2023-04-22 23:04:46 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
2023-01-17 00:34:56 +01:00
|
|
|
|
2023-04-22 23:04:46 +02:00
|
|
|
let
|
|
|
|
|
cfg = config.nix;
|
|
|
|
|
in
|
2023-01-17 00:34:56 +01:00
|
|
|
{
|
|
|
|
|
options.nix = {
|
2023-01-17 02:14:18 +01:00
|
|
|
deleteChannels = lib.mkEnableOption "" // { description = "Whether to delete all channels on a system switch."; };
|
2023-01-17 00:34:56 +01:00
|
|
|
|
2023-03-25 16:23:42 +01:00
|
|
|
deleteUserProfiles = lib.mkEnableOption "" // { description = "Whether to delete all user profiles on a system switch."; };
|
2023-04-22 23:04:46 +02:00
|
|
|
|
|
|
|
|
remoteBuilder = {
|
|
|
|
|
enable = lib.mkEnableOption "restricted nix remote builder";
|
|
|
|
|
|
|
|
|
|
sshPublicKeys = lib.mkOption {
|
2023-04-24 17:35:56 +02:00
|
|
|
description = "SSH public keys accepted by the remote build user.";
|
2023-04-22 23:04:46 +02:00
|
|
|
type = lib.types.listOf lib.types.str;
|
|
|
|
|
};
|
2023-04-24 17:35:56 +02:00
|
|
|
|
|
|
|
|
name = lib.mkOption {
|
|
|
|
|
description = "Name of the user used for remote building.";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
readOnly = true;
|
|
|
|
|
default = "nix-remote-builder";
|
|
|
|
|
};
|
2023-04-22 23:04:46 +02:00
|
|
|
};
|
2023-01-17 00:34:56 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = {
|
2023-04-22 23:04:46 +02:00
|
|
|
# based on https://github.com/numtide/srvos/blob/main/nixos/roles/nix-remote-builder.nix
|
|
|
|
|
# and https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834
|
2023-04-24 17:35:56 +02:00
|
|
|
nix.settings.trusted-users = lib.mkIf cfg.remoteBuilder.enable [ cfg.remoteBuilder.name ];
|
2023-04-22 23:04:46 +02:00
|
|
|
|
2023-04-24 17:35:56 +02:00
|
|
|
users.users.${cfg.remoteBuilder.name} = lib.mkIf cfg.remoteBuilder.enable {
|
2023-04-22 23:04:46 +02:00
|
|
|
group = "nogroup";
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
openssh.authorizedKeys.keys = map
|
|
|
|
|
(key:
|
|
|
|
|
let
|
|
|
|
|
wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" /* bash */ ''
|
|
|
|
|
case $SSH_ORIGINAL_COMMAND in
|
|
|
|
|
"nix-daemon --stdio")
|
2023-06-26 19:03:27 +02:00
|
|
|
exec ${config.nix.package}/bin/nix-daemon --stdio
|
2023-04-22 23:04:46 +02:00
|
|
|
;;
|
|
|
|
|
"nix-store --serve --write")
|
2023-06-26 19:03:27 +02:00
|
|
|
exec ${config.nix.package}/bin/nix-store --serve --write
|
2023-04-22 23:04:46 +02:00
|
|
|
;;
|
|
|
|
|
*)
|
2023-04-23 01:14:28 +02:00
|
|
|
echo "Access is only allowed for the nix remote builder" 1>&2
|
2023-04-22 23:04:46 +02:00
|
|
|
exit 1
|
|
|
|
|
esac
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
in
|
|
|
|
|
"restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ${key}"
|
|
|
|
|
)
|
|
|
|
|
config.nix.remoteBuilder.sshPublicKeys;
|
|
|
|
|
};
|
|
|
|
|
|
2023-01-17 02:12:16 +01:00
|
|
|
system.activationScripts = {
|
2023-04-22 23:04:46 +02:00
|
|
|
deleteChannels = lib.mkIf cfg.deleteChannels ''
|
2023-01-17 00:34:56 +01:00
|
|
|
echo "Deleting all channels..."
|
2023-05-02 21:50:05 +02:00
|
|
|
rm -rf /root/.nix-channels /home/*/.nix-channels /nix/var/nix/profiles/per-user/*/channels* || true
|
2023-01-17 00:34:56 +01:00
|
|
|
'';
|
|
|
|
|
|
2023-04-22 23:04:46 +02:00
|
|
|
deleteUserProfiles = lib.mkIf cfg.deleteUserProfiles ''
|
2023-01-17 00:34:56 +01:00
|
|
|
echo "Deleting all user profiles..."
|
2023-05-02 21:50:05 +02:00
|
|
|
rm -rf /root/.nix-profile /home/*/.nix-profile /nix/var/nix/profiles/per-user/*/profile* || true
|
2023-01-17 00:34:56 +01:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
