Allow users to use the server as remote builder #68

Closed
rouven0 wants to merge 1 commit from nix-remote into main
rouven0 commented 2023-09-17 22:52:26 +02:00 (Migrated from github.com)

Proposal

Allow users who ask for it to use the server as a remote builder for their nix projects.
FSR Infrastructure has a history of being used for private belongings too and there haven't been problems with it. A lot in here follows the fair use principle.

Implementation

Trusted users are managed via an LDAP group and can then use the Nix daemon as their local LDAP user.

bennofs commented 2023-09-18 08:58:13 +02:00 (Migrated from github.com)

Note the following warning from the nix.conf man page:

Warning

Adding a user to trusted-users is essentially equivalent to giving that user root access to the system. For example, the user can set sandbox-paths and thereby obtain read access to directories that are otherwise inaccessible to them.

So I think access to remote building should be reserved for FSR roots.

bennofs commented 2023-09-18 09:00:52 +02:00 (Migrated from github.com)

Additionally, I wouldn't recommend using a production system as remote builder. Builds tend to be quite resource intensive. For example, disk space can easily fill up as a result of remote building. This will then impact the production infrastructure, which is not nice.

rouven0 commented 2023-09-18 10:09:37 +02:00 (Migrated from github.com)

Fair points. I've looked a bit around, https://nixos.wiki/wiki/Distributed_build describes a setup in which no privileged users are needed. But I don't know if this article is still valid.


Pull request closed
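
The nix.conf warning quoted in the thread means that every member of a group listed in trusted-users is effectively root on the builder. The following is an added example, not code from this pull request or the repository, that lists who such a setting covers. The sample configuration, the group name `nix-builders` and its members are constructed, and group membership is passed in as a dict so the script runs offline.

```python
# Added example: list who is root-equivalent through nix.conf trusted-users.
SAMPLE_NIX_CONF = """\
# constructed sample, not the server's real configuration
sandbox = true
trusted-users = root @nix-builders   # hypothetical LDAP-backed group
extra-trusted-users = alice
allowed-users = *
"""
# Constructed group membership; on a real host resolve it with grp.getgrnam().
SAMPLE_GROUPS = {"nix-builders": ["carol", "bob"]}


def list_setting(conf_text, name, default=()):
    """Effective value of a list setting; extra-<name> appends to it."""
    values = list(default)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue  # blank line, comment or include directive
        key, _, value = line.partition("=")
        key = key.strip()
        if key == name:
            values = value.split()       # a later assignment replaces the list
        elif key == "extra-" + name:
            values += value.split()
    return values


def root_equivalent(conf_text, groups):
    """Map each trusted-users entry to the accounts it grants trust to."""
    found = {}
    # Nix trusts only root when trusted-users is not set.
    for entry in list_setting(conf_text, "trusted-users", ["root"]):
        if entry == "*":
            found[entry] = ["<every local user>"]
        elif entry.startswith("@"):      # @name means a Unix group
            found[entry] = sorted(groups.get(entry[1:], []))
        else:
            found[entry] = [entry]
    return found


def report(conf_text, groups):
    """One finding per non-root entry, naming the accounts behind it."""
    return [f"{entry}: root-equivalent via trusted-users -> "
            f"{', '.join(users) or 'no members'}"
            for entry, users in root_equivalent(conf_text, groups).items()
            if entry != "root"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NIX_CONF, SAMPLE_GROUPS)))
```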

Reference: wurzel/fruitbasket#68