add a "nixremote" user for remote bulding (experimental; builds arent actually enabled yet)
This commit is contained in:
parent
3eb6ce6ff6
commit
3ff9c0ad0c
3
TODO.md
3
TODO.md
|
@ -7,6 +7,9 @@
|
|||
|
||||
## REFACTORING:
|
||||
|
||||
- remove modules/data/keys
|
||||
- simplify ssh keys (hosts/common/ssh.nix ; modules/ssh.nix)
|
||||
|
||||
### sops/secrets
|
||||
- attach secrets to the thing they're used by (sane.programs)
|
||||
- rework secrets to leverage `sane.fs`
|
||||
|
|
|
@ -63,6 +63,8 @@
|
|||
sane.ids.systemd-oom.uid = 2005;
|
||||
sane.ids.systemd-oom.gid = 2005;
|
||||
sane.ids.wireshark.gid = 2006;
|
||||
sane.ids.nixremote.uid = 2007;
|
||||
sane.ids.nixremote.gid = 2007;
|
||||
|
||||
# found on graphical hosts
|
||||
sane.ids.nm-iodine.uid = 2101; # desko/moby/lappy
|
||||
|
|
|
@ -6,8 +6,6 @@
|
|||
# sets group to "users" (?)
|
||||
isNormalUser = true;
|
||||
home = "/home/colin";
|
||||
createHome = true;
|
||||
homeMode = "0700";
|
||||
# i don't get exactly what this is, but nixos defaults to this non-deterministically
|
||||
# in /var/lib/nixos/auto-subuid-map and i don't want that.
|
||||
subUidRanges = [
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
imports = [
|
||||
./colin.nix
|
||||
./guest.nix
|
||||
./nixremote.nix
|
||||
./root.nix
|
||||
];
|
||||
|
||||
|
|
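--- a/hosts/common/users/nixremote.nix
+++ b/hosts/common/users/nixremote.nix
@@ -0,0 +1,30 @@
+# docs: <https://nixos.wiki/wiki/Distributed_build>
+#
+# this user exists for any machine on my network to receive build requests from some other machine.
+# the build request happens from the origin computer's `root` user, so none of this is protected behind a login password.
+# hence, the `nixremote` user's privileges should be as limited as possible.
+{ config, ... }:
+{
+  users.users.nixremote = {
+    isNormalUser = true;
+    home = "/home/nixremote";
+    group = "nixremote";
+    subUidRanges = [
+      { startUid=300000; count=1; }
+    ];
+    initialPassword = "";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+    ];
+  };
+
+  users.groups.nixremote = {};
+
+  sane.users.nixremote = {
+    fs."/".dir.acl = {
+      # don't allow the user to write anywhere
+      user = "root";
+      group = "root";
+    };
+  };
+}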
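Review bot: `initialPassword = "";` on users.users.nixremote gives the account a usable empty password, which works against the header comment that its privileges should be as limited as possible: local console login, `su nixremote` and any PAM-backed service that does not reject empty passwords will accept it (sshd refuses it by default through PermitEmptyPasswords, so it buys nothing for the remote-build path). Dropping the `initialPassword` line leaves the account password-locked while the `openssh.authorizedKeys.keys` entry still permits key-based SSH, which is the only access a remote builder needs. The same `ssh-ed25519 … root@nixremote` key is authorised on every host that imports this file and its private half ships in secrets/common, so a root compromise on one host yields nixremote access to all of them; adding `restrict` and `from="…"` options in front of the key, or using a per-host key pair, keeps the credential usable only for build traffic. A comment on the `fs."/".dir.acl` block saying why a root-owned, unwritable home is sufficient for the build protocol would help the next reader, since that is not obvious from this file alone.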
@ -1,4 +1,4 @@
|
|||
{ ... }:
|
||||
{ config, ... }:
|
||||
{
|
||||
sane.persist.sys.byStore.cryptClearOnBoot = [
|
||||
# when running commands as root, some things may create ~/.cache entries.
|
||||
|
@ -7,4 +7,24 @@
|
|||
# - `/root/.cache/mesa_shader_cache` takes up 1-2 MB on moby
|
||||
{ path = "/root"; user = "root"; group = "root"; mode = "0700"; }
|
||||
];
|
||||
|
||||
sane.users.root = {
|
||||
home = "/root";
|
||||
fs.".ssh/nixremote".symlink.target = config.sops.secrets."nixremote_ssh_key".path;
|
||||
fs.".ssh/nixremote.pub".symlink.text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf";
|
||||
fs.".ssh/config".symlink.text = ''
|
||||
# root -> <other nix host> happens for remote builds
|
||||
# provide the auth, and instruct which remote user to login as:
|
||||
Host desko
|
||||
# Prevent using ssh-agent or another keyfile
|
||||
IdentitiesOnly yes
|
||||
IdentityFile /root/.ssh/nixremote
|
||||
User nixremote
|
||||
Host servo
|
||||
# Prevent using ssh-agent or another keyfile
|
||||
IdentitiesOnly yes
|
||||
IdentityFile /root/.ssh/nixremote
|
||||
User nixremote
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
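Review bot: The `fs.".ssh/config".symlink.text` block pins which identity root presents to desko and servo but nothing in this hunk pins the peers' host keys, so unless known_hosts is provisioned elsewhere (not visible in this commit) root's first connection accepts whatever host key answers and the authentication is effectively one-way. Consider adding `StrictHostKeyChecking yes` together with a managed `UserKnownHostsFile`, which matters more than usual here because the private key is shared across hosts. The two Host blocks are byte-identical; `Host desko servo` with a single body removes the duplication and keeps future edits in sync. `config.sops.secrets."nixremote_ssh_key"` is referenced but its declaration is not part of this diff; confirm it resolves to a root-owned, non-world-readable path, since the symlink at `/root/.ssh/nixremote` exposes whatever it points to.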
@ -95,9 +95,10 @@ let
|
|||
})
|
||||
{
|
||||
fs."/".dir.acl = {
|
||||
user = name;
|
||||
group = nixConfig.users.users."${name}".group;
|
||||
mode = nixConfig.users.users."${name}".homeMode;
|
||||
user = lib.mkDefault name;
|
||||
group = lib.mkDefault nixConfig.users.users."${name}".group;
|
||||
# homeMode defaults to 700; notice: no leading 0
|
||||
mode = "0" + nixConfig.users.users."${name}".homeMode;
|
||||
};
|
||||
fs.".profile".symlink.text =
|
||||
let
|
||||
|
|
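Review bot: `mode = "0" + nixConfig.users.users."${name}".homeMode;` assumes homeMode never carries a leading zero, but the option is a free-form string and a host setting `homeMode = "0700"` (the form that appears in the colin.nix hunk above) would yield `"00700"`, which the acl consumer may or may not accept; normalising is cheap: `mode = let m = nixConfig.users.users."${name}".homeMode; in if lib.hasPrefix "0" m then m else "0" + m;`. `user` and `group` are now wrapped in `lib.mkDefault` while `mode` is not, so a per-user module (nixremote.nix overrides only user/group) can replace the owner but needs `lib.mkForce` to change the mode — if that asymmetry is intended, a short comment such as `# mode follows homeMode; override homeMode, not this` would prevent it being "fixed" later. The enclosing `let` expression starts and ends outside the hunk.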
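--- a/secrets/common/nixremote_ssh_key.bin
+++ b/secrets/common/nixremote_ssh_key.bin
@@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data: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,iv:15QuTzvB8/MLOwQ1+pa+BHh2UAMngQStn9AOKvRuOLc=,tag:UqOfydAIirQnGXCJx0EH2w==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QnFzT1FabkJvWVJtbWdH\nWU9nQmp2cUlMNTRWM09HNGtibmNhNTRhT0JNCjNMdm5ScHhlWUN4d0R4cjRNVStz\nd0NLbkJpUHJtY1hYYWdmNjdTcWEwZk0KLS0tIDFmejRkQ2kzbGczc215QTluS1kv\ncHJtTHZZTmFIaDUvZHQ0UkVmNUlmVVkKoDh96fosdZ0W3FmnTkubzn648sSE0bPl\n+6V7njBcitIulPtv7vJS+RRe6CTI0hCATLw4wK08wj6y/QXUbeoI9Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeEV4SEhsd2ZTUUtpMDVR\nNXVJYjBIYXlZNFJId3Q5aitmRk5jRExsMkVzCnRoMkQ0VUQ0RmEwWnpSSWd5cUdQ\nZ1dQS1BNM1Z5SW5MS3hvcVcweEdjZ0UKLS0tIElORFRxMWdKZUo3SzhxcHZFdW5D\nemxrYUxUUTQwRkJCSzZuSjd3SVgweHMKNyPLaqWCs6z5CkKin+pOezTQNuoiIqvx\nW5YyrphVL7q08LQLdATSRNRcaImxP0P0N8fhSVw2rvklYKRzTJOa4A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT0lQTFVoV3FWenZhbkJ0\nNTlqUS9yV3JpU3VvbVNlSmF5RklFMTQzeHlFClM3K1duVXlkbHkrREQzQmYwYkNj\nU0ZvZEc2YlJxa3hSSFdwM3l3L3EzcnMKLS0tIGdub3d6NjVtaFV1OFhldDRqNnYx\nQ1NsOWxDZEFzZmswTVNmMkU4Qjl5cjAKIzP/HPFcomIOnkRSv6EQOmk2c8onhcxi\nLaG6xIjydye6W8sGRJxatthmRaxA0SsQKROwHj27EiW6GRZodSjKMw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNVR1aWg1N3lnbHNoUlhK\nTjk0QkQ5aFFZMVhXeEtpa2ZQbkU0RkFxTVNjCjJEcjBHVXVLZWRMYVpwTFpMUnNN\naythd3BOdmgvekp0MUZCZmpmblV3UkkKLS0tIFRpZHFRLzhSdjBCN09rSUY5VUNT\nam1vQ3R2VnhUMThCN0dPU0ZlLy80Q28KehP5t4kIwUs9eu+8KWn5SCpvEKVnSHlJ\njR8RhRX7+f6hRP/OvryFxzGFmey3YApdHC3sDhvYjU8qDzs4xj7zAQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVXFRRXNuTVJaUWRyRDIr\nV1FMcWlCUVluNWZZNUJxbU5UNzNsbHRLd1ZVCnlsUEYrWGtWem5DRElGaWxEN3d1\nWVNpT3d6d253RnhDamQ5Mkg0bDBQaWcKLS0tIHBiTDlMQmF4RVhqc2N1bDF5c0p1\nd3FiQjB6ckhJd3pSYVZHNjdhaEZEWnMKWdweoLlZg2CoB3VCjCo2J+injACNNXFp\nMjvWqzfibFetLNtxBpfCZY+7rhDDlT1njUBw1q1Dy1ZaIWOuJPYOwQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVVRFWnVBNVp3Qndyb3p0\naDFnRHUrWlB3akg0WnRuNHNNQWpySFVWUEUwCjRYOWJxRkVEYmpoV2ZSR2RmcGdr\nTk9rN2FJOGIyRWpaMUpFUXJ6YTZmYkkKLS0tIE96djFyeitLM2Z0MjdaUExQS0Fu\nNlRhT21mWHZ4WXBJSDY5MDlKZnhQNTgKzjHbxqT2oiGl5jR1F52CWf4MSICdAJng\ndZwTQbtwUNfwhzxCdQ8a8qWR+mOGsd0WtBlrT3c6Yy83HV+PAePFcQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dTNwNVVmMUpCN1I2M25K\nR2VsY0c0Y0htbE15MktUZEt4bFlHU1BUaVcwCm9BK2EycTZFOEJBZ1VUZVdFZWhl\nY1dORGpXVzZwYml5c0tOUWZDVnEyWkkKLS0tIFdwNFFlVmhtVVZGRytDUWExU3BY\nWXgwbldKREdQUUVWSTRoR1AyNDc2VUEKy+b5IaoHLOha+kgVXlyOf2RuoXGvrMGJ\n1mYms2SLs+3/aUtz+nxGKm5H9aBSIf7wzjam6w9ASFIlQqd2Orpc9A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeU5Bdjl6dDFhMXRuL3N1\nMVJ4V0VuQi91ZVZWTW9GbzVJR0FxejMrUEZvCkxxdjFzM3p6cjh1N0NFS3c3NWI3\nOHR0dWpUQ2Q1MzFyU2V6NlN5ajZqc1kKLS0tIGY0bG5BRG9zaVpqdWJZL0FhWS9o\nWi9Tend4c1RUK2QzVCtHalJBQ3l2THcKqUHi7CoHeUqRP/Dr/ZvLT2NgJJV3xC1D\nidZZgCRlrDnbcWnnx16tKyPNk/8pNGdnXbQrlgMMazkZEFqmznRZOg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-11-23T00:57:17Z",
+		"mac": "ENC[AES256_GCM,data:IFNjLWSXH8H/zD1wBQQucLNdibx2ILurIZKThA+1W2Iv4uTkSem/QDGUInsjckZPec9HQiRwO3VtZhyRZ6W5c9+SZuQvzdx2CIv+lm/Qz6jaEBVxLerkZi4RRhg4Uf2QsIVMTVT77fh82WUNiGcMtawso991vG+3PfnlJh4YSz0=,iv:9v0uB5KpN0QoqEGtGAjjCgAMPjAaM5BiiulxfW7GC9k=,tag:quF2SwyFLpocOyIMN5lmzQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}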