezTQNuoiIqvx\nW5YyrphVL7q08LQLdATSRNRcaImxP0P0N8fhSVw2rvklYKRzTJOa4A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT0lQTFVoV3FWenZhbkJ0\nNTlqUS9yV3JpU3VvbVNlSmF5RklFMTQzeHlFClM3K1duVXlkbHkrREQzQmYwYkNj\nU0ZvZEc2YlJxa3hSSFdwM3l3L3EzcnMKLS0tIGdub3d6NjVtaFV1OFhldDRqNnYx\nQ1NsOWxDZEFzZmswTVNmMkU4Qjl5cjAKIzP/HPFcomIOnkRSv6EQOmk2c8onhcxi\nLaG6xIjydye6W8sGRJxatthmRaxA0SsQKROwHj27EiW6GRZodSjKMw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNVR1aWg1N3lnbHNoUlhK\nTjk0QkQ5aFFZMVhXeEtpa2ZQbkU0RkFxTVNjCjJEcjBHVXVLZWRMYVpwTFpMUnNN\naythd3BOdmgvekp0MUZCZmpmblV3UkkKLS0tIFRpZHFRLzhSdjBCN09rSUY5VUNT\nam1vQ3R2VnhUMThCN0dPU0ZlLy80Q28KehP5t4kIwUs9eu+8KWn5SCpvEKVnSHlJ\njR8RhRX7+f6hRP/OvryFxzGFmey3YApdHC3sDhvYjU8qDzs4xj7zAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVXFRRXNuTVJaUWRyRDIr\nV1FMcWlCUVluNWZZNUJxbU5UNzNsbHRLd1ZVCnlsUEYrWGtWem5DRElGaWxEN3d1\nWVNpT3d6d253RnhDamQ5Mkg0bDBQaWcKLS0tIHBiTDlMQmF4RVhqc2N1bDF5c0p1\nd3FiQjB6ckhJd3pSYVZHNjdhaEZEWnMKWdweoLlZg2CoB3VCjCo2J+injACNNXFp\nMjvWqzfibFetLNtxBpfCZY+7rhDDlT1njUBw1q1Dy1ZaIWOuJPYOwQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVVRFWnVBNVp3Qndyb3p0\naDFnRHUrWlB3akg0WnRuNHNNQWpySFVWUEUwCjRYOWJxRkVEYmpoV2ZSR2RmcGdr\nTk9rN2FJOGIyRWpaMUpFUXJ6YTZmYkkKLS0tIE96djFyeitLM2Z0MjdaUExQS0Fu\nNlRhT21mWHZ4WXBJSDY5MDlKZnhQNTgKzjHbxqT2oiGl5jR1F52CWf4MSICdAJng\ndZwTQbtwUNfwhzxCdQ8a8qWR+mOGsd0WtBlrT3c6Yy83HV+PAePFcQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dTNwNVVmMUpCN1I2M25K\nR2VsY0c0Y0htbE15MktUZEt4bFlHU1BUaVcwCm9BK2EycTZFOEJBZ1VUZVdFZWhl\nY1dORGpXVzZwYml5c0tOUWZDVnEyWkkKLS0tIFdwNFFlVmhtVVZGRytDUWExU3BY\nWXgwbldKREdQUUVWSTRoR1AyNDc2VUEKy+b5IaoHLOha+kgVXlyOf2RuoXGvrMGJ\n1mYms2SLs+3/aUtz+nxGKm5H9aBSIf7wzjam6w9ASFIlQqd2Orpc9A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeU5Bdjl6dDFhMXRuL3N1\nMVJ4V0VuQi91ZVZWTW9GbzVJR0FxejMrUEZvCkxxdjFzM3p6cjh1N0NFS3c3NWI3\nOHR0dWpUQ2Q1MzFyU2V6NlN5ajZqc1kKLS0tIGY0bG5BRG9zaVpqdWJZL0FhWS9o\nWi9Tend4c1RUK2QzVCtHalJBQ3l2THcKqUHi7CoHeUqRP/Dr/ZvLT2NgJJV3xC1D\nidZZgCRlrDnbcWnnx16tKyPNk/8pNGdnXbQrlgMMazkZEFqmznRZOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-11-23T00:57:17Z",
+		"mac": "ENC[AES256_GCM,data:IFNjLWSXH8H/zD1wBQQucLNdibx2ILurIZKThA+1W2Iv4uTkSem/QDGUInsjckZPec9HQiRwO3VtZhyRZ6W5c9+SZuQvzdx2CIv+lm/Qz6jaEBVxLerkZi4RRhg4Uf2QsIVMTVT77fh82WUNiGcMtawso991vG+3PfnlJh4YSz0=,iv:9v0uB5KpN0QoqEGtGAjjCgAMPjAaM5BiiulxfW7GC9k=,tag:quF2SwyFLpocOyIMN5lmzQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}