vidhar/sif: build-server/build-client

author: Gregor Kleen <gkleen@yggdrasil.li> 2021-09-27 23:06:10 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2021-09-27 23:06:10 +0200
commit: 3c33dd66ea59e9b01b05c515c22df11bcaf94194 (patch)
tree: 2894ae9d0486bbb4c4657f67820f247a1052558f
parent: ecf32ed77857e76322394cc53aa37e4d971ddd9d (diff)
download: nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar
nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar.gz
nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar.bz2
nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar.xz
nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.zip
8 files changed, 181 insertions, 3 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 3109d852..4b303d9a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -272,6 +272,13 @@
      autoOptimiseStore = true;
      daemonNiceLevel = 10;
      daemonIONiceLevel = 3;
+      buildServers.vidhar = {
+        address = "192.168.2.168";
+        system = "x86_64-linux";
+        speedFactor = 4;
+        supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+      };
    };
    environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index fb4256f6..ae0a8168 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -3,6 +3,7 @@
  imports = with flake.nixosModules.systemProfiles; [
    ./zfs.nix
    initrd-all-crypto-modules default-locale openssh rebuild-machines
+    build-server
    initrd-ssh
  ];
diff --git a/modules/build-client.nix b/modules/build-client.nix
new file mode 100644
index 00000000..763fdb38
--- /dev/null
+++ b/modules/build-client.nix
@@ -0,0 +1,108 @@
+{ flake, config, lib, hostName, ... }:
+with lib;
+let
+  cfg = config.nix.buildServers;
+  secretName = name: "nix-ssh-builder-${name}-private";
+in {
+  options = {
+    nix = {
+      buildServers = mkOption {
+        type = types.attrsOf (types.submodule {
+          options = {
+            address = mkOption {
+              type = types.str;
+            };
+            system = mkOption {
+              type = types.nullOr types.str;
+              default = null;
+              example = "x86_64-linux";
+              description = ''
+                The system type the build machine can execute derivations on.
+                Either this attribute or <varname>systems</varname> must be
+                present, where <varname>system</varname> takes precedence if
+                both are set.
+              '';
+            };
+            systems = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = [ "x86_64-linux" "aarch64-linux" ];
+              description = ''
+                The system types the build machine can execute derivations on.
+                Either this attribute or <varname>system</varname> must be
+                present, where <varname>system</varname> takes precedence if
+                both are set.
+              '';
+            };
+            maxJobs = mkOption {
+              type = types.int;
+              default = 1;
+              description = ''
+                The number of concurrent jobs the build machine supports. The
+                build machine will enforce its own limits, but this allows hydra
+                to schedule better since there is no work-stealing between build
+                machines.
+              '';
+            };
+            speedFactor = mkOption {
+              type = types.int;
+              default = 1;
+              description = ''
+                The relative speed of this builder. This is an arbitrary integer
+                that indicates the speed of this builder, relative to other
+                builders. Higher is faster.
+              '';
+            };
+            mandatoryFeatures = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = [ "big-parallel" ];
+              description = ''
+                A list of features mandatory for this builder. The builder will
+                be ignored for derivations that don't require all features in
+                this list. All mandatory features are automatically included in
+                <varname>supportedFeatures</varname>.
+              '';
+            };
+            supportedFeatures = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = [ "kvm" "big-parallel" ];
+              description = ''
+                A list of features supported by this builder. The builder will
+                be ignored for derivations that require features not in this
+                list.
+              '';
+            };
+          };
+        });
+        default = {};
+      };
+    };
+  };
+  
+  config = mkIf (cfg != {}) {
+    programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
+      Host ${name}
+        User nix-ssh-builder
+        HostName ${value.address}
+        IdentitiesOnly yes
+        IdentityFile ${config.sops.secrets.${secretName name}.path}
+        ControlMaster auto
+        ControlPath /run/nix-ssh-builder-master-%r@%n:%p
+        ControlPersist 30m
+        Compression yes
+        ForwardAgent no
+        ServerAliveInterval 6
+        ServerAliveCountMax 10
+    '') (mapAttrsToList nameValuePair cfg);
+    sops.secrets = mapAttrs' (name: hCfg: nameValuePair (secretName name) { sopsFile = ../system-profiles/build-server/clients + "/${hostName}/private"; format = "binary"; }) cfg;
+    nix.buildMachines = mapAttrsToList (hostName: hCfg: { inherit hostName; inherit (hCfg) system systems maxJobs speedFactor mandatoryFeatures supportedFeatures; }) cfg;
+  };
+}
diff --git a/overlays/uhk-agent.nix b/overlays/uhk-agent.nix
index 3110c835..1b37121f 100644
--- a/overlays/uhk-agent.nix
+++ b/overlays/uhk-agent.nix
@@ -2,13 +2,13 @@ final: prev:
 {
  uhk-agent = 
    let
-      version = "1.5.14";
+      version = "1.5.15";
      image = prev.stdenv.mkDerivation {
        name = "uhk-agent-image";
        src = prev.fetchurl {
          url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
-          hash = "sha256-D3sLjhWoeFVGgsFJo7/vsx4Dh8RsE+S6AA8z4Hsk8Ps=";
+          hash = "sha256-t2Jwd/x0eTZ4xBaCb/FomH/zSRLt7IIERUF9n9ONCpE=";
        };
        buildCommand = ''
          install -m 0644 $src $out
diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private
new file mode 100644
index 00000000..3b39664f
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/private
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:8CT1qg+/3hvJQyNiy9Xv76dMHv2lGKsYx+w/GAPY+WMQgtUIBzxYv8o2PMHIeZqETJX9xfAfwANweGanVrIM7RVdQSNPPGBiWa/2C1b2K2hJw5RtvmbuuDkIWkINwzvnRwtXwGcCpRt18DGe82SnaUrkqozJND1fVuzvvcb6aR81qvm7wdxQi6tZcCsUduzdZTDlLPqUIdEAq5WBvvXGdlJq2wgPINE0SBeOGFTt/wayl6bMzGlR55+V6MsP46Nvfxjg6md/Wbimyto1aulqQ7mniuWnDBdcfGy5L5y6AIlKlJ09+RkJxhIY2QLZW4Hw0vnROVytATtrmIRcMiAZeAUD7J7Xykw0QnFi3VcxC1QTgMbO+5MNCLggW48/RD/ph2uidBskixFllatFOS1//j9C6Qm6aragcmYVoAGDFoScKt8A90KrbmSO3u50WzXOsA07Fdk/mpyyHhdy7/PrQvnkPygGcag+QwhESFfFGQVQSSW1BPXv7H9N2Jq3RLFWaH9EljcHdCFM6zr0hh111at6Gtj9oy3xSpjr,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2021-09-27T18:11:41Z",
+                "mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2021-09-27T18:11:40Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        },
+                        {
+                                "created_at": "2021-09-27T18:11:40Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n",
+                                "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/system-profiles/build-server/clients/sif/public b/system-profiles/build-server/clients/sif/public
new file mode 100644
index 00000000..49d43107
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif
diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix
new file mode 100644
index 00000000..9c821f64
--- /dev/null
+++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
+{ customUtils, flake, config, lib, ... }:
+{
+  imports = with flake.nixosModules.systemProfiles; [ openssh ];
+  
+  config = {
+    users.groups.nix-ssh-builder = {};
+    users.users.nix-ssh-builder = {
+      description = "Nix build server user";
+      useDefaultShell = true;
+      isSystemUser = true;
+      group = "nix-ssh-builder";
+    };
+    services.openssh = {
+      enable = true;
+      extraConfig = ''
+        Match User nix-ssh-builder
+          AllowAgentForwarding no
+          AllowTcpForwarding no
+          PermitTTY no
+          PermitTunnel no
+          X11Forwarding no
+          ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
+        Match All
+      '';
+    };
+    users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
+      let
+        importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
+        importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
+      in importKeys ./clients;
+  };
+}
diff --git a/utils/default.nix b/utils/default.nix
index 48add212..75d886a3 100644
--- a/utils/default.nix
+++ b/utils/default.nix
@@ -2,7 +2,7 @@
 rec {
  inherit (builtins) readDir;
  inherit (lib) filterAttrs hasSuffix removeSuffix mapAttrs' nameValuePair isFunction functionArgs setFunctionArgs id;
-  mapFilterAttrs = seive: f: attrs: filterAttrs seive (mapAttrs' f attrs);
+  mapFilterAttrs = sieve: f: attrs: filterAttrs sieve (mapAttrs' f attrs);
  nixImport = { dir, _import ? name: _base: import "${toString dir}/${name}" }:
    mapFilterAttrs
      (_: v: v != null)
author	Gregor Kleen <gkleen@yggdrasil.li>	2021-09-27 23:06:10 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2021-09-27 23:06:10 +0200
commit	3c33dd66ea59e9b01b05c515c22df11bcaf94194 (patch)
tree	2894ae9d0486bbb4c4657f67820f247a1052558f
parent	ecf32ed77857e76322394cc53aa37e4d971ddd9d (diff)
download	nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar.gz nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar.bz2 nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.tar.xz nixos-3c33dd66ea59e9b01b05c515c22df11bcaf94194.zip

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 3109d852..4b303d9a 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix
@@ -272,6 +272,13 @@
272	autoOptimiseStore = true;	272	autoOptimiseStore = true;
273	daemonNiceLevel = 10;	273	daemonNiceLevel = 10;
274	daemonIONiceLevel = 3;	274	daemonIONiceLevel = 3;
		275
		276	buildServers.vidhar = {
		277	address = "192.168.2.168";
		278	system = "x86_64-linux";
		279	speedFactor = 4;
		280	supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
		281	};
275	};	282	};
276		283
277	environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;	284	environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;


diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index fb4256f6..ae0a8168 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -3,6 +3,7 @@
3	imports = with flake.nixosModules.systemProfiles; [	3	imports = with flake.nixosModules.systemProfiles; [
4	./zfs.nix	4	./zfs.nix
5	initrd-all-crypto-modules default-locale openssh rebuild-machines	5	initrd-all-crypto-modules default-locale openssh rebuild-machines
		6	build-server
6	initrd-ssh	7	initrd-ssh
7	];	8	];
8		9


diff --git a/modules/build-client.nix b/modules/build-client.nix new file mode 100644 index 00000000..763fdb38 --- /dev/null +++ b/modules/build-client.nix
@@ -0,0 +1,108 @@
		1	{ flake, config, lib, hostName, ... }:
		2
		3	with lib;
		4
		5	let
		6	cfg = config.nix.buildServers;
		7
		8	secretName = name: "nix-ssh-builder-${name}-private";
		9	in {
		10	options = {
		11	nix = {
		12	buildServers = mkOption {
		13	type = types.attrsOf (types.submodule {
		14	options = {
		15	address = mkOption {
		16	type = types.str;
		17	};
		18
		19	system = mkOption {
		20	type = types.nullOr types.str;
		21	default = null;
		22	example = "x86_64-linux";
		23	description = ''
		24	The system type the build machine can execute derivations on.
		25	Either this attribute or <varname>systems</varname> must be
		26	present, where <varname>system</varname> takes precedence if
		27	both are set.
		28	'';
		29	};
		30	systems = mkOption {
		31	type = types.listOf types.str;
		32	default = [];
		33	example = [ "x86_64-linux" "aarch64-linux" ];
		34	description = ''
		35	The system types the build machine can execute derivations on.
		36	Either this attribute or <varname>system</varname> must be
		37	present, where <varname>system</varname> takes precedence if
		38	both are set.
		39	'';
		40	};
		41	maxJobs = mkOption {
		42	type = types.int;
		43	default = 1;
		44	description = ''
		45	The number of concurrent jobs the build machine supports. The
		46	build machine will enforce its own limits, but this allows hydra
		47	to schedule better since there is no work-stealing between build
		48	machines.
		49	'';
		50	};
		51	speedFactor = mkOption {
		52	type = types.int;
		53	default = 1;
		54	description = ''
		55	The relative speed of this builder. This is an arbitrary integer
		56	that indicates the speed of this builder, relative to other
		57	builders. Higher is faster.
		58	'';
		59	};
		60	mandatoryFeatures = mkOption {
		61	type = types.listOf types.str;
		62	default = [];
		63	example = [ "big-parallel" ];
		64	description = ''
		65	A list of features mandatory for this builder. The builder will
		66	be ignored for derivations that don't require all features in
		67	this list. All mandatory features are automatically included in
		68	<varname>supportedFeatures</varname>.
		69	'';
		70	};
		71	supportedFeatures = mkOption {
		72	type = types.listOf types.str;
		73	default = [];
		74	example = [ "kvm" "big-parallel" ];
		75	description = ''
		76	A list of features supported by this builder. The builder will
		77	be ignored for derivations that require features not in this
		78	list.
		79	'';
		80	};
		81	};
		82	});
		83	default = {};
		84	};
		85	};
		86	};
		87
		88	config = mkIf (cfg != {}) {
		89	programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
		90	Host ${name}
		91	User nix-ssh-builder
		92	HostName ${value.address}
		93	IdentitiesOnly yes
		94	IdentityFile ${config.sops.secrets.${secretName name}.path}
		95	ControlMaster auto
		96	ControlPath /run/nix-ssh-builder-master-%r@%n:%p
		97	ControlPersist 30m
		98	Compression yes
		99	ForwardAgent no
		100	ServerAliveInterval 6
		101	ServerAliveCountMax 10
		102	'') (mapAttrsToList nameValuePair cfg);
		103
		104	sops.secrets = mapAttrs' (name: hCfg: nameValuePair (secretName name) { sopsFile = ../system-profiles/build-server/clients + "/${hostName}/private"; format = "binary"; }) cfg;
		105
		106	nix.buildMachines = mapAttrsToList (hostName: hCfg: { inherit hostName; inherit (hCfg) system systems maxJobs speedFactor mandatoryFeatures supportedFeatures; }) cfg;
		107	};
		108	}


diff --git a/overlays/uhk-agent.nix b/overlays/uhk-agent.nix index 3110c835..1b37121f 100644 --- a/overlays/uhk-agent.nix +++ b/overlays/uhk-agent.nix
@@ -2,13 +2,13 @@ final: prev:
2	{	2	{
3	uhk-agent =	3	uhk-agent =
4	let	4	let
5	version = "1.5.14";	5	version = "1.5.15";
6		6
7	image = prev.stdenv.mkDerivation {	7	image = prev.stdenv.mkDerivation {
8	name = "uhk-agent-image";	8	name = "uhk-agent-image";
9	src = prev.fetchurl {	9	src = prev.fetchurl {
10	url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";	10	url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
11	hash = "sha256-D3sLjhWoeFVGgsFJo7/vsx4Dh8RsE+S6AA8z4Hsk8Ps=";	11	hash = "sha256-t2Jwd/x0eTZ4xBaCb/FomH/zSRLt7IIERUF9n9ONCpE=";
12	};	12	};
13	buildCommand = ''	13	buildCommand = ''
14	install -m 0644 $src $out	14	install -m 0644 $src $out


diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private new file mode 100644 index 00000000..3b39664f --- /dev/null +++ b/system-profiles/build-server/clients/sif/private
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:8CT1qg+/3hvJQyNiy9Xv76dMHv2lGKsYx+w/GAPY+WMQgtUIBzxYv8o2PMHIeZqETJX9xfAfwANweGanVrIM7RVdQSNPPGBiWa/2C1b2K2hJw5RtvmbuuDkIWkINwzvnRwtXwGcCpRt18DGe82SnaUrkqozJND1fVuzvvcb6aR81qvm7wdxQi6tZcCsUduzdZTDlLPqUIdEAq5WBvvXGdlJq2wgPINE0SBeOGFTt/wayl6bMzGlR55+V6MsP46Nvfxjg6md/Wbimyto1aulqQ7mniuWnDBdcfGy5L5y6AIlKlJ09+RkJxhIY2QLZW4Hw0vnROVytATtrmIRcMiAZeAUD7J7Xykw0QnFi3VcxC1QTgMbO+5MNCLggW48/RD/ph2uidBskixFllatFOS1//j9C6Qm6aragcmYVoAGDFoScKt8A90KrbmSO3u50WzXOsA07Fdk/mpyyHhdy7/PrQvnkPygGcag+QwhESFfFGQVQSSW1BPXv7H9N2Jq3RLFWaH9EljcHdCFM6zr0hh111at6Gtj9oy3xSpjr,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2021-09-27T18:11:41Z",
		10	"mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2021-09-27T18:11:40Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n",
		15	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		16	},
		17	{
		18	"created_at": "2021-09-27T18:11:40Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n",
		20	"fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file


diff --git a/system-profiles/build-server/clients/sif/public b/system-profiles/build-server/clients/sif/public new file mode 100644 index 00000000..49d43107 --- /dev/null +++ b/system-profiles/build-server/clients/sif/public
@@ -0,0 +1 @@
			ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif


diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix new file mode 100644 index 00000000..9c821f64 --- /dev/null +++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
		1	{ customUtils, flake, config, lib, ... }:
		2
		3	{
		4	imports = with flake.nixosModules.systemProfiles; [ openssh ];
		5
		6	config = {
		7	users.groups.nix-ssh-builder = {};
		8	users.users.nix-ssh-builder = {
		9	description = "Nix build server user";
		10	useDefaultShell = true;
		11	isSystemUser = true;
		12	group = "nix-ssh-builder";
		13	};
		14
		15	services.openssh = {
		16	enable = true;
		17	extraConfig = ''
		18	Match User nix-ssh-builder
		19	AllowAgentForwarding no
		20	AllowTcpForwarding no
		21	PermitTTY no
		22	PermitTunnel no
		23	X11Forwarding no
		24	ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
		25	Match All
		26	'';
		27	};
		28
		29	users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
		30	let
		31	importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
		32	importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
		33	in importKeys ./clients;
		34	};
		35	}


diff --git a/utils/default.nix b/utils/default.nix index 48add212..75d886a3 100644 --- a/utils/default.nix +++ b/utils/default.nix
@@ -2,7 +2,7 @@
2	rec {	2	rec {
3	inherit (builtins) readDir;	3	inherit (builtins) readDir;
4	inherit (lib) filterAttrs hasSuffix removeSuffix mapAttrs' nameValuePair isFunction functionArgs setFunctionArgs id;	4	inherit (lib) filterAttrs hasSuffix removeSuffix mapAttrs' nameValuePair isFunction functionArgs setFunctionArgs id;
5	mapFilterAttrs = seive: f: attrs: filterAttrs seive (mapAttrs' f attrs);	5	mapFilterAttrs = sieve: f: attrs: filterAttrs sieve (mapAttrs' f attrs);
6	nixImport = { dir, _import ? name: _base: import "${toString dir}/${name}" }:	6	nixImport = { dir, _import ? name: _base: import "${toString dir}/${name}" }:
7	mapFilterAttrs	7	mapFilterAttrs
8	(_: v: v != null)	8	(_: v: v != null)