feat: use seperate keys for remotebuild auth

2025-04-13 14:04:25 +02:00 · 2025-04-13 14:04:25 +02:00 · 2995d7f504
commit 2995d7f504
parent 20952f4c82
1 changed files with 29 additions and 9 deletions
--- a/modules/remote_builders.nix
+++ b/modules/remote_builders.nix
@ -1,8 +1,8 @@
 {
-  config,
-  clan-core,
-  self,
  lib,
+  config,
+  pkgs,
+  self,
  ...
 }:

@ -22,6 +22,8 @@ let

  others = filterAttrs (n: v: n != config.networking.hostName) self.nixosConfigurations;

+  max = a: b: if a > b then a else b;
+
  mkBuilder =
    hostName: attrs:
    let
@ -40,7 +42,7 @@ let
      protocol = "ssh-ng";
      # default is 1 but may keep the builder idle in between builds
      maxJobs = 3;
-      speedFactor = cfg'.speedFactor - (cfg.speedFactor) + 1;
+      speedFactor = max (cfg'.speedFactor - cfg.speedFactor + 1) 1;
      supportedFeatures = cfg'.supportedFeatures;
      mandatoryFeatures = [ ];
    };
@ -48,8 +50,16 @@ let
  buildMachines = mapAttrsToList mkBuilder others;

  remotebuildKeys = mapAttrsToList (
-    _name: attrs: attrs.config.clan.core.vars.generators.openssh.files."ssh.id_ed25519.pub".value
+    _name: attrs: attrs.config.clan.core.vars.generators.remotebuild.files."ssh.id_ed25519.pub".value
  ) others;
+
+  mkMatch = host:
+    ''
+      Match User remotebuild Host ${host}
+        IdentityFile ${config.clan.core.vars.generators.remotebuild.files."ssh.id_ed25519".path}
+    '';
+  othersName = attrNames others;
+  sshConfig = concatLines (map mkMatch othersName);
 in
 {
  options.our.buildMachines = {
@ -88,10 +98,20 @@ in

    users.groups.remotebuild = { };

-    programs.ssh.extraConfig = ''
-      Match User remotebuild
-        IdentityFile  ${config.clan.core.vars.generators.openssh.files."ssh.id_ed25519".path}
-    '';
+    clan.core.vars.generators.remotebuild = {
+      files."ssh.id_ed25519" = { };
+      files."ssh.id_ed25519.pub".secret = false;
+      runtimeInputs = [
+        pkgs.coreutils
+        pkgs.openssh
+      ];
+      script = ''
+        ssh-keygen -t ed25519 -N "" -f "$out"/ssh.id_ed25519
+      '';
+    };
+
+    programs.ssh.extraConfig = sshConfig;
+
    nix = {
      buildMachines = buildMachines;
      # required, otherwise remote buildMachines above aren't used