121 lines
5.5 KiB
Nix
121 lines
5.5 KiB
Nix
# I hate this so much aaa
|
|
{
|
|
lib,
|
|
callPackage,
|
|
dockerTools,
|
|
openssh,
|
|
bash,
|
|
gnused,
|
|
util-linux,
|
|
qemu-user
|
|
}:
|
|
|
|
dockerTools.buildLayeredImage {
|
|
name = "build-worker-oci";
|
|
tag = "latest";
|
|
|
|
fromImage = callPackage ./source.nix {};
|
|
|
|
maxLayers = 110;
|
|
|
|
passthru.updateScript = ./update.sh;
|
|
|
|
enableFakechroot = true;
|
|
|
|
contents = [ openssh util-linux bash gnused qemu-user ];
|
|
|
|
config.Cmd = [ "/entrypoint.sh" ];
|
|
|
|
fakeRootCommands = let
|
|
system-features = [
|
|
"benchmark"
|
|
"big-parallel"
|
|
"nixos-test"
|
|
"uid-range"
|
|
"gccarch-x86-64"
|
|
"gccarch-x86-64-v2"
|
|
"gccarch-x86-64-v3"
|
|
"gccarch-armv8-a"
|
|
"gccarch-armv8.1-a"
|
|
"gccarch-armv8.2-a"
|
|
"gccarch-armv8.2-a+fp16+rcpc+dotprod"
|
|
"gccarch-rv64imac"
|
|
"gccarch-rv64imacfd"
|
|
"gccarch-rv64gc"
|
|
];
|
|
in ''
|
|
mkdir -p /root
|
|
cat <<EOF > /root/nix.conf
|
|
build-users-group = nixbld
|
|
experimental-features = nix-command flakes
|
|
sandbox = true
|
|
substituters = https://cache.kyouma.net https://cache.nixos.org
|
|
trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
|
|
max-substitution-jobs = 20
|
|
max-silent-time = 14400
|
|
min-free = ${builtins.toString (49152 * 1024 * 1024)}
|
|
max-free = ${builtins.toString (65536 * 1024 * 1024)}
|
|
system-features = ${toString system-features}
|
|
EOF
|
|
|
|
mkdir -p /root/.ssh
|
|
cat <<EOF > /root/.ssh/authorized_keys
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK397sBHLS66snWNPtmjUy7qZxRJh54N0RRXogKODudl nix@muon
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/RmFnel8pcZT9nh7EAfKfAekt3BoEXy0G7G2GTacN/ aprl@computer
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 aprl@whatever
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpyVefbZLkNVNzdSIlO6x6JohHE1snoHiUB3Qdvl5I2 aprl@idk
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVNo871p97NTefP52KYiwuch+FaVScxvcFd9fg0yykySTq7Y5JsxrJQgTnox/oDa0O87OyHD/GHQljAXkqiHpDkExbiGjDmGXJSKReKH061F4FqBnDIwYRzUu9Cxjl4MNqsU0RqLaz4+F42c/L7GROQwjEPUb8JHThRiI5FJnDvvB+oBLBxeyQA4v3O4i8DaDQayTr/XB+aSlhNwKrb6cjjL93AHT1uE53yY5jn4kZX+RiPQhH7rvt9N6E4Yr3CG6nUgRCUS0L66d9yfrq0XAbAVk9F+viV7Nk9qy4MWHtXZ4h0qUlzrGALPgGsCGiLGd4NvEgeCcV4nvxdmevxTSdKlJP75xlmlLVXGyhqCZkTsxm/png2UvDl+p0pLyrgNaNoXPdE0Jbv7C28WX36Nast1QFSMUhexzuOx8OgaOioeXVfK98AouqWb58iPBCvgreUIH/gJhZcnlB/Foo1KSO+fJNH8hAsLH7w0mnKyHhJjkrjjwUqsnpepB3SOLfZTE= aprl@meow
|
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD0v3tUBNEUxfoOQBFb+N2DUBQDay0iFggUWa9Nd+BtFLOKkz+RRto3eBF0ZiJZVUxv/hLb8m2s45hcMw8agwuPrXMe5085T1fzkvPdKAPZdsT/cCmBi1OsoLjAKBFIdM4lcV0A2cca8hip+/ZPpjFPUWx73/672gAPHU7co7fP8+8CSf9dx+WIeLx3yaYHYZ/th3dB5auX3VjOazS8MojsAorwTUeBoPamHQ5dFeNafhFUL/hhtGkUI1cNHUn3bJd2V7AKTW3UglK7hVgMJPrzVS31OlpcJEf6S5XgKTWdOSwubn1bs5Lt6YYRDU24NV6CGrwKgCJSRxzNMLwpnFKiSXpO8FzkqWHYWyju141hQcFF31aZIV+7YcwEt5ZukLjFOpVtpbSXvJYigOUzGi34P3/OAGshDXjTQjvM8GIir49gx3b2Nwhg0z4UHBkAKZvDDFPHDMJoclvnhITojaAojfC9zmMCO5ZaEsk8yv7c/lWQumzRpfldWF4mwHvhD5kTADbhRdO7WTdX7AaiAYINooToeWKjFe2wn3rFubPUppptqtP03mmvs7vhhgnEVBbGZRJK3GTVk1XcsfF9rDKzewSa+wb4LsBoZtFRhc8cJqHGlKWSNk7dQ04B1atPyNLKGpGoo/UIPxyZ6bSqFVxY3nhz46VZ6z8XWI48z0/fRQ== aprl@uwu
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAl3/krXJeCcDEJXRuzOdCOrJLG7b6MRqC+a9Xux3mW vika@hydrangea
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQjTy9qqHcs5vgTz+iMAiNNMqdyGtOhEpnpJCReEFfZ vika@rafflesia
|
|
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINAgFdk78I4zssUGsAIV01zefLBpwc1W7hfTobbG80XLAAAABHNzaDo= vika@nitrokey
|
|
EOF
|
|
|
|
cat <<EOF > /root/.ssh/environment
|
|
PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin
|
|
EOF
|
|
|
|
cat <<EOF > /root/sshd_config
|
|
AcceptEnv GIT_PROTOCOL
|
|
AuthenticationMethods publickey
|
|
AuthorizedPrincipalsFile none
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
|
GatewayPorts no
|
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
|
|
KbdInteractiveAuthentication no
|
|
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
|
|
LogLevel INFO
|
|
Macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
|
PasswordAuthentication no
|
|
PermitRootLogin prohibit-password
|
|
PermitUserEnvironment yes
|
|
PrintMotd no
|
|
PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
|
|
StreamLocalBindUnlink yes
|
|
StrictModes yes
|
|
UseDns no
|
|
UsePAM no
|
|
X11Forwarding no
|
|
Banner none
|
|
AddressFamily any
|
|
Port 2222
|
|
|
|
Subsystem sftp ${openssh}/libexec/sftp-server
|
|
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
|
|
HostKey /mnt/data/ssh/ssh_host_ed25519_key
|
|
EOF
|
|
|
|
mkdir -p /etc/keys
|
|
mkdir -p /var/empty
|
|
mkdir -p /var/log
|
|
|
|
substitute ${./entrypoint.sh} /entrypoint.sh \
|
|
--subst-var-by qemu-aarch64 ${lib.getExe' qemu-user "qemu-aarch64"} \
|
|
--subst-var-by qemu-riscv64 ${lib.getExe' qemu-user "qemu-riscv64"}
|
|
chmod +x /entrypoint.sh
|
|
'';
|
|
}
|