feat(machines/nixos/build01/nix-builder): enable trusted remote building

This lets any member of the nix-builder group remote build with the trusted
bit in Nix.

This effectively gives root to all these people, I don't think it's a
big deal.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
This commit is contained in:
Ryan Lahfa 2025-02-06 01:24:06 +01:00
parent 5ca85e3430
commit 551c75ac47


@ -5,6 +5,7 @@
{ {
pkgs, pkgs,
lib, lib,
dgn-keys,
meta, meta,
... ...
}: }:
@ -12,6 +13,13 @@
config = { config = {
dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u); dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
# FIXME(Raito): this should really go into `dgn-access-control` but I don't
# know what is the desired architecture for it. Leaving it for the people with opinions™.
users.groups.nix-builders = { };
users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
extraGroups = [ "nix-builders" ];
});
security.pam.loginLimits = [ security.pam.loginLimits = [
{ {
domain = "*"; domain = "*";
@ -43,6 +51,10 @@
nrBuildUsers = 128; nrBuildUsers = 128;
settings = { settings = {
trusted-users = [
"@wheel"
"@nix-builders"
];
keep-outputs = false; keep-outputs = false;
keep-derivations = false; keep-derivations = false;
use-cgroups = true; use-cgroups = true;
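Review bot: The `trusted-users = [ "@wheel" "@nix-builders" ]` block in the third hunk should carry an in-code comment stating what the commit message only says in passing: a Nix trusted user can override any nix.conf setting (sandbox, substituters, build-users-group, …) and is therefore root-equivalent on this host, so `nix-builders` membership has to be reviewed with the same rigour as `wheel`. Suggested comment above the list: `# Trusted users may set any nix.conf option (sandbox, substituters, ...) and are root-equivalent on this host; treat nix-builders membership like wheel.` Separately, `dgn-keys,` added to the module arguments in the first hunk is not referenced by any added line shown here; if it is unused it should be dropped rather than left as a dangling argument. The enclosing module definition starts and ends outside the hunks shown.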