From 551c75ac478a11e0e1d8efda74b160f4ff996dad Mon Sep 17 00:00:00 2001
From: Ryan Lahfa
Date: Thu, 6 Feb 2025 01:24:06 +0100
Subject: [PATCH] feat(machines/nixos/build01/nix-builder): enable trusted remote building

This enables any nix-builder to be able to remote build with the trusted bit in Nix. This effectively gives root to all these people, I don't think it's a big deal.

Signed-off-by: Ryan Lahfa
---
 machines/nixos/build01/nix-builder.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/machines/nixos/build01/nix-builder.nix b/machines/nixos/build01/nix-builder.nix
index e8dcfcd..27cfc7f 100644
--- a/machines/nixos/build01/nix-builder.nix
+++ b/machines/nixos/build01/nix-builder.nix
@@ -5,6 +5,7 @@
 {
 pkgs,
 lib,
+ dgn-keys,
 meta,
 ...
 }:
@@ -12,6 +13,13 @@
 config = {
 dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
 
+ # FIXME(Raito): this should really go into `dgn-access-control` but I don't
+ # know what is the desired architecture for it. Leaving it for the people with opinions™.
+ users.groups.nix-builders = { };
+ users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
+ extraGroups = [ "nix-builders" ];
+ });
+
 security.pam.loginLimits = [
 {
 domain = "*";
@@ -43,6 +51,10 @@
 nrBuildUsers = 128;
 
 settings = {
+ trusted-users = [
+ "@wheel"
+ "@nix-builders"
+ ];
 keep-outputs = false;
 keep-derivations = false;
 use-cgroups = true;
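Review bot: `dgn-keys` is added to the module's argument set in the first hunk, but none of the twelve inserted lines in this patch reference it, so it reads as a leftover from an earlier draft. Either drop it again so `meta,` directly follows `lib,`, or wire it to the use it was meant for. An unused module argument is harmless at evaluation time, but it sends the next reader looking for a key-loading call that is not in the file.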
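Review bot: The generated `users.users` entries in the second hunk set only `extraGroups`, so every member of `meta.organization.groups.nix-builder` must be fully declared somewhere else (presumably by the `dgn-access-control.users` line just above; otherwise NixOS evaluation fails for a user with neither `isNormalUser` nor `isSystemUser`), and that dependency is not stated next to the code. Since the last hunk also lists `@nix-builders` in `trusted-users`, adding a name to that metadata group now grants root-equivalent access to this host, which whoever edits the organization metadata will not see from the metadata alone. A comment on the group declaration would make the consequence visible where the membership is wired up, e.g. `# Members of nix-builders are Nix trusted-users on this host (see nix.settings.trusted-users): treat membership as root-equivalent.`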
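Review bot: The `trusted-users` list in the third hunk lets its members push unsigned store paths into the daemon and override nix.conf settings such as `substituters` and `sandbox`, which is root-equivalent on the build host; the commit message acknowledges this, but nothing near the setting does, so a maintainer reading the file sees only what looks like a build-access list. `@wheel` may also be redundant here, since wheel members already have a privileged path to root, and keeping the list to the one group that actually needs it makes later audits of who is trusted simpler. A short why-comment above the list would preserve the commit's reasoning in the file, e.g. `# Trusted users can push unsigned paths and override daemon settings: root-equivalent on this host. Keep this list in sync with who is allowed root.` The enclosing `settings` attrset (presumably `nix.settings`) starts and ends outside the hunk.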