wurzel/fruitbasket
9
1
Fork 0
Code Issues 5 Pull requests Packages Projects Releases Wiki Activity

Allow users to use the server as remote builder #68

Closed
rouven0 wants to merge 1 commit from nix-remote into main
pull from: nix-remote
merge into: wurzel:main
Conversation 3 Commits 1 Files changed 1 +6
rouven0 commented 2023-09-17 22:52:26 +02:00 (Migrated from github.com)
Copy link

Proposal

Allow users who ask for it to use the server as a remote builder for their nix projects.
FSR Infrastructure has a history of being used for private belongings too and there haven't been problems with it. A lot in here follows the fair use principle.

Implementation

Trusted users are managed via an ldap group. And can then use the nix daemon as their local ldap user.

## Proposal Allow users who ask for it to use the server as a remote builder for their nix projects. FSR Infrastructure has a history of being used for private belongings too and there haven't been problems with it. A lot in here follows the fair use principle. ## Implementation Trusted users are managed via an ldap group. And can then use the nix daemon as their local ldap user.
👍 2
bennofs commented 2023-09-18 08:58:13 +02:00 (Migrated from github.com)
Copy link

Note the following warning from the nix.conf man page:

Warning


Adding a user to trusted-users is essentially equivalent to giving that user root access to the system. For example, the user can set sandbox-paths and thereby obtain read access to directories that are otherwise inacessible to them.

So I think access to remote building should be reserved for FSR roots.

Note the following warning from the **nix.conf** man page: > **Warning** > Adding a user to trusted-users is essentially equivalent to giving that user root access to the system. For example, the user can set sandbox-paths and thereby obtain read access to directories that are otherwise inacessible to them. So I think access to remote building should be reserved for FSR roots.
bennofs commented 2023-09-18 09:00:52 +02:00 (Migrated from github.com)
Copy link

Additionally, I wouldn't recommend using a production system as remote builder. Builds tend to be quite resource intensive. For example, disk space can easily fill up as a result of remote building. This will then impact the production infrastructure, which is not nice.

Additionally, I wouldn't recommend using a production system as remote builder. Builds tend to be quite resource intensive. For example, disk space can easily fill up as a result of remote building. This will then impact the production infrastructure, which is not nice.
😕 1
rouven0 commented 2023-09-18 10:09:37 +02:00 (Migrated from github.com)
Copy link

Fair points. I've looked a bit around, https://nixos.wiki/wiki/Distributed_build describes a setup in which no privileged users are needed. But I don't know if this article is still valid.

Fair points. I've looked a bit around, https://nixos.wiki/wiki/Distributed_build describes a setup in which no privileged users are needed. But I don't know if this article is still valid.

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: wurzel/fruitbasket#68
No description provided.
Delete branch "nix-remote"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?