feat: use seperate keys for remotebuild auth
parent
20952f4c82
commit
2995d7f504
1 changed files with 29 additions and 9 deletions
@ -1,8 +1,8 @@
|
||||||
{
|
{
|
||||||
config,
|
|
||||||
clan-core,
|
|
||||||
self,
|
|
||||||
lib,
|
lib,
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
self,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
|
|
@ -22,6 +22,8 @@ let
|
||||||
|
|
||||||
others = filterAttrs (n: v: n != config.networking.hostName) self.nixosConfigurations;
|
others = filterAttrs (n: v: n != config.networking.hostName) self.nixosConfigurations;
|
||||||
|
|
||||||
|
max = a: b: if a > b then a else b;
|
||||||
|
|
||||||
mkBuilder =
|
mkBuilder =
|
||||||
hostName: attrs:
|
hostName: attrs:
|
||||||
let
|
let
|
||||||
|
|
@ -40,7 +42,7 @@ let
|
||||||
protocol = "ssh-ng";
|
protocol = "ssh-ng";
|
||||||
# default is 1 but may keep the builder idle in between builds
|
# default is 1 but may keep the builder idle in between builds
|
||||||
maxJobs = 3;
|
maxJobs = 3;
|
||||||
speedFactor = cfg'.speedFactor - (cfg.speedFactor) + 1;
|
speedFactor = max (cfg'.speedFactor - cfg.speedFactor + 1) 1;
|
||||||
supportedFeatures = cfg'.supportedFeatures;
|
supportedFeatures = cfg'.supportedFeatures;
|
||||||
mandatoryFeatures = [ ];
|
mandatoryFeatures = [ ];
|
||||||
};
|
};
|
||||||
|
|
@ -48,8 +50,16 @@ let
|
||||||
buildMachines = mapAttrsToList mkBuilder others;
|
buildMachines = mapAttrsToList mkBuilder others;
|
||||||
|
|
||||||
remotebuildKeys = mapAttrsToList (
|
remotebuildKeys = mapAttrsToList (
|
||||||
_name: attrs: attrs.config.clan.core.vars.generators.openssh.files."ssh.id_ed25519.pub".value
|
_name: attrs: attrs.config.clan.core.vars.generators.remotebuild.files."ssh.id_ed25519.pub".value
|
||||||
) others;
|
) others;
|
||||||
|
|
||||||
|
mkMatch = host:
|
||||||
|
''
|
||||||
|
Match User remotebuild Host ${host}
|
||||||
|
IdentityFile ${config.clan.core.vars.generators.remotebuild.files."ssh.id_ed25519".path}
|
||||||
|
'';
|
||||||
|
othersName = attrNames others;
|
||||||
|
sshConfig = concatLines (map mkMatch othersName);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.our.buildMachines = {
|
options.our.buildMachines = {
|
||||||
|
|
@ -88,10 +98,20 @@ in
|
||||||
|
|
||||||
users.groups.remotebuild = { };
|
users.groups.remotebuild = { };
|
||||||
|
|
||||||
programs.ssh.extraConfig = ''
|
clan.core.vars.generators.remotebuild = {
|
||||||
Match User remotebuild
|
files."ssh.id_ed25519" = { };
|
||||||
IdentityFile ${config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path}
|
files."ssh.id_ed25519.pub".secret = false;
|
||||||
'';
|
runtimeInputs = [
|
||||||
|
pkgs.coreutils
|
||||||
|
pkgs.openssh
|
||||||
|
];
|
||||||
|
script = ''
|
||||||
|
ssh-keygen -t ed25519 -N "" -f "$out"/ssh.id_ed25519
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
programs.ssh.extraConfig = sshConfig;
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
buildMachines = buildMachines;
|
buildMachines = buildMachines;
|
||||||
# required, otherwise remote buildMachines above aren't used
|
# required, otherwise remote buildMachines above aren't used
|
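Review bot: The generator script in the last hunk runs `ssh-keygen -t ed25519 -N "" -f "$out"/ssh.id_ed25519` with ssh-keygen's default key comment, so the public key that `remotebuildKeys` collects from every other host (and presumably installs as an authorized key) carries the `user@host` string of whichever machine happened to run the generator; passing `-C ""` or a fixed label such as `-C remotebuild` keeps the published key free of that incidental detail. `files."ssh.id_ed25519.pub".secret = false;` is what makes the eval-time `.value` read in `remotebuildKeys` possible, while `files."ssh.id_ed25519" = { };` relies on the generator's default for the private key being secret, and a comment next to those two lines such as `# private key keeps the default (secret); .pub must be non-secret so other hosts can read .value at eval time` would record that coupling. The private key is then used as the `IdentityFile` for `Match User remotebuild Host …`, so whichever user the nix-daemon opens the ssh connection as (root by default, I believe) must own or be able to read the deployed file under ssh's restrictive permission check — worth confirming against how clan vars deploys secret files. The enclosing module config attribute set starts and ends outside this hunk.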