Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow makemake to be used for remote builds #307

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

Erethon
Copy link
Collaborator

@Erethon Erethon commented Jun 27, 2024

This patchset changes the ssh-keys.nix structure a bit, adds a new user to makemake and adds some documentation. In particular:

  • Following the reasoning from 5f64f82 and this comment, it removes @delroth's key from ssh-keys.nix to match ssh-keys: cleanup NixOS/infra#427.
  • Add a new regular user called remotebuild to makemake.
  • Change ssh-keys.nix to a rec and create two new lists, one for people that should have root access and one for people that should only have access to the newly created remotebuild user.
  • Add documentation on how to get access to makemake in order to use it as a remote build host.

Following 5f64f82 and assuming we want to be aligned with
NixOS/infra #427 remove delroth's key
Also convert ssh-keys to a rec so we can more easily add people only to
the remotebuild user and not root
users.root.openssh.authorizedKeys.keys = (import ../ssh-keys.nix).root;
users.remotebuild = {
isNormalUser = true;
openssh.authorizedKeys.keys = (import ../ssh-keys.nix).remotebuild;
Copy link
Collaborator

@fricklerhandwerk fricklerhandwerk Jun 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A pattern that is very likely much easier to work with is having the keys in a directory, where each filename is the username. This is just a sketch:

Suggested change
openssh.authorizedKeys.keys = (import ../ssh-keys.nix).remotebuild;
openssh.authorizedKeys.keyFiles = with lib;
map (n: ./keys/${n}) (attrNames (builtins.readDir ./remotebuild));

You probably want to store those key groups in a let binding right here in this file, and combine them as needed for each user on the machine, so whatever logic there is visible at first glance.

Then the instructions to add a key can reduce to

cp ~/.ssh/<key>.pub <path>/ngipkgs/infra/makemake/remotebuild/<name>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants