Various minor fixes
@@ -240,15 +240,25 @@ in {
|
||||
|
||||
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
|
||||
|
||||
fudo.secrets.host-secrets.${hostname} = {
|
||||
host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) {
|
||||
source-file = fudo.secrets.files.host-keytabs.${hostname};
|
||||
fudo.secrets.host-secrets.${hostname} = let
|
||||
keytab-file =
|
||||
if (hasAttr hostname config.fudo.secrets.files.host-keytabs) then
|
||||
config.fudo.secrets.files.host-keytabs.${hostname}
|
||||
else null;
|
||||
|
||||
build-private-key-file =
|
||||
if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then
|
||||
config.fudo.secrets.files.build-keypairs.${hostname}
|
||||
else null;
|
||||
in {
|
||||
host-keytab = mkIf (keytab-file != null) {
|
||||
source-file = keytab-file;
|
||||
target-file = "/etc/krb5.keytab";
|
||||
user = "root";
|
||||
};
|
||||
|
||||
build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) {
|
||||
source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key;
|
||||
build-private-key = mkIf (build-private-key-file != null) {
|
||||
source-file = build-private-key-file;
|
||||
target-file = "/var/run/nix-build/host.key";
|
||||
user = "root";
|
||||
};
|
||||
|
||||
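Review bot: The new `build-private-key` entry loses the `.private-key` selector that the replaced lines applied: `source-file = build-private-key-file;` now hands over `config.fudo.secrets.files.build-keypairs.${hostname}` whole, whereas the removed line read `fudo.secrets.files.build-keypairs.${hostname}.private-key`. Unless the shape of `build-keypairs` was changed elsewhere in this commit, each entry is still a keypair attrset and `source-file` becomes a set rather than a file, so the `let` binding should keep the selector: `build-private-key-file = if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then config.fudo.secrets.files.build-keypairs.${hostname}.private-key else null;`. The `keytab-file` binding beside it is unaffected, since the keytab entry was already the file itself. The enclosing `in { ... }` module body starts and ends outside the hunk.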
@@ -124,6 +124,7 @@ let
|
||||
my-build-host = {
|
||||
port = 22;
|
||||
systems = [ "i686-linux" "x86_64-linux" ];
|
||||
build-user = "my-builder";
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -194,6 +195,12 @@ let
|
||||
description = "List of features supported by this server.";
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
build-user = mkOption {
|
||||
type = str;
|
||||
description = "User as which to run distributed builds.";
|
||||
default = "site-builder";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
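Review bot: The description of the new `build-user` option does not say whether this module provisions the account or expects the operator to create it, nor what the user needs access to in order to perform builds; a reader choosing a value other than `"site-builder"` (the preceding hunk's example uses `"my-builder"`) needs that, so the description should state it in one extra sentence. `type = str;` resolves only if `lib.types` is opened with `with` somewhere above, which the hunk does not show; if it is not, `types.str` is the safe spelling. The enclosing option set continues outside the hunk.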
@@ -2,9 +2,13 @@
|
||||
|
||||
with lib;
|
||||
let
|
||||
hostname = config.fudo.instance.hostname;
|
||||
hostname = config.instance.hostname;
|
||||
has-attrs = set: length (attrNames set) > 0;
|
||||
host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname};
|
||||
host-keypairs =
|
||||
if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then
|
||||
config.fudo.secrets.files.host-ssh-keypairs.${hostname}
|
||||
else [];
|
||||
|
||||
|
||||
sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";
|
||||
|
||||
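Review bot: The `hostname` binding changes from `config.fudo.instance.hostname` to `config.instance.hostname`, and nothing in the hunk shows that option being declared, so evaluation of this module on every host now depends on a module outside this change — worth confirming it is part of the same module set, since the new `else []` fallback for `host-keypairs` cannot help if `hostname` itself fails to evaluate. `has-attrs = set: length (attrNames set) > 0;` is bound but used nowhere visible in the hunk; if it is new here and has no other caller, it should go. The `let` block continues outside the hunk.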
@@ -25,14 +29,14 @@ let
|
||||
in {
|
||||
config = {
|
||||
fudo = {
|
||||
secrets.host-secrets.${hostname} = mkIf (host-keypairs != [])
|
||||
map (keypair: {
|
||||
"host-${keypair.key-type}-private-key" = {
|
||||
secrets.host-secrets.${hostname} = listToAttrs
|
||||
(map
|
||||
(keypair: nameValuePair "host-${keypair.key-type}-private-key" {
|
||||
source-file = keypair.private-key;
|
||||
target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
|
||||
user = "root";
|
||||
};
|
||||
});
|
||||
})
|
||||
host-keypairs);
|
||||
|
||||
hosts = mapAttrs (hostname: keypairs: {
|
||||
ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
|
||||
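Review bot: `nameValuePair "host-${keypair.key-type}-private-key"` keys the secrets by key type alone, so two entries of the same type in `host-keypairs` collapse into one attribute in `listToAttrs` and only one private key is deployed, with no error; if that can occur, assert the key types are distinct or include a distinguishing field in the name. The target path `"/var/run/ssh/private/host-${keypair.key-type}-private-key"` is also repeated verbatim in the `services.openssh.hostKeys` hunk below, where it is the path sshd reads; a single binding such as `private-key-path = keypair: "/var/run/ssh/private/host-${keypair.key-type}-private-key";` in the file's `let` keeps the deployed file and the configured path from drifting apart. The `config` attrset continues outside the hunk.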
@@ -41,16 +45,15 @@ in {
|
||||
fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
|
||||
filename = sshfp-filename hostname keypair;
|
||||
in builtins.readFile "${fingerprint-derivation}/$(unknown)") keypairs;
|
||||
} config.fudo.secrets.files.host-ssh-keypairs);
|
||||
}) config.fudo.secrets.files.host-ssh-keypairs;
|
||||
|
||||
|
||||
};
|
||||
|
||||
services.openssh.hostKeys = mkIf (host-keypairs != [])
|
||||
(map (keypair: {
|
||||
path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
|
||||
type = keypair.key-type;
|
||||
}) host-keypairs);
|
||||
services.openssh.hostKeys = map (keypair: {
|
||||
path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
|
||||
type = keypair.key-type;
|
||||
}) host-keypairs;
|
||||
|
||||
programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
|
||||
publicKeyFile = keypairs.public-key;
|
||||
|
||||
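Review bot: Dropping the `mkIf (host-keypairs != [])` guard makes `services.openssh.hostKeys = map (...) host-keypairs` evaluate to `[]` on any host without configured keypairs, which overrides the NixOS default value rather than leaving it in place; as far as I recall that default is what generates host keys at service start, so such a host would come up with no `HostKey` entries at all. Restoring the guard, `services.openssh.hostKeys = mkIf (host-keypairs != []) (map (keypair: { path = "/var/run/ssh/private/host-${keypair.key-type}-private-key"; type = keypair.key-type; }) host-keypairs);`, keeps the default for hosts whose keys are not managed here. Separately, `publicKeyFile = keypairs.public-key;` at the end treats `keypairs` as a single keypair while the `hosts` block above maps over it as a list; if that line is unchanged context it is pre-existing, but it looks like it needs a `map` or a chosen key. The `mapAttrs` callback and the enclosing `config` set continue outside the hunk.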