hercules: unconditional trust [nix]

Ref: https://github.com/hercules-ci/hercules-ci-agent/issues/345#issuecomment-986329977
2026-05-11 17:36:07 +08:00 · 2021-12-05 19:15:07 -05:00 · 2021-12-05 19:15:07 -05:00 · 59d48328f8
commit 59d48328f8
parent e36a0ad6d6
7 changed files with 10 additions and 5 deletions
--- a/containers/hercules.nix
+++ b/containers/hercules.nix
@ -11,6 +11,14 @@
    "https://hercules-ci.cachix.org"
  ];

+  # FIXME: User id of `hercules-ci-agent` won't match that of guest, so we do
+  # this. But it compromises security.  See
+  # https://github.com/hercules-ci/hercules-ci-agent/issues/345#issuecomment-986329977
+  # 
+  # TODO: Find a way to resolve this.
+  nix.allowedUsers = [ "*" ];
+  nix.trustedUsers = [ "*" ];
+
  containers.hercules = {
    ephemeral = false;
    autoStart = true;
@ -20,6 +28,7 @@
      ];
      services.hercules-ci-agent.enable = true;
      services.hercules-ci-agent.settings.concurrentTasks = 4;
+      services.hercules-ci-agent.settings.nixUserIsTrusted = lib.mkForce false;

      networking.firewall.allowedTCPPorts = [ ];
    };
--- a/features/server/harden.nix
+++ b/features/server/harden.nix
@ -20,4 +20,5 @@
    };
  };
  nix.allowedUsers = [ "root" "srid" ];
+  nix.trustedUsers = [ "root" "srid" ];
 }
--- a/hosts/facade.nix
+++ b/hosts/facade.nix
@ -13,7 +13,6 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
-    trustedUsers = [ "root" "srid" ];
  };

  environment.systemPackages = with pkgs; [
--- a/hosts/hetzner/ax101.nix
+++ b/hosts/hetzner/ax101.nix
@ -105,7 +105,6 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
-    trustedUsers = [ "root" "srid" ];
  };

  services.netdata.enable = true;
--- a/hosts/hetzner/ax61-nvme.nix
+++ b/hosts/hetzner/ax61-nvme.nix
@ -104,7 +104,6 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
-    trustedUsers = [ "root" "srid" ];
  };

  services.netdata.enable = true;
--- a/hosts/thick.nix
+++ b/hosts/thick.nix
@ -57,7 +57,6 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
-    trustedUsers = [ "root" "srid" ];
  };

  networking.hostName = "thick"; # Define your hostname.
--- a/hosts/thin.nix
+++ b/hosts/thin.nix
@ -41,7 +41,6 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
-    trustedUsers = [ "root" "srid" ];
  };

  networking.hostName = "thin";