diff --git a/hosts/by-name/desko/default.nix b/hosts/by-name/desko/default.nix
index 9ec15d542..5118b5d60 100644
--- a/hosts/by-name/desko/default.nix
+++ b/hosts/by-name/desko/default.nix
@@ -23,9 +23,7 @@
 sane.services.wg-home.enable = true;
 sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
 sane.services.duplicity.enable = true;
- sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
- sane.nixcache.substituters.desko = false;
 sane.nixcache.remote-builders.desko = false;
 sane.programs.cups.enableFor.user.colin = true;
diff --git a/hosts/by-name/moby/default.nix b/hosts/by-name/moby/default.nix
index d0f9bd6ec..8f55813f4 100644
--- a/hosts/by-name/moby/default.nix
+++ b/hosts/by-name/moby/default.nix
@@ -25,10 +25,6 @@
 sane.services.wg-home.enable = true;
 sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
- # for some reason desko -> moby deploys are super flaky when desko is also a nixcache (not true of desko -> lappy deploys, though!)
- # > unable to download 'http://desko:5001/.narinfo': Server returned nothing (no headers, no data) (52)
- sane.nixcache.substituters.desko = false;
-
 # XXX colin: phosh doesn't work well with passwordless login,
 # so set this more reliable default password should anything go wrong
 users.users.colin.initialPassword = "147147";
diff --git a/hosts/by-name/servo/default.nix b/hosts/by-name/servo/default.nix
index 76e83ab6d..7fd39af0f 100644
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -29,7 +29,6 @@
 sane.services.wg-home.routeThroughServo = false;
 sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
 sane.nixcache.substituters.servo = false;
- sane.nixcache.substituters.desko = false;
 sane.nixcache.remote-builders.desko = false;
 sane.nixcache.remote-builders.servo = false;
 # sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade 
diff --git a/hosts/modules/nixcache.nix b/hosts/modules/nixcache.nix
index 316d7f76b..1ff7121b2 100644
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@@ -41,7 +41,6 @@ in
 cachix = subOpt true;
 # the interaction particularly between moby and nixcache.uninsane.org is just too finicky.
 servo = subOpt false;
- desko = subOpt false;
 };
 sane.nixcache.remote-builders.desko = mkOption {
 default = true;
@@ -57,17 +56,15 @@ in
 # use our own binary cache
 # to explicitly build from a specific cache (in case others are down):
 # - `nixos-rebuild ... --option substituters https://cache.nixos.org`
- # - `nix build ... --substituters http://desko:5000`
+ # - `nix build ... --substituters ""`
 nix.settings.substituters = mkIf cfg.enable (lib.flatten [
 (lib.optional cfg.substituters.servo "https://nixcache.uninsane.org")
- (lib.optional cfg.substituters.desko "http://desko:${builtins.toString config.sane.services.nixserve.port}")
 (lib.optional cfg.substituters.nixos "https://cache.nixos.org/")
 (lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
 ]);
 # always trust our keys (so one can explicitly use a substituter even if it's not the default
 nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
 "nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
- "desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 ];
diff --git a/hosts/modules/roles/build-machine.nix b/hosts/modules/roles/build-machine.nix
index 7fa2f2cd7..23e8144a6 100644
--- a/hosts/modules/roles/build-machine.nix
+++ b/hosts/modules/roles/build-machine.nix
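Review bot: Dropping `desko = subOpt false;` from the `sane.nixcache.substituters` submodule turns any remaining `sane.nixcache.substituters.desko = …;` assignment elsewhere in the tree into an undefined-option evaluation error; this commit clears it from desko, moby and servo, but the removed moby comment also mentions lappy, and no lappy file is touched here, so it is worth confirming that host (and any other role/profile) never set it. The removal of the `desko:…` entry from `nix.settings.trusted-public-keys` together with the deleted `secrets/desko/nix_serve_privkey.bin` effectively retires that signing key, which is the right pairing; a one-line comment on the `trusted-public-keys` list saying that retired cache keys are removed here deliberately would stop a future reader from re-adding it from git history. The enclosing `config` attrset of this module starts before the hunk.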
@@ -22,9 +22,35 @@ in
 # enable opt-in emulation of any package at runtime.
 # i.e. `nix build '.#hostPkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
 sane.programs.qemu.enableFor.user.colin = true;
- # serve packages to other machines that ask for them
- sane.services.nixserve.enable = true;
- sane.services.nixserve.remoteBuilderPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote";
+
+ # act as a remote builder
+ nix.settings.trusted-users = [ "nixremote" ];
+ users.users.nixremote = {
+ isNormalUser = true;
+ home = "/home/nixremote";
+ # remove write permissions everywhere in the home dir.
+ # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
+ # (in which case, i'm not actually sure why nixremote needs a home)
+ homeMode = "550";
+ group = "nixremote";
+ subUidRanges = [
+ { startUid=300000; count=1; }
+ ];
+ initialPassword = "";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
+ ];
+ };
+
+ users.groups.nixremote = {};
+
+ sane.users.nixremote = {
+ fs."/".dir.acl = {
+ # don't allow the user to write anywhere
+ user = "root";
+ group = "nixremote";
+ };
+ };
 # each concurrent derivation realization uses a different nix build user.
 # default is 32 build users, limiting us to that many concurrent jobs.
diff --git a/modules/services/nixserve.nix b/modules/services/nixserve.nix
index 79b984efd..3ebf78874 100644
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@@ -24,9 +24,6 @@ in
 type = types.path;
 description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
 };
- sane.services.nixserve.remoteBuilderPubkey = mkOption {
- type = types.str;
- };
 };
 config = mkIf cfg.enable {
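Review bot: `initialPassword = "";` on the new `users.users.nixremote` block gives a `nix.settings.trusted-users` account an empty password, and a trusted user can pass arbitrary settings (substituters, trusted public keys, sandbox options) to nix-daemon, so this account is effectively store-root on the build machine. Whether an empty password is actually accepted at a login prompt depends on the PAM and sshd configuration, which this hunk does not show, but the intent is clearly key-only access via `openssh.authorizedKeys.keys`, so the line should either be dropped or replaced with `hashedPassword = "!";` so the account has no usable password at all. The `# act as a remote builder` comment could also say why the builder user must be trusted, e.g. `# trusted so the coordinating host can push unsigned build inputs into this store`, because that is the property a future reader must weigh before reusing this role. Note the SSH public key, previously supplied through the `remoteBuilderPubkey` option, is now hard-coded in the role, which ties every host that imports the role to this one key pair. The enclosing `config` attrset starts before the hunk.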
@@ -48,34 +45,5 @@ in
 isSystemUser = true;
 };
 users.groups.nix-serve = {};
-
- # act as a remote builder
- nix.settings.trusted-users = [ "nixremote" ];
- users.users.nixremote = {
- isNormalUser = true;
- home = "/home/nixremote";
- # remove write permissions everywhere in the home dir.
- # combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
- # (in which case, i'm not actually sure why nixremote needs a home)
- homeMode = "550";
- group = "nixremote";
- subUidRanges = [
- { startUid=300000; count=1; }
- ];
- initialPassword = "";
- openssh.authorizedKeys.keys = [
- cfg.remoteBuilderPubkey
- ];
- };
-
- users.groups.nixremote = {};
-
- sane.users.nixremote = {
- fs."/".dir.acl = {
- # don't allow the user to write anywhere
- user = "root";
- group = "nixremote";
- };
- };
 };
 }
diff --git a/secrets/desko/README.md b/secrets/desko/README.md
index 2ccad7e5a..1118ab333 100644
--- a/secrets/desko/README.md
+++ b/secrets/desko/README.md
@@ -1,5 +1,3 @@
-- nix_serve_privkey.bin:
- - generate with `nix-store --generate-binary-cache-key desko cache-priv-key.pem cache-pub-key.pem`
 - colin-passwd.bin:
 - see
 - update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
diff --git a/secrets/desko/nix_serve_privkey.bin b/secrets/desko/nix_serve_privkey.bin
deleted file mode 100644
index c5e6e7d4c..000000000
--- a/secrets/desko/nix_serve_privkey.bin
+++ /dev/null
@@ -1,28 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:H47rSAxO2ktohfFRlmbB4qNEZGECfMg3SJSrhLNFXKSkboYRsqgQXmrnPHy7QphRlD6WnN+ocBGMVw0W9n5UJUOFJQTEG3a9xltRQuKSoLV05OzMkpU3jY2MfKWtIDo=,iv:2sDvuIBVskHhCgo3iAkyjrbBj4IQbOFEAOEekYEsaSI=,tag:veoxWv02bNL0meR1zwyS2Q==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZVVkanlzSmRkdlFIdnJi\nOVZNV05mZWczTDI0T2YraENBNXVqc0s3SHgwCjFHdkpGTnV2N0RySnc5L2VBMGMx\nMFRKQ1ZEV1Ywc3c4aUhkbjlkdktOTWMKLS0tIHg4K1RDMklmcXg5ZWwvbEhZTFZm\nejdHQmFQTklicmRwUkZ2b2J0TnVtZDgKx7/9IMIGA1pVAgJxrjsaWIUmJzrMhWC+\nPQvXgIfr8xIzMPV0EeDbLQGMnGuulfvp6WYO2uCb/DjMtzfO0jHKwg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTFJnTGJ5NGJRNkdOTEI1\nMDJKUFZsSjVrbmNySWpPU3Q3WGgxV2ZncVVvCmF3T3lrUkVweDB0cVVpNzA3Sk9m\nUXZYQTJnc3V1eldkZ2dHLzlXNFkvWEUKLS0tIFk0VG1ackY0ekFBVkR5V2t4aS9C\nMVA3YmZQR1FBUVpSQlNuM3BiQVBoN0UKugMq88tUmi8iP3qvJsCblL4hX1HUFn3V\nb7JzeSw4mvRxRsys6uao/EuCI2af+AW1ugzxAZDHHGH+B8lzaeeN9g==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MVc2QjZpQ3Z2SjdQNVlo\nSmkwanVDcU5Sd2JpYkp4Vk5pdTFuUWRrZVZZCnBnaGVZN0xmSnFRdWNwYVVjT2Nu\nMUYrVDdEWm1ETk1hYXBndXJKQkhhK28KLS0tIC9CeXBVKzZyUDd1QnF0MDRMYmtR\nSXMyY3VCTjEvMjZ2UFlSa1dMM0FyTDgKzyHEStZL4AxvGdiCg/hy56ebWCoCHrdL\nhWcmg9YMIBDeC/vER+Den8XS+YTDZLGv8rMUF5mwhpLWXtuQUnljnw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-05-14T02:12:39Z", - "mac": 
"ENC[AES256_GCM,data:GRu1gxVi2zqgYUJkV0f3rQ6CPTPzxSd/oxWM5tEbTLqki7WflTNTvn2R2U/2bHwq85JuXvKcBoCsC7kGaGR/kVF4j2YA9jGp1EmUUVpooU2+s1noQHObu1OT1DG46jKlUP8QTzIYrZZ4sIKi1zAyqDDFYs5recJEBEY2goEcApU=,iv:/2pvHmiM7hTydB5g//RJiyF521BCRWNEBD5hR4+t1d8=,tag:jrIQN/Xu6VhNZ/uiy5oBHA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file