From a19e08e2efad158365b0e7ea97d8847dbca7ed62 Mon Sep 17 00:00:00 2001
From: Marko Kaapu
Date: Fri, 16 Feb 2024 15:16:21 +0200
Subject: [PATCH] remote x86 hydra builder: Add Yubikey provisioning

- Environment for Yubikey provisioning (legacy Hydra builds)
- Add Yubikey signer accounts for build3 and build4

Signed-off-by: Marko Kaapu
---
 hosts/ficolobuild/build3.nix | 11 +++++++++++
 hosts/ficolobuild/build4.nix | 11 +++++++++++
 hosts/ficolobuild/builder.nix | 7 +++++++
 3 files changed, 29 insertions(+)

diff --git a/hosts/ficolobuild/build3.nix b/hosts/ficolobuild/build3.nix
index 6158fc9a..96f7d675 100644
--- a/hosts/ficolobuild/build3.nix
+++ b/hosts/ficolobuild/build3.nix
@@ -19,6 +19,17 @@
 
 networking.hostName = "build3";
 
+ # Yubikey signer
+ users.users = {
+ yubimaster = {
+ isNormalUser = true;
+ extraGroups = ["docker"];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDfEUoARtE5ZMYofegtm3lECzaQeAktLQ2SqlHcV9jL signer"
+ ];
+ };
+ };
+
 # Trust Themisto Hydra user
 nix.settings = {
 trusted-users = ["root" "themisto" "@wheel"];
diff --git a/hosts/ficolobuild/build4.nix b/hosts/ficolobuild/build4.nix
index de9829c6..72e9074c 100644
--- a/hosts/ficolobuild/build4.nix
+++ b/hosts/ficolobuild/build4.nix
@@ -17,6 +17,17 @@
 
 networking.hostName = "build4";
 
+ # Yubikey signer
+ users.users = {
+ yubimaster = {
+ isNormalUser = true;
+ extraGroups = ["docker"];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2BcpFzSXOuK9AzN+J1HBVnuVV8D3wgdEwPuILNy2aM signer"
+ ];
+ };
+ };
+
 # Trust Themisto Hydra user
 nix.settings = {
 trusted-users = ["root" "themisto"];
diff --git a/hosts/ficolobuild/builder.nix b/hosts/ficolobuild/builder.nix
index fe3f1458..0e64f98f 100644
--- a/hosts/ficolobuild/builder.nix
+++ b/hosts/ficolobuild/builder.nix
@@ -4,6 +4,7 @@
 {
 self,
 config,
+ pkgs,
 inputs,
 lib,
 modulesPath,
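Review bot: The new `yubimaster` account's `extraGroups = ["docker"];` makes it root-equivalent on build3, because any member of the docker group can ask the root-running daemon to start a privileged container or bind-mount the host filesystem; the identical account in the build4.nix hunk has the same property. Nothing in the hunk records that this is intended, so the line should carry a comment such as `# NOTE: docker group membership is root-equivalent on this host; yubimaster is a dedicated, key-only provisioning account`. Since the account is single-purpose and reachable only through the listed key, it is also worth checking whether the provisioning session tolerates an authorized_keys option like `restrict` on that key so forwarding and other SSH features are off for it. The `users.users` block also sits next to the `nix.settings` trusted-users list, which is a good place to state that yubimaster is deliberately not a trusted Nix user.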
@@ -41,4 +42,10 @@
 # Use the systemd-boot EFI boot loader.
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
+
+ # Environment for Yubikey provisioning
+ environment.systemPackages = with pkgs; [
+ usbutils
+ ];
+ virtualisation.docker.enable = true;
 }
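Review bot: `virtualisation.docker.enable = true;` starts a root Docker daemon on every host that imports builder.nix, which widens the builder's attack surface well beyond the Yubikey provisioning use the comment names (Docker also installs its own firewall rules by default, which may interact with whatever packet-filter configuration the host already has). The comment should say why the daemon, rather than just a package, is needed, e.g. `# Docker is required by the legacy Hydra Yubikey provisioning tooling; the daemon runs as root, so docker group members are root-equivalent`. If provisioning is occasional, `virtualisation.docker.enableOnBoot = false;` (if I read the NixOS module right, the daemon is then started on first socket access rather than at boot) or the rootless variant under `virtualisation.docker.rootless` would reduce the standing exposure. The enclosing attribute set starts outside the hunk.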