commit edd1cbf5d4d3379a123cc138fe9787d67247ac9f · pyrox.dev/nixpkgs

nixos/modules/profiles/keys/ssh_host_ed25519_key

···

       1
       +
       -----BEGIN OPENSSH PRIVATE KEY-----

     

       2
       +
       b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW

     

       3
       +
       QyNTUxOQAAACCQVnMW/wZWqrdWrjrRPhfEFFq1KLYguagSflLhFnVQmwAAAJASuMMnErjD

     

       4
       +
       JwAAAAtzc2gtZWQyNTUxOQAAACCQVnMW/wZWqrdWrjrRPhfEFFq1KLYguagSflLhFnVQmw

     

       5
       +
       AAAEDIN2VWFyggtoSPXcAFy8dtG1uAig8sCuyE21eMDt2GgJBWcxb/Blaqt1auOtE+F8QU

     

       6
       +
       WrUotiC5qBJ+UuEWdVCbAAAACnJvb3RAbml4b3MBAgM=

     

       7
       +
       -----END OPENSSH PRIVATE KEY-----

nixos/modules/profiles/keys/ssh_host_ed25519_key.pub

···

       0

···

       1
       +
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBWcxb/Blaqt1auOtE+F8QUWrUotiC5qBJ+UuEWdVCb root@nixos

+134

nixos/modules/profiles/macos-builder.nix

···

       1
       +
       { config, pkgs, ... }:

     

       2
       +
       

     

       3
       +
       let

     

       4
       +
         keysDirectory = "/var/keys";

     

       5
       +
       

     

       6
       +
         user = "builder";

     

       7
       +
       

     

       8
       +
         keyType = "ed25519";

     

       9
       +
       

     

       10
       +
       in

     

       11
       +
       

     

       12
       +
       { imports = [

     

       13
       +
           ../virtualisation/qemu-vm.nix

     

       14
       +
         ];

     

       15
       +
       

     

       16
       +
         # The builder is not intended to be used interactively

     

       17
       +
         documentation.enable = false;

     

       18
       +
       

     

       19
       +
         environment.etc = {

     

       20
       +
           "ssh/ssh_host_ed25519_key" = {

     

       21
       +
             mode = "0600";

     

       22
       +
       

     

       23
       +
             source = ./keys/ssh_host_ed25519_key;

     

       24
       +
           };

     

       25
       +
       

     

       26
       +
           "ssh/ssh_host_ed25519_key.pub" = {

     

       27
       +
             mode = "0644";

     

       28
       +
       

     

       29
       +
             source = ./keys/ssh_host_ed25519_key.pub;

     

       30
       +
           };

     

       31
       +
         };

     

       32
       +
       

     

       33
       +
         # DNS fails for QEMU user networking (SLiRP) on macOS.  See:

     

       34
       +
         #

     

       35
       +
         # https://github.com/utmapp/UTM/issues/2353

     

       36
       +
         #

     

       37
       +
         # This works around that by using a public DNS server other than the DNS

     

       38
       +
         # server that QEMU provides (normally 10.0.2.3)

     

       39
       +
         networking.nameservers = [ "8.8.8.8" ];

     

       40
       +
       

     

       41
       +
         nix.settings = {

     

       42
       +
           auto-optimise-store = true;

     

       43
       +
       

     

       44
       +
           min-free = 1024 * 1024 * 1024;

     

       45
       +
       

     

       46
       +
           max-free = 3 * 1024 * 1024 * 1024;

     

       47
       +
       

     

       48
       +
           trusted-users = [ "root" user ];

     

       49
       +
         };

     

       50
       +
       

     

       51
       +
         services.openssh = {

     

       52
       +
           enable = true;

     

       53
       +
       

     

       54
       +
           authorizedKeysFiles = [ "${keysDirectory}/%u_${keyType}.pub" ];

     

       55
       +
         };

     

       56
       +
       

     

       57
       +
         system.build.macos-builder-installer =

     

       58
       +
           let

     

       59
       +
             privateKey = "/etc/nix/${user}_${keyType}";

     

       60
       +
       

     

       61
       +
             publicKey = "${privateKey}.pub";

     

       62
       +
       

     

       63
       +
             # This installCredentials script is written so that it's as easy as

     

       64
       +
             # possible for a user to audit before confirming the `sudo`

     

       65
       +
             installCredentials = pkgs.writeShellScript "install-credentials" ''

     

       66
       +
               KEYS="''${1}"

     

       67
       +
               INSTALL=${hostPkgs.coreutils}/bin/install

     

       68
       +
               "''${INSTALL}" -g nixbld -m 600 "''${KEYS}/${user}_${keyType}" ${privateKey}

     

       69
       +
               "''${INSTALL}" -g nixbld -m 644 "''${KEYS}/${user}_${keyType}.pub" ${publicKey}

     

       70
       +
             '';

     

       71
       +
       

     

       72
       +
             hostPkgs = config.virtualisation.host.pkgs;

     

       73
       +
       

     

       74
       +
           in

     

       75
       +
             hostPkgs.writeShellScriptBin "create-builder" ''

     

       76
       +
               KEYS="''${KEYS:-./keys}"

     

       77
       +
               ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}"

     

       78
       +
               PRIVATE_KEY="''${KEYS}/${user}_${keyType}"

     

       79
       +
               PUBLIC_KEY="''${PRIVATE_KEY}.pub"

     

       80
       +
               if [ ! -e "''${PRIVATE_KEY}" ] || [ ! -e "''${PUBLIC_KEY}" ]; then

     

       81
       +
                   ${hostPkgs.coreutils}/bin/rm --force -- "''${PRIVATE_KEY}" "''${PUBLIC_KEY}"

     

       82
       +
                   ${hostPkgs.openssh}/bin/ssh-keygen -q -f "''${PRIVATE_KEY}" -t ${keyType} -N "" -C 'builder@localhost'

     

       83
       +
               fi

     

       84
       +
               if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then

     

       85
       +
                 (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}")

     

       86
       +
               fi

     

       87
       +
               KEYS="$(nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm

     

       88
       +
             '';

     

       89
       +
       

     

       90
       +
         system.stateVersion = "22.05";

     

       91
       +
       

     

       92
       +
         users.users."${user}"= {

     

       93
       +
           isNormalUser = true;

     

       94
       +
         };

     

       95
       +
       

     

       96
       +
         virtualisation = {

     

       97
       +
           diskSize = 20 * 1024;

     

       98
       +
       

     

       99
       +
           memorySize = 3 * 1024;

     

       100
       +
       

     

       101
       +
           forwardPorts = [

     

       102
       +
             { from = "host"; guest.port = 22; host.port = 22; }

     

       103
       +
           ];

     

       104
       +
       

     

       105
       +
           # Disable graphics for the builder since users will likely want to run it

     

       106
       +
           # non-interactively in the background.

     

       107
       +
           graphics = false;

     

       108
       +
       

     

       109
       +
           sharedDirectories.keys = {

     

       110
       +
             source = "\"$KEYS\"";

     

       111
       +
             target = keysDirectory;

     

       112
       +
           };

     

       113
       +
       

     

       114
       +
           # If we don't enable this option then the host will fail to delegate builds

     

       115
       +
           # to the guest, because:

     

       116
       +
           #

     

       117
       +
           # - The host will lock the path to build

     

       118
       +
           # - The host will delegate the build to the guest

     

       119
       +
           # - The guest will attempt to lock the same path and fail because

     

       120
       +
           #   the lockfile on the host is visible on the guest

     

       121
       +
           #

     

       122
       +
           # Snapshotting the host's /nix/store as an image isolates the guest VM's

     

       123
       +
           # /nix/store from the host's /nix/store, preventing this problem.

     

       124
       +
           useNixStoreImage = true;

     

       125
       +
       

     

       126
       +
           # Obviously the /nix/store needs to be writable on the guest in order for it

     

       127
       +
           # to perform builds.

     

       128
       +
           writableStore = true;

     

       129
       +
       

     

       130
       +
           # This ensures that anything built on the guest isn't lost when the guest is

     

       131
       +
           # restarted.

     

       132
       +
           writableStoreUseTmpfs = false;

     

       133
       +
         };

     

       134
       +
       }

+18

pkgs/top-level/darwin-packages.nix

···

       205
        
       

     

       206
        
         discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { };

     

       207
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       208
        
       })

···

       205
        
       

     

       206
        
         discrete-scroll = callPackage ../os-specific/darwin/discrete-scroll { };

     

       207
        
       

     

       208
       +
         builder =

     

       209
       +
           let

     

       210
       +
             toGuest = builtins.replaceStrings [ "darwin" ] [ "linux" ];

     

       211
       +
       

     

       212
       +
             nixos = import ../../nixos {

     

       213
       +
               configuration = {

     

       214
       +
                 imports = [

     

       215
       +
                   ../../nixos/modules/profiles/macos-builder.nix

     

       216
       +
                 ];

     

       217
       +
       

     

       218
       +
                 virtualisation.host = { inherit pkgs; };

     

       219
       +
               };

     

       220
       +
       

     

       221
       +
               system = toGuest stdenv.hostPlatform.system;

     

       222
       +
             };

     

       223
       +
       

     

       224
       +
           in

     

       225
       +
             nixos.config.system.build.macos-builder-installer;

     

       226
        
       })