desko: disable nix-serve

2024-05-16 02:35:27 +00:00
parent 3bb5546aaf
commit df4ef0ce5a
8 changed files with 30 additions and 76 deletions
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -23,9 +23,7 @@
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
  sane.services.duplicity.enable = true;
-  sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;

-  sane.nixcache.substituters.desko = false;
  sane.nixcache.remote-builders.desko = false;

  sane.programs.cups.enableFor.user.colin = true;
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -25,10 +25,6 @@
  sane.services.wg-home.enable = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;

-  # for some reason desko -> moby deploys are super flaky when desko is also a nixcache (not true of desko -> lappy deploys, though!)
-  # > unable to download 'http://desko:5001/<hash>.narinfo': Server returned nothing (no headers, no data) (52)
-  sane.nixcache.substituters.desko = false;
-
  # XXX colin: phosh doesn't work well with passwordless login,
  # so set this more reliable default password should anything go wrong
  users.users.colin.initialPassword = "147147";
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -29,7 +29,6 @@
  sane.services.wg-home.routeThroughServo = false;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
  sane.nixcache.substituters.servo = false;
-  sane.nixcache.substituters.desko = false;
  sane.nixcache.remote-builders.desko = false;
  sane.nixcache.remote-builders.servo = false;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@@ -41,7 +41,6 @@ in
      cachix = subOpt true;
      # the interaction particularly between moby and nixcache.uninsane.org is just too finicky.
      servo = subOpt false;
-      desko = subOpt false;
    };
    sane.nixcache.remote-builders.desko = mkOption {
      default = true;
@@ -57,17 +56,15 @@ in
    # use our own binary cache
    # to explicitly build from a specific cache (in case others are down):
    # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
-    # - `nix build ... --substituters http://desko:5000`
+    # - `nix build ... --substituters ""`
    nix.settings.substituters = mkIf cfg.enable (lib.flatten [
      (lib.optional cfg.substituters.servo  "https://nixcache.uninsane.org")
-      (lib.optional cfg.substituters.desko  "http://desko:${builtins.toString config.sane.services.nixserve.port}")
      (lib.optional cfg.substituters.nixos  "https://cache.nixos.org/")
      (lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
    ]);
    # always trust our keys (so one can explicitly use a substituter even if it's not the default
    nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
      "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
-      "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    ];

--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
@@ -22,9 +22,35 @@ in
      # enable opt-in emulation of any package at runtime.
      # i.e. `nix build '.#hostPkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
      sane.programs.qemu.enableFor.user.colin = true;
-      # serve packages to other machines that ask for them
-      sane.services.nixserve.enable = true;
-      sane.services.nixserve.remoteBuilderPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote";
+
+      # act as a remote builder
+      nix.settings.trusted-users = [ "nixremote" ];
+      users.users.nixremote = {
+        isNormalUser = true;
+        home = "/home/nixremote";
+        # remove write permissions everywhere in the home dir.
+        # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
+        # (in which case, i'm not actually sure why nixremote needs a home)
+        homeMode = "550";
+        group = "nixremote";
+        subUidRanges = [
+          { startUid=300000; count=1; }
+        ];
+        initialPassword = "";
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+        ];
+      };
+
+      users.groups.nixremote = {};
+
+      sane.users.nixremote = {
+        fs."/".dir.acl = {
+          # don't allow the user to write anywhere
+          user = "root";
+          group = "nixremote";
+        };
+      };

      # each concurrent derivation realization uses a different nix build user.
      # default is 32 build users, limiting us to that many concurrent jobs.
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@@ -24,9 +24,6 @@ in
      type = types.path;
      description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
    };
-    sane.services.nixserve.remoteBuilderPubkey = mkOption {
-      type = types.str;
-    };
  };

  config = mkIf cfg.enable {
@@ -48,34 +45,5 @@ in
      isSystemUser = true;
    };
    users.groups.nix-serve = {};
-
-    # act as a remote builder
-    nix.settings.trusted-users = [ "nixremote" ];
-    users.users.nixremote = {
-      isNormalUser = true;
-      home = "/home/nixremote";
-      # remove write permissions everywhere in the home dir.
-      # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
-      # (in which case, i'm not actually sure why nixremote needs a home)
-      homeMode = "550";
-      group = "nixremote";
-      subUidRanges = [
-        { startUid=300000; count=1; }
-      ];
-      initialPassword = "";
-      openssh.authorizedKeys.keys = [
-        cfg.remoteBuilderPubkey
-      ];
-    };
-
-    users.groups.nixremote = {};
-
-    sane.users.nixremote = {
-      fs."/".dir.acl = {
-        # don't allow the user to write anywhere
-        user = "root";
-        group = "nixremote";
-      };
-    };
  };
 }
--- a/secrets/desko/README.md
+++ b/secrets/desko/README.md
@@ -1,5 +1,3 @@
- nix_serve_privkey.bin:
-    - generate with `nix-store --generate-binary-cache-key desko cache-priv-key.pem cache-pub-key.pem`
 - colin-passwd.bin:
    - see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.hashedPasswordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
    - update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
--- a/secrets/desko/nix_serve_privkey.bin
+++ b/secrets/desko/nix_serve_privkey.bin
@@ -1,28 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:H47rSAxO2ktohfFRlmbB4qNEZGECfMg3SJSrhLNFXKSkboYRsqgQXmrnPHy7QphRlD6WnN+ocBGMVw0W9n5UJUOFJQTEG3a9xltRQuKSoLV05OzMkpU3jY2MfKWtIDo=,iv:2sDvuIBVskHhCgo3iAkyjrbBj4IQbOFEAOEekYEsaSI=,tag:veoxWv02bNL0meR1zwyS2Q==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"age": [
-			{
-				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZVVkanlzSmRkdlFIdnJi\nOVZNV05mZWczTDI0T2YraENBNXVqc0s3SHgwCjFHdkpGTnV2N0RySnc5L2VBMGMx\nMFRKQ1ZEV1Ywc3c4aUhkbjlkdktOTWMKLS0tIHg4K1RDMklmcXg5ZWwvbEhZTFZm\nejdHQmFQTklicmRwUkZ2b2J0TnVtZDgKx7/9IMIGA1pVAgJxrjsaWIUmJzrMhWC+\nPQvXgIfr8xIzMPV0EeDbLQGMnGuulfvp6WYO2uCb/DjMtzfO0jHKwg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTFJnTGJ5NGJRNkdOTEI1\nMDJKUFZsSjVrbmNySWpPU3Q3WGgxV2ZncVVvCmF3T3lrUkVweDB0cVVpNzA3Sk9m\nUXZYQTJnc3V1eldkZ2dHLzlXNFkvWEUKLS0tIFk0VG1ackY0ekFBVkR5V2t4aS9C\nMVA3YmZQR1FBUVpSQlNuM3BiQVBoN0UKugMq88tUmi8iP3qvJsCblL4hX1HUFn3V\nb7JzeSw4mvRxRsys6uao/EuCI2af+AW1ugzxAZDHHGH+B8lzaeeN9g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MVc2QjZpQ3Z2SjdQNVlo\nSmkwanVDcU5Sd2JpYkp4Vk5pdTFuUWRrZVZZCnBnaGVZN0xmSnFRdWNwYVVjT2Nu\nMUYrVDdEWm1ETk1hYXBndXJKQkhhK28KLS0tIC9CeXBVKzZyUDd1QnF0MDRMYmtR\nSXMyY3VCTjEvMjZ2UFlSa1dMM0FyTDgKzyHEStZL4AxvGdiCg/hy56ebWCoCHrdL\nhWcmg9YMIBDeC/vER+Den8XS+YTDZLGv8rMUF5mwhpLWXtuQUnljnw==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2023-05-14T02:12:39Z",
-		"mac": "ENC[AES256_GCM,data:GRu1gxVi2zqgYUJkV0f3rQ6CPTPzxSd/oxWM5tEbTLqki7WflTNTvn2R2U/2bHwq85JuXvKcBoCsC7kGaGR/kVF4j2YA9jGp1EmUUVpooU2+s1noQHObu1OT1DG46jKlUP8QTzIYrZZ4sIKi1zAyqDDFYs5recJEBEY2goEcApU=,iv:/2pvHmiM7hTydB5g//RJiyF521BCRWNEBD5hR4+t1d8=,tag:jrIQN/Xu6VhNZ/uiy5oBHA==,type:str]",
-		"pgp": null,
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
-	}
-}