From 292f54b28f9237dcd21d52193f0851dff4a0f1ac Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 9 Apr 2024 14:47:50 -0700
Subject: [PATCH] chore(extern): nix improvements
---
 modules/extern/nixos/nix.nix | 31 +++++++++++++---
 modules/extern/secrets/nix.yaml | 66 +++++++++++++++++++++++++++++++++
 nixos/base/nix.nix | 1 +
 nixos/github-runner/zone.nix | 3 ++
 nixos/nixbld.nix | 13 +++++++
 nixos/users/groups.nix | 11 ++++++
 systems/aya/nixos.nix | 1 +
 7 files changed, 120 insertions(+), 6 deletions(-)
 create mode 100644 modules/extern/secrets/nix.yaml
 create mode 100644 nixos/nixbld.nix
diff --git a/modules/extern/nixos/nix.nix b/modules/extern/nixos/nix.nix
index b99f4ee9..b6306dc4 100644
--- a/modules/extern/nixos/nix.nix
+++ b/modules/extern/nixos/nix.nix
@@ -1,20 +1,23 @@
 {
 config,
+ options,
 lib,
 gensokyo-zone,
 ...
 }: let
 inherit (lib.options) mkOption mkEnableOption;
 inherit (lib.modules) mkIf mkMerge mkDefault;
- inherit (gensokyo-zone.lib) unmerged;
+ inherit (gensokyo-zone.lib) unmerged mkAlmostOptionDefault;
 cfg = config.gensokyo-zone.nix;
 nixModule = {
 gensokyo-zone,
 nixosConfig,
+ nixosOptions,
 config,
 ...
 }: let
 inherit (gensokyo-zone.lib) unmerged domain;
+ inherit (nixosConfig.gensokyo-zone) access;
 in {
 options = with lib.types; {
 enable = mkEnableOption "nix settings";
@@ -37,6 +40,9 @@
 default = "ssh";
 };
 ssh = {
+ commonKey = mkEnableOption "shared secret nixbld key" // {
+ default = true;
+ };
 user = mkOption {
 type = str;
 default = "nixbld";
@@ -64,7 +70,7 @@
 };
 };
 setNixSettings = mkOption {
- type = unmerged.types.attrs;
+ type = unmerged.type;
 default = {};
 };
 setNixBuildMachines = mkOption {
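Review bot: `commonKey` in the `ssh` option set (hunk `@@ -37,6 +40,9 @@`) defaults to true with only a bare description, so any host that sets `gensokyo-zone.nix.enable` silently opts into the zone-wide private key, and the option description is the only place a reader could learn that. The later hunk in this file declares the `gensokyo-zone-nix-bld-key` sops secret on every sops-enabled host whenever `commonKey` is set, so the description should say so and name the escape hatch. Suggest `commonKey = mkEnableOption "shared secret nixbld key (one zone-wide private key declared as the sops secret gensokyo-zone-nix-bld-key on every host that enables nix; set false and supply ssh.key to use a per-host key)" // { default = true; };`. The enclosing `options` set starts in the first hunk and continues past this one.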
@@ -92,9 +98,14 @@ }) ]; builder = { - domain = mkIf nixosConfig.services.tailscale.enable ( - mkDefault - "nixbld.tail.${domain}" + domain = mkMerge [ + (mkIf access.tail.enabled (mkAlmostOptionDefault "nixbld.tail.${domain}")) + (mkIf access.local.enable (mkDefault "nixbld.local.${domain}")) + ]; + ssh.key = let + inherit (nixosConfig.sops) secrets; + in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (mkAlmostOptionDefault + nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path ); setBuildMachine = { hostName = config.builder.domain; @@ -121,6 +132,7 @@ in { inherit gensokyo-zone; inherit (gensokyo-zone) inputs; nixosConfig = config; + nixosOptions = options; }; }; default = { }; @@ -128,9 +140,16 @@ in { config = { nix = mkIf cfg.enable { - settings = unmerged.mergeAttrs cfg.setNixSettings; + settings = unmerged.merge cfg.setNixSettings; buildMachines = unmerged.merge cfg.setNixBuildMachines; }; + ${if options ? sops.secrets then "sops" else null}.secrets = let + sopsFile = mkDefault ../secrets/nix.yaml; + in mkIf cfg.enable { + gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey { + inherit sopsFile; + }; + }; lib.gensokyo-zone.nix = { inherit cfg nixModule; }; diff --git a/modules/extern/secrets/nix.yaml b/modules/extern/secrets/nix.yaml new file mode 100644 index 00000000..991862b9 --- /dev/null +++ b/modules/extern/secrets/nix.yaml 
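Review bot: The two `domain` candidates test differently named flags, `access.tail.enabled` and `access.local.enable`; if that asymmetry is not deliberate, one of the `mkIf` conditions will fail evaluation with a missing attribute rather than quietly disable, so either align the spelling or add a comment stating which name each access type uses. The `ssh.key` fallback fires only when the `sops.secrets` option exists and `gensokyo-zone-nix-bld-key` is declared, which the `@@ -128,9 +140,16 @@` hunk of this same file does under `cfg.builder.ssh.commonKey`; a comment above `ssh.key` such as `# path of the shared builder key declared in sops.secrets below (see ssh.commonKey)` would make that coupling visible. The secret's owner and mode are left to sops-nix defaults; since the daemon presumably reads the key as root that is likely fine, but an explicit `owner`/`mode` or a comment saying the defaults are intended would remove the guesswork. The `builder` attrset continues outside the hunk.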
@@ -0,0 +1,66 @@ +gensokyo-zone-nix-bld-key: ENC[AES256_GCM,data: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,iv:PZZENdazeM59+VFDKp6E5hxOeXYXyci8ELgLO1oOXcw=,tag:HE+UsTODLTuAU3w5pk0sOA==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYmxJNzZlS0ZPd3gxVHdv + Ynh2RzFaOFFzZzYvdjlreUk2VW9JMksyNVVZCndnWFJwam1kVnBpNGZzWXRraytB + dVp4aHlQdUkwb2tzdUR2eHU3NVNnRWcKLS0tIHZPa2NnbXYyakxrWU15VlVvV2g0 + ei9sc0JXQjR1TFlqZXZUbXljNGIrQ3cKXdw0PNgBaxhMq9xKaLvZxIYZcyR1PAEY + Uw/Si8PePacS+qDBr6w4HdJnZEkp7eXpI2q++l2Ht59uZATPUthjQA== + -----END AGE ENCRYPTED FILE----- + - recipient: age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbTJ5aGJmK29McUtDQ0M4 + eStiU213c2czc2w1U0hCaGV6T2lwRHNiZ1RBCjJPaWRzUnNXd3NicXlPL01TSkRF + cVdtV0RwYmpqS1FsSGoxL3hCTDdEc3MKLS0tIGFIQ0I1WEFwNndIZS9POGpMMEtX + amlrWlhwdW5lUDRZcHRtaER0dEJ4azgKncknp1F6GZL5Hq2/E0ggs6ze5QAp3Ehu + HmUIJnHoC4D+bVmDgpDUcT8KBncmnBD8H5au9XuEDeI7jNwyz+EaXA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-09T21:17:22Z" + mac: ENC[AES256_GCM,data:8AClGeAx6VL7h3cU7ucoiKeKFPh/xsQbZuGjx4ip9S+OmqBneT0BKeVPKV4Ntz6RxUWpsTRhf8LakafPE4HEYr7/hSetjobOtd9Bdo6qVIPUSVR6xTQEO9NZ3GoppUAZl3WyCuAjh67FvhbXa+XcsHLA2z6mcNfUNX1Xy21xJxE=,iv:o58Y/dBfA5GHQz6D++o+HJJW9FPymlrWLow3QclCu5U=,tag:dp5vuuYQ2n5TVKsDA/C1GQ==,type:str] + pgp: + - created_at: "2024-04-09T21:16:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//bSE/YdF7MSEunvClNhwFUmvBSzAW5kgUuZF/u1nUwOAZ + JvZVKUamRPky72gWbDhBfmDCDnmbOxurzsiTB1eEX7DuDJQMmMM/0uO07loNWkD4 + AAHHUOqNfxtatkjKztW5N1RhEfpN44fW1ZVh1Rym7BGnKaJmXRaIxoQLsEBii85J + jUpKJktj+AAxWp4PUUI6T/RBUD51iSCjU6G50JR8oiHBQY1WmLJs1IIN5dF/UOfX + 
b1D4iqSy3U2VXkjp7moDhpgI9FC475WFSIcIpEEROzfpsX2yu/OOgw66UIyYP7fD + G61HiAJDhB/7xlNjUqR1dEI08w83I6nMQaftSJ9ExHHmnctZkWyZvMhohnvUvtkA + 8kw5R7QCsWJ62pjh+rXmdDY2MUHWWqsGWMjs5C0gPHspqg9VnhYlMDDnI+DqKnpP + tCxeFy/J1vCymtvPcVlG/y13mpScQfqRNuzwnqSIyiSC+vNF9jYwo+DGeOB0yWun + uN6KZAocKrprhnDnz03CAszY14YIekDFnBckukG4x1eztYwag+/eA1E6A3vDww50 + 80iNDXmXveOjfsr0IQP90x3El+EVicNCjejLIooJJu+tUjkTm/P0HE6Q0WvpSKr1 + fjhDqPxeHbeYz+6BhXG8fJQfITJcJ+8KdoDyUVJ5niwCr7Z1pfJD2x8ymcnqeuzS + XAHzeyx6NAoONTXHv0SToH2sH4SihGZUg3mFVIxszIBMsVlJtzb9T7Y+U4HslfOc + C1U+f2hyoj4RMo9YBgroS/T85V8l9sGwxiBLC5DceIXwNjQOyghgOwruTQFG + =Wb8Q + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-04-09T21:16:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf+MCKFoTzDFDPczpur3R0F5UvdRdAXIs0NS95SMmwR+Ro7 + xCCr6KkyPteHzYD8u9OTlNryr67MHJOZMp2RxEC7z34nA+Cu+SMdcr/JYF/z92jE + NCdvfRW1lXIyV1J9OydkXs5LHsbJFgccP9v2p+7Rde/gARZk0aMoW1yW+FF59WOp + 4zO827FUTWW7di87uHQRP9wy6yKLt7nGffTbkFd/a4VV92CXj1XZKD18/w24BjMp + z3TiMhAqdJOgfCqPsWQBZ0S70qCnVwaaLFo0yUF24ljnCvKnHDa/11kje4vxN0Ly + 34rFXUUN0Xm74ddQW8ZgH6bDMYdwqYlkalZ7h33SdtJcAaeVZifvJXN7QiterFaP + wUC6EqOPPS/9xkWA7wiBBMQqScfbpn3SS8P6gmD/BVl7svqGM3PjN5bWno+Sx5r6 + k/iurE9HYwe96oPDH9jFAeQYyuIfSWEljHRSWH4= + =nKrC + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nixos/base/nix.nix b/nixos/base/nix.nix index 8bb4fcf7..0371294b 100644 --- a/nixos/base/nix.nix +++ b/nixos/base/nix.nix @@ -24,6 +24,7 @@ in { arc.flake = inputs.arcexprs; }; settings = { + allowed-users = [ "@nixbuilder" ]; experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes"; substituters = [ "https://gensokyo-infrastructure.cachix.org" diff --git a/nixos/github-runner/zone.nix b/nixos/github-runner/zone.nix index 475ecf4e..70cbaa68 100644 --- a/nixos/github-runner/zone.nix +++ b/nixos/github-runner/zone.nix 
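Review bot: `allowed-users = [ "@nixbuilder" ]` in nixos/base/nix.nix replaces Nix's default of admitting every user, so after this change any account that is neither a trusted user nor in the `nixbuilder` group is refused by the daemon; the commit covers `nixbld` (primary group `nixbuilder`) and the github-runner users (via `extraGroups`), but no other service account, and nothing on the line says so. Suggest a comment above it: `# daemon access is limited to the nixbuilder group (peeps users, nixbld, github runners); trusted-users are always admitted`. This is only `allowed-users`, not `trusted-users`, so group members still cannot override substituters or other restricted settings, which looks like the intended separation and is worth stating in the same comment.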
@@ -122,6 +122,9 @@ in { isSystemUser = true; useDefaultShell = mkDefault true; group = mkIf (cfg.group != null) (mkDefault cfg.group); + extraGroups = [ + "nixbuilder" + ]; createHome = false; home = "/var/lib/github-runner/${cfg.keyPrefix}${toString i}"; }))) diff --git a/nixos/nixbld.nix b/nixos/nixbld.nix new file mode 100644 index 00000000..ccdf0e0b --- /dev/null +++ b/nixos/nixbld.nix @@ -0,0 +1,13 @@ +{ lib, ... }: let + inherit (lib.modules) mkForce; +in { + config.users = { + users.nixbld = { + isNormalUser = true; + isSystemUser = mkForce false; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHV6OZ3JfVwtRhfsxYTNbh6IReZycMmfaRQrKVppX6CB extern@gensokyo-infrastructure" + ]; + }; + }; +} diff --git a/nixos/users/groups.nix b/nixos/users/groups.nix index 682881db..036eb78e 100644 --- a/nixos/users/groups.nix +++ b/nixos/users/groups.nix @@ -29,6 +29,12 @@ in { editors = { gid = 8133; }; + nixbuilder = { + gid = 8134; + members = mapAttrsToList (_: user: user.name) ( + filterAttrs (_: user: userIs "peeps" user) config.users.users + ); + }; admin = { gid = 8126; @@ -53,5 +59,10 @@ in { group = "nogroup"; isSystemUser = true; }; + nixbld = { + uid = config.users.groups.nixbuilder.gid; + group = "nixbuilder"; + isSystemUser = true; + }; }; } diff --git a/systems/aya/nixos.nix b/systems/aya/nixos.nix index 0f365450..f6bc4ea8 100644 --- a/systems/aya/nixos.nix +++ b/systems/aya/nixos.nix @@ -5,6 +5,7 @@ nixos.sops nixos.base nixos.reisen-ct + nixos.nixbld nixos.tailscale nixos.github-runner.zone ];
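Review bot: The `nixbld` authorized key in nixos/nixbld.nix carries no options, so any holder of the shared private key (every host with `commonKey`, per modules/extern/nixos/nix.nix) gets a full login on the builder, and `isNormalUser = true` gives that account a default shell and home directory. For the `ssh` builder protocol (the module's default, per the `default = "ssh"` context in nix.nix) the client only needs `nix-store --serve --write`, so the entry can be confined to it: `"restrict,command=\"nix-store --serve --write\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHV6OZ3JfVwtRhfsxYTNbh6IReZycMmfaRQrKVppX6CB extern@gensokyo-infrastructure"`. If some host uses the `ssh-ng` protocol instead, the forced command would presumably need to be `nix-daemon --stdio`, so a comment on the key line should record which protocol the builder expects.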
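Review bot: `users.nixbld` is now defined with opposite values in two files — `isSystemUser = true` in nixos/users/groups.nix and `isSystemUser = mkForce false` in nixos/nixbld.nix — so the groups.nix setting only takes effect on hosts that do not import nixbld.nix, and a reader of groups.nix cannot tell that. A comment beside it, e.g. `# overridden (mkForce false) by nixos/nixbld.nix on builder hosts`, or removing the attribute from one of the two files, would make the precedence explicit. Reusing `config.users.groups.nixbuilder.gid` as the `nixbld` uid is a convention that also deserves a word, e.g. `# uid mirrors the nixbuilder gid (8134)`.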