Merge branch 'pr/nuc-sgx-permissions' into 'master'

steveej-nuc7pjyh-work: manage /dev/sgx devices via a sgx group & adapt posh to handle groups See merge request steveeJ/infra!31
2020-01-03 15:55:54 +00:00 · 2020-01-03 15:55:54 +00:00 · 0ab8b8ca16
commit 0ab8b8ca16
parent da84d1afe4 7d18610b2f
4 changed files with 37 additions and 41 deletions
--- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
@ -2,6 +2,8 @@

 let
 in {
+  services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"'';
+  users.groups.sgx = {};
  networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
 }
--- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
@ -12,8 +12,9 @@ in {
    uid = 1001;
    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
    shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
+    extraGroups = [ "sgx" ];

-    subUidRanges = [{ startUid = 100000; count = 100000; }];
-    subGidRanges = [{ startGid = 100000; count = 100000; }];
+    subUidRanges = [{ startUid = 100000; count = 65536; }];
+    subGidRanges = [{ startGid = 100000; count = 65536; }];
  };
 }