From 3c33dd66ea59e9b01b05c515c22df11bcaf94194 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 27 Sep 2021 23:06:10 +0200
Subject: vidhar/sif: build-server/build-client

---
system-profiles/build-server/clients/sif/private | 26 ++++++++++++++++++
system-profiles/build-server/clients/sif/public | 1 +
system-profiles/build-server/default.nix | 35 ++++++++++++++++++++++++
3 files changed, 62 insertions(+)
create mode 100644 system-profiles/build-server/clients/sif/private
create mode 100644 system-profiles/build-server/clients/sif/public
create mode 100644 system-profiles/build-server/default.nix
(limited to 'system-profiles/build-server')

diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private
new file mode 100644
index 00000000..3b39664f
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/private
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2021-09-27T18:11:41Z",
+ "mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2021-09-27T18:11:40Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ },
+ {
+ "created_at": "2021-09-27T18:11:40Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n",
+ "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/system-profiles/build-server/clients/sif/public b/system-profiles/build-server/clients/sif/public
new file mode 100644
index 00000000..49d43107
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif
diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix
new file mode 100644
index 00000000..9c821f64
--- /dev/null
+++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
+{ customUtils, flake, config, lib, ... }:
+
+{
+ imports = with flake.nixosModules.systemProfiles; [ openssh ];
+
+ config = {
+ users.groups.nix-ssh-builder = {};
+ users.users.nix-ssh-builder = {
+ description = "Nix build server user";
+ useDefaultShell = true;
+ isSystemUser = true;
+ group = "nix-ssh-builder";
+ };
+
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nix-ssh-builder
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
+ Match All
+ '';
+ };
+
+ users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
+ let
+ importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
+ importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
+ in importKeys ./clients;
+ };
+}
-- cgit v1.2.3
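Review bot: `ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write` grants every key collected from `./clients` write access to this host's store, yet nothing in the hunk adds `nix-ssh-builder` to `nix.settings.trusted-users`, so unsigned paths uploaded by a client (local build inputs are normally unsigned) will presumably be refused by the daemon unless that, or a relaxed `require-sigs`, is set in a module outside this view — worth confirming either way. If it is granted, note that all clients share the single `nix-ssh-builder` account with full store-write capability, distinguishable only by the comment field of their key; the `Match User … Match All` block otherwise appears to mirror the upstream `nix.sshServe` hardening. `importKeys'` uses `builtins.readFile`, which keeps the file's trailing newline (`clients/sif/public` has one, per its hunk), so each entry in `authorizedKeys.keys` ends with a newline; `lib.fileContents` strips it and is the conventional choice: `importKeys' = dir: host: lib.fileContents (dir + "/${host}/public");`. A subdirectory of `./clients` without a `public` file will fail evaluation in `importKeys'`, which is probably intended but deserves a one-line comment above `importKeys` saying so, e.g. `# every subdirectory of ./clients must contain a `public` key file`.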