First attempt at making declarative VMs

In order to make buildbot more secure, the builds need to happen inside
VMs so that they can be thrown out on demand when not needed.

This commit implements this facility on dilion, and also defines
declaratively some previous VMs which used to run on the machine.

1 files changed, 15 insertions, 3 deletions

diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index be8269e..a59d607 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -76,12 +76,24 @@
   };
 
   myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
-  imports = builtins.attrValues (import ../..);
+  imports = builtins.attrValues (import ../..) ++ [ ./dilion/vms.nix ];
 
   system.nssModules = [ pkgs.libvirt ];
   system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
   programs.zsh.enable = true;
 
+  users.users.libvirt = {
+    hashedPassword = "!";
+    shell = pkgs.bashInteractive;
+    isSystemUser = true;
+    group = "libvirtd";
+    packages = [ pkgs.netcat-openbsd ];
+    openssh.authorizedKeys.keyFiles = [
+      "${privateFiles}/buildbot_ssh_key.pub"
+    ];
+    openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.ismael_flony ];
+  };
+
   users.users.backup = {
     hashedPassword = "!";
     isSystemUser = true;
@@ -118,7 +130,7 @@
     after = [ "network.target" ];
 
     serviceConfig = {
-      ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:22";
+      ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
     };
   };
 
@@ -170,7 +182,7 @@
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
     upstreams = {
-      caldance.servers."nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:3031" = {};
+      caldance.servers."caldance:3031" = {};
     };
     virtualHosts = {
       "dev.immae.eu" = {