nixfiles/pkgs/build-worker-oci/default.nix


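# I hate this so much aaa
#
# OCI image for a remote Nix build worker.
#
# Starting from the base layers produced by ./source.nix, the image gets an
# sshd (openssh) whose only authentication method is the public keys listed
# below, the Nix daemon settings the worker should run with, and a qemu-user
# install so foreign-ISA builds can be accepted. All of that is written into
# the image at build time by fakeRootCommands; /entrypoint.sh (rendered from
# ./entrypoint.sh) is the container command.
{
  lib,
  callPackage,
  dockerTools,
  openssh,
  bash,
  gnused,
  util-linux,
  qemu-user
}:
dockerTools.buildLayeredImage {
  name = "build-worker-oci";
  tag = "latest";
  # Base image is built by the sibling expression ./source.nix.
  fromImage = callPackage ./source.nix {};
  maxLayers = 110;
  passthru.updateScript = ./update.sh;
  # The commands below create root-owned paths under /root, /etc and /var.
  enableFakechroot = true;
  contents = [ openssh util-linux bash gnused qemu-user ];
  config.Cmd = [ "/entrypoint.sh" ];
  fakeRootCommands = let
    # Features this worker advertises to Nix; builds requiring any of them
    # may be scheduled here. The gccarch-* entries name the ISAs the worker
    # is prepared to build for (the non-x86 ones via qemu-user).
    system-features = [
      "benchmark"
      "big-parallel"
      "nixos-test"
      "uid-range"
      "gccarch-x86-64"
      "gccarch-x86-64-v2"
      "gccarch-x86-64-v3"
      "gccarch-armv8-a"
      "gccarch-armv8.1-a"
      "gccarch-armv8.2-a"
      "gccarch-armv8.2-a+fp16+rcpc+dotprod"
      "gccarch-rv64imac"
      "gccarch-rv64imacfd"
      "gccarch-rv64gc"
    ];
    # Free-space thresholds for nix's garbage collector, in bytes:
    # 49152 MiB = 48 GiB and 65536 MiB = 64 GiB.
    minFreeBytes = builtins.toString (49152 * 1024 * 1024);
    maxFreeBytes = builtins.toString (65536 * 1024 * 1024);
  in ''
    # Nix has already substituted its interpolations into this script, so every
    # heredoc uses a quoted delimiter: bash must not expand or mangle anything
    # in the key material or config text below.
    mkdir -p /root

    # Daemon settings for the worker; entrypoint.sh is expected to install
    # this file where nix reads it (not visible from this expression).
    cat <<'EOF' > /root/nix.conf
    build-users-group = nixbld
    experimental-features = nix-command flakes
    sandbox = true
    substituters = https://cache.kyouma.net https://cache.nixos.org
    trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
    max-substitution-jobs = 20
    max-silent-time = 14400
    min-free = ${minFreeBytes}
    max-free = ${maxFreeBytes}
    system-features = ${toString system-features}
    EOF

    # Keys allowed to log in as root. Only these grant access: sshd_config
    # below disables every other authentication method.
    mkdir -p /root/.ssh
    cat <<'EOF' > /root/.ssh/authorized_keys
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK397sBHLS66snWNPtmjUy7qZxRJh54N0RRXogKODudl nix@muon
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/RmFnel8pcZT9nh7EAfKfAekt3BoEXy0G7G2GTacN/ aprl@computer
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxsX+lEWkHZt9NOvn9yYFP0Z++186LY4b97C4mwj/f2 aprl@whatever
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpyVefbZLkNVNzdSIlO6x6JohHE1snoHiUB3Qdvl5I2 aprl@idk
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVNo871p97NTefP52KYiwuch+FaVScxvcFd9fg0yykySTq7Y5JsxrJQgTnox/oDa0O87OyHD/GHQljAXkqiHpDkExbiGjDmGXJSKReKH061F4FqBnDIwYRzUu9Cxjl4MNqsU0RqLaz4+F42c/L7GROQwjEPUb8JHThRiI5FJnDvvB+oBLBxeyQA4v3O4i8DaDQayTr/XB+aSlhNwKrb6cjjL93AHT1uE53yY5jn4kZX+RiPQhH7rvt9N6E4Yr3CG6nUgRCUS0L66d9yfrq0XAbAVk9F+viV7Nk9qy4MWHtXZ4h0qUlzrGALPgGsCGiLGd4NvEgeCcV4nvxdmevxTSdKlJP75xlmlLVXGyhqCZkTsxm/png2UvDl+p0pLyrgNaNoXPdE0Jbv7C28WX36Nast1QFSMUhexzuOx8OgaOioeXVfK98AouqWb58iPBCvgreUIH/gJhZcnlB/Foo1KSO+fJNH8hAsLH7w0mnKyHhJjkrjjwUqsnpepB3SOLfZTE= aprl@meow
    ssh-rsa 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 aprl@uwu
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAl3/krXJeCcDEJXRuzOdCOrJLG7b6MRqC+a9Xux3mW vika@hydrangea
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQjTy9qqHcs5vgTz+iMAiNNMqdyGtOhEpnpJCReEFfZ vika@rafflesia
    sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINAgFdk78I4zssUGsAIV01zefLBpwc1W7hfTobbG80XLAAAABHNzaDo= vika@nitrokey
    EOF
    # sshd_config below sets StrictModes yes, which rejects the key file if the
    # directory or file is group/world-writable. Set the modes explicitly
    # instead of depending on the build sandbox's umask.
    chmod 700 /root/.ssh
    chmod 600 /root/.ssh/authorized_keys

    # Read by sshd because of PermitUserEnvironment yes: puts the nix profile
    # binaries on PATH for sessions opened by remote builders.
    cat <<'EOF' > /root/.ssh/environment
    PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin
    EOF

    # Public-key-only sshd on port 2222 with a restricted algorithm set. The
    # host key lives on the mounted data volume, not in the image.
    cat <<'EOF' > /root/sshd_config
    AcceptEnv GIT_PROTOCOL
    AuthenticationMethods publickey
    AuthorizedPrincipalsFile none
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    GatewayPorts no
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
    KbdInteractiveAuthentication no
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
    LogLevel INFO
    Macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    PasswordAuthentication no
    PermitRootLogin prohibit-password
    PermitUserEnvironment yes
    PrintMotd no
    PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
    StreamLocalBindUnlink yes
    StrictModes yes
    UseDns no
    UsePAM no
    X11Forwarding no
    Banner none
    AddressFamily any
    Port 2222
    Subsystem sftp ${openssh}/libexec/sftp-server
    AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
    HostKey /mnt/data/ssh/ssh_host_ed25519_key
    EOF

    # Directories sshd and the entrypoint expect to exist (/var/empty is the
    # privilege-separation chroot).
    mkdir -p /etc/keys
    mkdir -p /var/empty
    mkdir -p /var/log

    # Render the entrypoint, pinning the qemu-user binaries by store path so
    # it does not depend on PATH at runtime. Relies on stdenv's `substitute`.
    substitute ${./entrypoint.sh} /entrypoint.sh \
      --subst-var-by qemu-aarch64 ${lib.getExe' qemu-user "qemu-aarch64"} \
      --subst-var-by qemu-riscv64 ${lib.getExe' qemu-user "qemu-riscv64"}
    chmod +x /entrypoint.sh
  '';
}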