remote x86 hydra builder: add Yubikey provisioning

- Environment for Yubikey provisioning (legacy Hydra builds) - Add Yubikey signer accounts for build3 and build4 Signed-off-by: Marko Kaapu <marko.kaapu@unikie.com>
tiiuae · Feb 20, 2024 · e9bd921 · e9bd921
1 parent ee91375
commit e9bd921
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/hosts/ficolobuild/build3.nix b/hosts/ficolobuild/build3.nix
@@ -19,6 +19,17 @@
 
   networking.hostName = "build3";
 
+  # Yubikey signer
+  users.users = {
+    yubimaster = {
+      isNormalUser = true;
+      extraGroups = ["docker"];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDfEUoARtE5ZMYofegtm3lECzaQeAktLQ2SqlHcV9jL signer"
+      ];
+    };
+  };
+
   # Trust Themisto Hydra user
   nix.settings = {
     trusted-users = ["root" "themisto" "@wheel"];

diff --git a/hosts/ficolobuild/build4.nix b/hosts/ficolobuild/build4.nix
@@ -17,6 +17,17 @@
 
   networking.hostName = "build4";
 
+  # Yubikey signer
+  users.users = {
+    yubimaster = {
+      isNormalUser = true;
+      extraGroups = ["docker"];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA2BcpFzSXOuK9AzN+J1HBVnuVV8D3wgdEwPuILNy2aM signer"
+      ];
+    };
+  };
+
   # Trust Themisto Hydra user
   nix.settings = {
     trusted-users = ["root" "themisto"];

diff --git a/hosts/ficolobuild/builder.nix b/hosts/ficolobuild/builder.nix
@@ -4,6 +4,7 @@
 {
   self,
   config,
+  pkgs,
   inputs,
   lib,
   modulesPath,
@@ -41,4 +42,10 @@
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
+
+  # Environment for Yubikey provisioning
+  environment.systemPackages = with pkgs; [
+    usbutils
+  ];
+  virtualisation.docker.enable = true;
 }