localModules -> local

moved keys to their own module updated nix switching pinning method
2025-12-10 00:43:56 -05:00 · 2023-07-02 00:33:46 -04:00 · 2023-07-02 00:33:46 -04:00 · 160a5c3ffe
commit 160a5c3ffe
parent 2057ff5d17
24 changed files with 187 additions and 109 deletions
--- a/modules/builders.nix
+++ b/modules/builders.nix
@ -3,13 +3,13 @@ _: {
  lib,
  ...
 }: {
-  options.localModules.remoteBuild = {
+  options.local.remoteBuild = {
    enable = lib.mkEnableOption "";
    isBuilder = lib.mkEnableOption "";
  };
  config = lib.mkMerge [
    (
-      lib.mkIf config.localModules.remoteBuild.enable {
+      lib.mkIf config.local.remoteBuild.enable {
        nix = {
          settings = {
            keep-outputs = false;
@ -18,7 +18,6 @@ _: {
            max-jobs = 0;
            substituters = ["ssh-ng://nix-ssh@gerg-desktop" "https://cache.nixos.org/"];
            trusted-public-keys = ["gerg-desktop:6p1+h6jQnb1MOt3ra3PlQpfgEEF4zRrQWiEuAqcjBj8=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
-            secret-key-files = "/persist/cache-keys/cache-priv-key.pem";
          };
          distributedBuilds = true;
          buildMachines = [
@ -30,29 +29,24 @@ _: {
              supportedFeatures = ["big-parallel" "nixos-test" "kvm" "benchmark"];
              sshUser = "builder";
              sshKey = "/etc/ssh/ssh_host_ed25519_key";
-              publicHostKey = "BQxvBOWsTw1gdNDR0KzrSRmbVhDrJdG05vYXkVmw8yA";
+              publicHostKey = config.local.keys.gerg-desktop_fingerprint;
            }
          ];
        };
-        programs.ssh.knownHosts = {
-          gerg-desktop = {
-            extraHostNames = ["gerg-desktop.lan"];
-            publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeHsGcmOdIMzV+SNe4WFcA3CPHCNb1aqxThkXtm7G/1";
-          };
-        };
      }
    )

    (
      let
        keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIq9YTf4jlVCKBKn44m4yJvj94C7pTOyaa4VjZFohNqD root@mom-laptop"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUKHZasYQUAmRBiqtx1drDxfq18/N4rKydCtPHx461I root@game-laptop"
+          config.local.keys.root_moms-laptop
+          config.local.keys.root_game-laptop
        ];
      in
        lib.mkIf
-        config.localModules.remoteBuild.isBuilder
+        config.local.remoteBuild.isBuilder
        {
+          sops.secrets.store_key = {};
          users = {
            groups.builder = {};
            users.builder = {
@ -63,12 +57,22 @@ _: {
              group = "builder";
            };
          };
+          services.openssh.extraConfig = ''
+            Match User builder
+              AllowAgentForwarding no
+              AllowTcpForwarding no
+              PermitTTY no
+              PermitTunnel no
+              X11Forwarding no
+            Match All
+          '';

          nix = {
            settings = {
              trusted-users = ["builder" "nix-ssh"];
              keep-outputs = true;
              keep-derivations = true;
+              secret-key-files = config.sops.secrets.store_key.path;
            };
            sshServe = {
              enable = true;