guix-commits

04/04: hydra: berlin: Specify the complete list of authorized keys.


From: Ludovic Courtès
Subject: 04/04: hydra: berlin: Specify the complete list of authorized keys.
Date: Sat, 24 Oct 2020 18:12:39 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 0142a54267be4ca034a2a590fb3016b1d8981679
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Sun Oct 25 00:06:01 2020 +0200

    hydra: berlin: Specify the complete list of authorized keys.
    
    This is in preparation of purely declarative ACLs:
    
      https://issues.guix.gnu.org/39819#8
    
    * hydra/berlin.scm (%build-node-key-directory, %build-node-keys): New
    variables.
    <top level>: Pass #:authorized-keys to 'frontend-services'.
---
 hydra/berlin.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hydra/berlin.scm b/hydra/berlin.scm
index 2b0ffd9..ef63bff 100644
--- a/hydra/berlin.scm
+++ b/hydra/berlin.scm
@@ -4,7 +4,10 @@
 (use-modules (gnu) (guix) (sysadmin services) (sysadmin people) (sysadmin dns)
              (sysadmin web)
              (guix git-download)
-             (srfi srfi-1))
+             ((guix utils) #:select (current-source-directory))
+             ((guix build utils) #:select (find-files))
+             (srfi srfi-1)
+             (ice-9 match))
 (use-service-modules base databases dns monitoring networking admin shepherd
                     ssh)
 (use-package-modules admin certs emacs linux mail monitoring
@@ -128,6 +131,19 @@ Happy hacking!\n"))
                 ,@(alist-delete "guile-fibers" (package-inputs mumi)))))))
 
 
+(define %build-node-key-directory
+  ;; Directory containing the signing keys of build nodes.
+  (string-append (current-source-directory) "/keys/guix/berlin"))
+
+(define %build-node-keys
+  ;; Signing keys of the build nodes.
+  (map (lambda (file)
+         (local-file file (string-map (match-lambda
+                                        (#\: #\-)
+                                        (chr chr))
+                                      (basename file))))
+       (find-files %build-node-key-directory "\\.pub$")))
+
 
 (operating-system
   (host-name "berlin.guix.gnu.org")
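Review bot: In %build-node-keys the authorized set is whatever find-files returns for "\\.pub$" under %build-node-key-directory, so any file ending in .pub that lands anywhere below keys/guix/berlin becomes an authorized signing key without a corresponding change to berlin.scm. Since the commit message describes this as the complete list of authorized keys, the comment on %build-node-keys should say that adding a file to that directory grants authorization, or the expected file names could be listed explicitly so that an unexpected key shows up in review of this file. The string-map that turns #\: into #\- in the basename also needs a one-line comment explaining why the colon has to be replaced.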
@@ -336,6 +352,7 @@ Happy hacking!\n"))
 
              (frontend-services %sysadmins
                                 ;; Make sure we get enough build users.
+                                #:authorized-keys %build-node-keys
                                 #:build-accounts-to-max-jobs-ratio 5
                                 #:gc-threshold (* 3 TiB)
                                 #:systems '("x86_64-linux" "i686-linux"
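Review bot: The new #:authorized-keys argument is inserted between the comment ";; Make sure we get enough build users." and the #:build-accounts-to-max-jobs-ratio 5 line that the comment describes, so the comment now appears to document the key list. Move #:authorized-keys %build-node-keys above that comment (directly after %sysadmins) or give it its own comment, so it stays obvious which argument controls trust in build-node signatures and which one sizes the build accounts.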


