diff options
Diffstat (limited to 'system-profiles')
-rw-r--r-- | system-profiles/build-server/clients/sif/private | 26 | ||||
-rw-r--r-- | system-profiles/build-server/clients/sif/public | 1 | ||||
-rw-r--r-- | system-profiles/build-server/default.nix | 35 |
3 files changed, 62 insertions, 0 deletions
diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private new file mode 100644 index 00000000..3b39664f --- /dev/null +++ b/system-profiles/build-server/clients/sif/private | |||
@@ -0,0 +1,26 @@ | |||
1 | { | ||
2 | "data": "ENC[AES256_GCM,data:8CT1qg+/3hvJQyNiy9Xv76dMHv2lGKsYx+w/GAPY+WMQgtUIBzxYv8o2PMHIeZqETJX9xfAfwANweGanVrIM7RVdQSNPPGBiWa/2C1b2K2hJw5RtvmbuuDkIWkINwzvnRwtXwGcCpRt18DGe82SnaUrkqozJND1fVuzvvcb6aR81qvm7wdxQi6tZcCsUduzdZTDlLPqUIdEAq5WBvvXGdlJq2wgPINE0SBeOGFTt/wayl6bMzGlR55+V6MsP46Nvfxjg6md/Wbimyto1aulqQ7mniuWnDBdcfGy5L5y6AIlKlJ09+RkJxhIY2QLZW4Hw0vnROVytATtrmIRcMiAZeAUD7J7Xykw0QnFi3VcxC1QTgMbO+5MNCLggW48/RD/ph2uidBskixFllatFOS1//j9C6Qm6aragcmYVoAGDFoScKt8A90KrbmSO3u50WzXOsA07Fdk/mpyyHhdy7/PrQvnkPygGcag+QwhESFfFGQVQSSW1BPXv7H9N2Jq3RLFWaH9EljcHdCFM6zr0hh111at6Gtj9oy3xSpjr,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]", | ||
3 | "sops": { | ||
4 | "kms": null, | ||
5 | "gcp_kms": null, | ||
6 | "azure_kv": null, | ||
7 | "hc_vault": null, | ||
8 | "age": null, | ||
9 | "lastmodified": "2021-09-27T18:11:41Z", | ||
10 | "mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]", | ||
11 | "pgp": [ | ||
12 | { | ||
13 | "created_at": "2021-09-27T18:11:40Z", | ||
14 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n", | ||
15 | "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" | ||
16 | }, | ||
17 | { | ||
18 | "created_at": "2021-09-27T18:11:40Z", | ||
19 | "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n", | ||
20 | "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8" | ||
21 | } | ||
22 | ], | ||
23 | "unencrypted_suffix": "_unencrypted", | ||
24 | "version": "3.7.1" | ||
25 | } | ||
26 | } \ No newline at end of file | ||
diff --git a/system-profiles/build-server/clients/sif/public b/system-profiles/build-server/clients/sif/public new file mode 100644 index 00000000..49d43107 --- /dev/null +++ b/system-profiles/build-server/clients/sif/public | |||
@@ -0,0 +1 @@ | |||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif | |||
diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix new file mode 100644 index 00000000..9c821f64 --- /dev/null +++ b/system-profiles/build-server/default.nix | |||
@@ -0,0 +1,35 @@ | |||
1 | { customUtils, flake, config, lib, ... }: | ||
2 | |||
3 | { | ||
4 | imports = with flake.nixosModules.systemProfiles; [ openssh ]; | ||
5 | |||
6 | config = { | ||
7 | users.groups.nix-ssh-builder = {}; | ||
8 | users.users.nix-ssh-builder = { | ||
9 | description = "Nix build server user"; | ||
10 | useDefaultShell = true; | ||
11 | isSystemUser = true; | ||
12 | group = "nix-ssh-builder"; | ||
13 | }; | ||
14 | |||
15 | services.openssh = { | ||
16 | enable = true; | ||
17 | extraConfig = '' | ||
18 | Match User nix-ssh-builder | ||
19 | AllowAgentForwarding no | ||
20 | AllowTcpForwarding no | ||
21 | PermitTTY no | ||
22 | PermitTunnel no | ||
23 | X11Forwarding no | ||
24 | ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write | ||
25 | Match All | ||
26 | ''; | ||
27 | }; | ||
28 | |||
29 | users.users.nix-ssh-builder.openssh.authorizedKeys.keys = | ||
30 | let | ||
31 | importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir)); | ||
32 | importKeys' = dir: host: builtins.readFile (dir + "/${host}/public"); | ||
33 | in importKeys ./clients; | ||
34 | }; | ||
35 | } | ||