Various minor fixes

2021-09-29 18:44:33 -07:00 · 2021-09-29 18:44:33 -07:00 · 4df4d2e7db
commit 4df4d2e7db
parent 3dc5986134
5 changed files with 43 additions and 22 deletions
--- a/flake.lock
+++ b/flake.lock
@ -46,7 +46,7 @@
        "ssh-keypairs": "ssh-keypairs"
      },
      "locked": {
-        "narHash": "sha256-i3c+gzSJO/YckvPXsncOYdrrBoq5WvoHeaB/X2lWr3I=",
+        "narHash": "sha256-fCEml2rFMgJboI7EN0QQLsAYSKdKegnu23IwRK5GBdE=",
        "path": "/state/secrets",
        "type": "path"
      },
@ -90,11 +90,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1632291606,
-        "narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=",
+        "lastModified": 1632918953,
+        "narHash": "sha256-XY3TKBfhP7wCu/SeqrwIkTWkyYHy5W1yRR8pxyzRY9Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "83413f47809790e4ca012e314e7782adeae36cf2",
+        "rev": "ee90403e147b181300dffca5b0afa405e14f1945",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -38,6 +38,7 @@
      system = hostOpts.arch;

      modules = [
+        fudo-secrets.nixosModule
        "${home-manager}/nixos"
        (import ./initialize.nix {
          inherit hostname pkgs build-timestamp fudo-secrets;
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@ -240,15 +240,25 @@ in {

    boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;

-    fudo.secrets.host-secrets.${hostname} = {
-      host-keytab = mkIf (fudo.secrets.files.host-keytabs.${hostname} != null) {
-        source-file = fudo.secrets.files.host-keytabs.${hostname};
+    fudo.secrets.host-secrets.${hostname} = let
+      keytab-file =
+        if (hasAttr hostname config.fudo.secrets.files.host-keytabs) then
+          config.fudo.secrets.files.host-keytabs.${hostname}
+        else null;
+
+      build-private-key-file =
+        if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then
+          config.fudo.secrets.files.build-keypairs.${hostname}
+        else null;
+    in {
+      host-keytab = mkIf (keytab-file != null) {
+        source-file = keytab-file;
        target-file = "/etc/krb5.keytab";
        user = "root";
      };

-      build-private-key = mkIf (fudo.secrets.files.build-keypairs.${hostname} != null) {
-        source-file = fudo.secrets.files.build-keypairs.${hostname}.private-key;
+      build-private-key = mkIf (build-private-key-file != null) {
+        source-file = build-private-key-file;
        target-file = "/var/run/nix-build/host.key";
        user = "root";
      };
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@ -124,6 +124,7 @@ let
          my-build-host = {
            port = 22;
            systems = [ "i686-linux" "x86_64-linux" ];
+            build-user = "my-builder";
          };
        };
      };
@ -194,6 +195,12 @@ let
        description = "List of features supported by this server.";
        default = [ ];
      };
+
+      build-user = mkOption {
+        type = str;
+        description = "User as which to run distributed builds.";
+        default = "site-builder";
+      };
    };
  };

--- a/lib/fudo/ssh.nix
+++ b/lib/fudo/ssh.nix
@ -2,9 +2,13 @@

 with lib;
 let
-  hostname = config.fudo.instance.hostname;
+  hostname = config.instance.hostname;
  has-attrs = set: length (attrNames set) > 0;
-  host-keypairs = config.fudo.secrets.files.host-ssh-keypairs.${hostname};
+  host-keypairs =
+    if (hasAttr hostname config.fudo.secrets.files.host-ssh-keypairs) then
+      config.fudo.secrets.files.host-ssh-keypairs.${hostname}
+    else [];
+

  sshfp-filename = host: keypair: "ssh-${host}-${keypair.key-type}.sshfp-record";

@ -25,14 +29,14 @@ let
 in {
  config = {
    fudo = {
-      secrets.host-secrets.${hostname} = mkIf (host-keypairs != [])
-        map (keypair: {
-          "host-${keypair.key-type}-private-key" = {
+      secrets.host-secrets.${hostname} = listToAttrs
+        (map
+          (keypair: nameValuePair "host-${keypair.key-type}-private-key" {
            source-file = keypair.private-key;
            target-file = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
            user = "root";
-          };
-        });
+          })
+          host-keypairs);

      hosts = mapAttrs (hostname: keypairs: {
        ssh-pubkeys = map (keypair: keypair.public-key) keypairs;
@ -41,16 +45,15 @@ in {
            fingerprint-derivation = dns-sshfp-records hostname keypair.public-key;
            filename = sshfp-filename hostname keypair;
          in builtins.readFile "${fingerprint-derivation}/${filename}") keypairs;
-      } config.fudo.secrets.files.host-ssh-keypairs);
+      }) config.fudo.secrets.files.host-ssh-keypairs;


    };

-    services.openssh.hostKeys = mkIf (host-keypairs != [])
-      (map (keypair: {
-        path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
-        type = keypair.key-type;
-      }) host-keypairs);
+    services.openssh.hostKeys = map (keypair: {
+      path = "/var/run/ssh/private/host-${keypair.key-type}-private-key";
+      type = keypair.key-type;
+    }) host-keypairs;

    programs.ssh.knownHosts = mapAttrs (hostname: keypairs: {
      publicKeyFile = keypairs.public-key;