Machines/WinMax2: set up as a nix remote builder

2024-04-24 00:29:40 +02:00 · 2024-04-24 00:29:40 +02:00 · 68628028bd
commit 68628028bd
parent 0aee3539f0
2 changed files with 56 additions and 0 deletions
--- a/machines/WinMax2/default.nix
+++ b/machines/WinMax2/default.nix
@ -2,5 +2,6 @@
  imports = [
    ./configuration.nix
    ./hardware-configuration.nix
+    ./remote-builder.nix
  ];
 }
--- a/machines/WinMax2/remote-builder.nix
+++ b/machines/WinMax2/remote-builder.nix
@ -0,0 +1,55 @@
+{
+  config,
+  flakeSelf,
+  ...
+}: let
+  hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+  hostKeyPath = "/etc/ssh/winmax2_host_key";
+in {
+  age.secrets = {
+    winmax2-host-key = {
+      file = hostSecrets + "host-private-key.age";
+      path = hostKeyPath;
+      mode = "0400";
+    };
+    "winmax2-host-key.pub" = {
+      file = hostSecrets + "host-public-key.age";
+      path = hostKeyPath + ".pub";
+    };
+  };
+
+  users = {
+    groups.nixrbld = {};
+    users.nixrbld = {
+      isSystemUser = true;
+      group = "nixrbld";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8v+04ZwqHZRG8P8nxdQt+fGJfzlxHXF0F6jzENb+U6 Remote builder access key"
+      ];
+    };
+  };
+
+  nix.settings.trusted-users = ["nixrbld"];
+
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    # I only want it to be accesible though tailscale
+    openFirewall = false;
+    allowSFTP = false;
+    settings = {
+      UseDns = true;
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      AllowUsers = ["nixrbld"];
+    };
+    hostKeys = [
+      {
+        path = hostKeyPath;
+        type = "ed25519";
+        comment = "Everest host key";
+      }
+    ];
+  };
+  networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];
+}