Diffstat (limited to 'system-profiles/build-server')
-rw-r--r--system-profiles/build-server/clients/sif/private26
-rw-r--r--system-profiles/build-server/clients/sif/public1
-rw-r--r--system-profiles/build-server/default.nix35
3 files changed, 62 insertions, 0 deletions
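diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private
new file mode 100644
index 00000000..3b39664f
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/private
@@ -0,0 +1,26 @@
+{
+"data": "ENC[AES256_GCM,data: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,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": null,
+"lastmodified": "2021-09-27T18:11:41Z",
+"mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
+"pgp": [
+{
+"created_at": "2021-09-27T18:11:40Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n",
+"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+},
+{
+"created_at": "2021-09-27T18:11:40Z",
+"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n",
+"fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+}
+],
+"unencrypted_suffix": "_unencrypted",
+"version": "3.7.1"
+}
+}
\ No newline at end of file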
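diff --git a/system-profiles/build-server/clients/sif/public b/system-profiles/build-server/clients/sif/public
new file mode 100644
index 00000000..49d43107
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif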
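diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix
new file mode 100644
index 00000000..9c821f64
--- /dev/null
+++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
+{ customUtils, flake, config, lib, ... }:
+
+{
+imports = with flake.nixosModules.systemProfiles; [ openssh ];
+
+config = {
+users.groups.nix-ssh-builder = {};
+users.users.nix-ssh-builder = {
+description = "Nix build server user";
+useDefaultShell = true;
+isSystemUser = true;
+group = "nix-ssh-builder";
+};
+
+services.openssh = {
+enable = true;
+extraConfig = ''
+Match User nix-ssh-builder
+AllowAgentForwarding no
+AllowTcpForwarding no
+PermitTTY no
+PermitTunnel no
+X11Forwarding no
+ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
+Match All
+'';
+};
+
+users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
+let
+importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
+importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
+in importKeys ./clients;
+};
+}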
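Review bot: The ForceCommand at gutter line 24 runs `nix-store --serve --write`, so every key dropped under `clients/*/public` can push store paths into this host, and nothing in the file records whether that is intended or what guards it; `nix-ssh-builder` is not added to Nix's trusted-users here, which is what makes unsigned imports get rejected, but that setting lives outside this file. I'd add a comment above the Match block such as `# --write lets clients upload paths; keep nix-ssh-builder out of trusted-users so unsigned paths are rejected`. At gutter line 32, `builtins.readFile` keeps the trailing newline of each `public` file; it is harmless in authorizedKeys but `lib.removeSuffix "\n"` would keep the key list clean. NixOS's `nix.sshServe` option provides this same user/ForceCommand setup, so if the hand-rolled Match block is deliberate (e.g. for the per-client key directory), a one-line comment saying so would save the next reader the comparison.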