desko: disable nix-serve
@@ -23,9 +23,7 @@
|
|||||||
sane.services.wg-home.enable = true;
|
sane.services.wg-home.enable = true;
|
||||||
sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
|
sane.services.wg-home.ip = config.sane.hosts.by-name."desko".wg-home.ip;
|
||||||
sane.services.duplicity.enable = true;
|
sane.services.duplicity.enable = true;
|
||||||
sane.services.nixserve.secretKeyFile = config.sops.secrets.nix_serve_privkey.path;
|
|
||||||
|
|
||||||
sane.nixcache.substituters.desko = false;
|
|
||||||
sane.nixcache.remote-builders.desko = false;
|
sane.nixcache.remote-builders.desko = false;
|
||||||
|
|
||||||
sane.programs.cups.enableFor.user.colin = true;
|
sane.programs.cups.enableFor.user.colin = true;
|
||||||
|
@@ -25,10 +25,6 @@
|
|||||||
sane.services.wg-home.enable = true;
|
sane.services.wg-home.enable = true;
|
||||||
sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
|
sane.services.wg-home.ip = config.sane.hosts.by-name."moby".wg-home.ip;
|
||||||
|
|
||||||
# for some reason desko -> moby deploys are super flaky when desko is also a nixcache (not true of desko -> lappy deploys, though!)
|
|
||||||
# > unable to download 'http://desko:5001/<hash>.narinfo': Server returned nothing (no headers, no data) (52)
|
|
||||||
sane.nixcache.substituters.desko = false;
|
|
||||||
|
|
||||||
# XXX colin: phosh doesn't work well with passwordless login,
|
# XXX colin: phosh doesn't work well with passwordless login,
|
||||||
# so set this more reliable default password should anything go wrong
|
# so set this more reliable default password should anything go wrong
|
||||||
users.users.colin.initialPassword = "147147";
|
users.users.colin.initialPassword = "147147";
|
||||||
|
@@ -29,7 +29,6 @@
|
|||||||
sane.services.wg-home.routeThroughServo = false;
|
sane.services.wg-home.routeThroughServo = false;
|
||||||
sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
|
sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
|
||||||
sane.nixcache.substituters.servo = false;
|
sane.nixcache.substituters.servo = false;
|
||||||
sane.nixcache.substituters.desko = false;
|
|
||||||
sane.nixcache.remote-builders.desko = false;
|
sane.nixcache.remote-builders.desko = false;
|
||||||
sane.nixcache.remote-builders.servo = false;
|
sane.nixcache.remote-builders.servo = false;
|
||||||
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
||||||
|
@@ -41,7 +41,6 @@ in
|
|||||||
cachix = subOpt true;
|
cachix = subOpt true;
|
||||||
# the interaction particularly between moby and nixcache.uninsane.org is just too finicky.
|
# the interaction particularly between moby and nixcache.uninsane.org is just too finicky.
|
||||||
servo = subOpt false;
|
servo = subOpt false;
|
||||||
desko = subOpt false;
|
|
||||||
};
|
};
|
||||||
sane.nixcache.remote-builders.desko = mkOption {
|
sane.nixcache.remote-builders.desko = mkOption {
|
||||||
default = true;
|
default = true;
|
||||||
@@ -57,17 +56,15 @@ in
|
|||||||
# use our own binary cache
|
# use our own binary cache
|
||||||
# to explicitly build from a specific cache (in case others are down):
|
# to explicitly build from a specific cache (in case others are down):
|
||||||
# - `nixos-rebuild ... --option substituters https://cache.nixos.org`
|
# - `nixos-rebuild ... --option substituters https://cache.nixos.org`
|
||||||
# - `nix build ... --substituters http://desko:5000`
|
# - `nix build ... --substituters ""`
|
||||||
nix.settings.substituters = mkIf cfg.enable (lib.flatten [
|
nix.settings.substituters = mkIf cfg.enable (lib.flatten [
|
||||||
(lib.optional cfg.substituters.servo "https://nixcache.uninsane.org")
|
(lib.optional cfg.substituters.servo "https://nixcache.uninsane.org")
|
||||||
(lib.optional cfg.substituters.desko "http://desko:${builtins.toString config.sane.services.nixserve.port}")
|
|
||||||
(lib.optional cfg.substituters.nixos "https://cache.nixos.org/")
|
(lib.optional cfg.substituters.nixos "https://cache.nixos.org/")
|
||||||
(lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
|
(lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
|
||||||
]);
|
]);
|
||||||
# always trust our keys (so one can explicitly use a substituter even if it's not the default
|
# always trust our keys (so one can explicitly use a substituter even if it's not the default
|
||||||
nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
|
nix.settings.trusted-public-keys = mkIf cfg.enable-trusted-keys [
|
||||||
"nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
|
"nixcache.uninsane.org:r3WILM6+QrkmsLgqVQcEdibFD7Q/4gyzD9dGT33GP70="
|
||||||
"desko:Q7mjjqoBMgNQ5P0e63sLur65A+D4f3Sv4QiycDIKxiI="
|
|
||||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||||
];
|
];
|
||||||
|
|
||||||
|
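Review bot: The rewritten example comment on the new side, `# - nix build ... --substituters ""`, sits under the heading "to explicitly build from a specific cache", but an empty substituter list means building with no cache at all, so the comment now contradicts its own heading. Either drop that line or label it, e.g. `# - nix build ... --substituters ""  (no caches: realise everything locally)`. The substituter list and trusted-public-keys below it read consistently with removing desko; the enclosing module body starts and ends outside the hunk.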
@@ -22,9 +22,35 @@ in
|
|||||||
# enable opt-in emulation of any package at runtime.
|
# enable opt-in emulation of any package at runtime.
|
||||||
# i.e. `nix build '.#hostPkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
|
# i.e. `nix build '.#hostPkgs.moby.bash' ; qemu-aarch64 ./result/bin/bash`.
|
||||||
sane.programs.qemu.enableFor.user.colin = true;
|
sane.programs.qemu.enableFor.user.colin = true;
|
||||||
# serve packages to other machines that ask for them
|
|
||||||
sane.services.nixserve.enable = true;
|
# act as a remote builder
|
||||||
sane.services.nixserve.remoteBuilderPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote";
|
nix.settings.trusted-users = [ "nixremote" ];
|
||||||
|
users.users.nixremote = {
|
||||||
|
isNormalUser = true;
|
||||||
|
home = "/home/nixremote";
|
||||||
|
# remove write permissions everywhere in the home dir.
|
||||||
|
# combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
|
||||||
|
# (in which case, i'm not actually sure why nixremote needs a home)
|
||||||
|
homeMode = "550";
|
||||||
|
group = "nixremote";
|
||||||
|
subUidRanges = [
|
||||||
|
{ startUid=300000; count=1; }
|
||||||
|
];
|
||||||
|
initialPassword = "";
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4KI7I2w5SvXRgUrXYiuBXPuTL+ZZsPoru5a2YkIuCf root@nixremote"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.groups.nixremote = {};
|
||||||
|
|
||||||
|
sane.users.nixremote = {
|
||||||
|
fs."/".dir.acl = {
|
||||||
|
# don't allow the user to write anywhere
|
||||||
|
user = "root";
|
||||||
|
group = "nixremote";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# each concurrent derivation realization uses a different nix build user.
|
# each concurrent derivation realization uses a different nix build user.
|
||||||
# default is 32 build users, limiting us to that many concurrent jobs.
|
# default is 32 build users, limiting us to that many concurrent jobs.
|
||||||
|
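Review bot: `initialPassword = "";` on the newly added nixremote user gives a key-only builder account an empty password, which allows password-less login on any local console (and over SSH should `PermitEmptyPasswords` ever be enabled), while the only intended credential is the `openssh.authorizedKeys.keys` entry a few lines below. As far as I recall NixOS leaves the password locked when no password option is given, so dropping the line — or pinning it explicitly with `hashedPassword = "!";` — closes this without touching the SSH path; please confirm against the users-groups module before relying on the default. `nix.settings.trusted-users = [ "nixremote" ];` also deserves a why-comment, since a trusted user may override daemon settings and import unsigned store paths, e.g. `# trusted so remote-build clients can push unsigned paths via nix-store --serve --write`. The enclosing attribute set begins and ends outside the hunk.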
@@ -24,9 +24,6 @@ in
|
|||||||
type = types.path;
|
type = types.path;
|
||||||
description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
|
description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
|
||||||
};
|
};
|
||||||
sane.services.nixserve.remoteBuilderPubkey = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
@@ -48,34 +45,5 @@ in
|
|||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
users.groups.nix-serve = {};
|
users.groups.nix-serve = {};
|
||||||
|
|
||||||
# act as a remote builder
|
|
||||||
nix.settings.trusted-users = [ "nixremote" ];
|
|
||||||
users.users.nixremote = {
|
|
||||||
isNormalUser = true;
|
|
||||||
home = "/home/nixremote";
|
|
||||||
# remove write permissions everywhere in the home dir.
|
|
||||||
# combined with an ownership of root:nixremote, that means not even nixremote can write anything below this directory
|
|
||||||
# (in which case, i'm not actually sure why nixremote needs a home)
|
|
||||||
homeMode = "550";
|
|
||||||
group = "nixremote";
|
|
||||||
subUidRanges = [
|
|
||||||
{ startUid=300000; count=1; }
|
|
||||||
];
|
|
||||||
initialPassword = "";
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
cfg.remoteBuilderPubkey
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups.nixremote = {};
|
|
||||||
|
|
||||||
sane.users.nixremote = {
|
|
||||||
fs."/".dir.acl = {
|
|
||||||
# don't allow the user to write anywhere
|
|
||||||
user = "root";
|
|
||||||
group = "nixremote";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@@ -1,5 +1,3 @@
|
|||||||
- nix_serve_privkey.bin:
|
|
||||||
- generate with `nix-store --generate-binary-cache-key desko cache-priv-key.pem cache-pub-key.pem`
|
|
||||||
- colin-passwd.bin:
|
- colin-passwd.bin:
|
||||||
- see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.hashedPasswordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
|
- see <https://search.nixos.org/options?channel=unstable&show=users.users.%3Cname%3E.hashedPasswordFile&from=0&size=50&sort=relevance&type=packages&query=users.users>
|
||||||
- update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
|
- update by running `sudo passwd colin` and then taking the 2nd item from the colin: line in /etc/shadow
|
||||||
|
@@ -1,28 +0,0 @@
|
|||||||
{
|
|
||||||
"data": "ENC[AES256_GCM,data:H47rSAxO2ktohfFRlmbB4qNEZGECfMg3SJSrhLNFXKSkboYRsqgQXmrnPHy7QphRlD6WnN+ocBGMVw0W9n5UJUOFJQTEG3a9xltRQuKSoLV05OzMkpU3jY2MfKWtIDo=,iv:2sDvuIBVskHhCgo3iAkyjrbBj4IQbOFEAOEekYEsaSI=,tag:veoxWv02bNL0meR1zwyS2Q==,type:str]",
|
|
||||||
"sops": {
|
|
||||||
"kms": null,
|
|
||||||
"gcp_kms": null,
|
|
||||||
"azure_kv": null,
|
|
||||||
"hc_vault": null,
|
|
||||||
"age": [
|
|
||||||
{
|
|
||||||
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZVVkanlzSmRkdlFIdnJi\nOVZNV05mZWczTDI0T2YraENBNXVqc0s3SHgwCjFHdkpGTnV2N0RySnc5L2VBMGMx\nMFRKQ1ZEV1Ywc3c4aUhkbjlkdktOTWMKLS0tIHg4K1RDMklmcXg5ZWwvbEhZTFZm\nejdHQmFQTklicmRwUkZ2b2J0TnVtZDgKx7/9IMIGA1pVAgJxrjsaWIUmJzrMhWC+\nPQvXgIfr8xIzMPV0EeDbLQGMnGuulfvp6WYO2uCb/DjMtzfO0jHKwg==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTFJnTGJ5NGJRNkdOTEI1\nMDJKUFZsSjVrbmNySWpPU3Q3WGgxV2ZncVVvCmF3T3lrUkVweDB0cVVpNzA3Sk9m\nUXZYQTJnc3V1eldkZ2dHLzlXNFkvWEUKLS0tIFk0VG1ackY0ekFBVkR5V2t4aS9C\nMVA3YmZQR1FBUVpSQlNuM3BiQVBoN0UKugMq88tUmi8iP3qvJsCblL4hX1HUFn3V\nb7JzeSw4mvRxRsys6uao/EuCI2af+AW1ugzxAZDHHGH+B8lzaeeN9g==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
|
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MVc2QjZpQ3Z2SjdQNVlo\nSmkwanVDcU5Sd2JpYkp4Vk5pdTFuUWRrZVZZCnBnaGVZN0xmSnFRdWNwYVVjT2Nu\nMUYrVDdEWm1ETk1hYXBndXJKQkhhK28KLS0tIC9CeXBVKzZyUDd1QnF0MDRMYmtR\nSXMyY3VCTjEvMjZ2UFlSa1dMM0FyTDgKzyHEStZL4AxvGdiCg/hy56ebWCoCHrdL\nhWcmg9YMIBDeC/vER+Den8XS+YTDZLGv8rMUF5mwhpLWXtuQUnljnw==\n-----END AGE ENCRYPTED FILE-----\n"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"lastmodified": "2023-05-14T02:12:39Z",
|
|
||||||
"mac": "ENC[AES256_GCM,data:GRu1gxVi2zqgYUJkV0f3rQ6CPTPzxSd/oxWM5tEbTLqki7WflTNTvn2R2U/2bHwq85JuXvKcBoCsC7kGaGR/kVF4j2YA9jGp1EmUUVpooU2+s1noQHObu1OT1DG46jKlUP8QTzIYrZZ4sIKi1zAyqDDFYs5recJEBEY2goEcApU=,iv:/2pvHmiM7hTydB5g//RJiyF521BCRWNEBD5hR4+t1d8=,tag:jrIQN/Xu6VhNZ/uiy5oBHA==,type:str]",
|
|
||||||
"pgp": null,
|
|
||||||
"unencrypted_suffix": "_unencrypted",
|
|
||||||
"version": "3.7.3"
|
|
||||||
}
|
|
||||||
}
|
|