Add Plutus benchmarking machine config #7
Conversation
WalkthroughThe Changes
Sequence Diagram(s) (Beta)sequenceDiagram
participant User
participant NixOS
participant GitHub
participant Disko
participant Nixpkgs
User->>NixOS: Request for `plutus-bench` setup
NixOS->>Nixpkgs: Fetch configuration from updated URL
NixOS->>Disko: Fetch configuration from updated URL
NixOS->>GitHub: Setup GitHub actions for `plutus-benchmark`
GitHub->>NixOS: GitHub actions configured
NixOS->>User: `plutus-bench` setup complete
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments generated: 1
Files ignored due to filter (1)
- flake.lock
Files selected for processing (2)
- flake.nix (2 hunks)
- nixos/ax41-nvme.nix (1 hunks)
Additional comments (Suppressed): 7
flake.nix (2)
7-7: The new dependency
diskohas been added. Ensure that this package is available and accessible from the specified URL, and that it's compatible with the rest of the system.18-63: This is a significant addition to the configuration. It introduces a new NixOS configuration named
plutus-bench. The configuration covers networking setup, SSH authorized keys, DNS servers, system packages, Nix settings, and a GitHub runner specifically for Plutus benchmarking.Ensure that all the IP addresses, MAC address, and SSH keys are correct and secure. Also, verify that the GitHub runner's token file path (
/root/runner-pat) exists and contains a valid token. Lastly, check if the Nix settings, especially theexperimental-features, are compatible with your Nix version and won't cause any issues in your environment.nixos/ax41-nvme.nix (5)
1-5: The assertion
(inputs ? disko)checks ifdiskois present in theinputs. If it's not, the script will fail. This could be a potential issue ifdiskois not always guaranteed to be ininputs. Please ensure thatdiskois always included ininputsor handle the case when it's not.46-57: Ensure that the specified kernel modules and GRUB settings are compatible with the system where this configuration will be deployed. Incompatibility can lead to boot failures or other issues.
60-107: This section defines disk partitions. Ensure that these configurations match the actual hardware setup. Misconfiguration can lead to data loss or other serious issues.
110-113: This sets the MAC address and name of the main network interface. Make sure that the MAC address matches the actual hardware. Incorrect MAC address can cause networking issues.
115-128: This section configures IP addresses and default gateways. Ensure that these settings are correct and compatible with your network infrastructure. Incorrect settings can cause networking issues.
Tips
Chat with CodeRabbit Bot (@coderabbitai)
- Tag the bot with
@coderabbitaiin any review comment to ask it questions. The bot will not respond unless explicitly tagged. - A review comment is a comment on a diff or a file and not a comment on the PR itself.
- You can use the mouse to select multiple lines of code to provide exact context to the bot.
Code suggestions
- The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
- You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.
Pausing incremental reviews
- Add
@coderabbitai: ignoreanywhere in the PR description to pause further reviews from the bot.
There was a problem hiding this comment.
Actionable comments generated: 2
Files ignored due to filter (1)
- flake.lock
Files selected for processing (2)
- flake.nix (2 hunks)
- nixos/ax41-nvme.nix (1 hunks)
Additional comments (Suppressed): 6
nixos/ax41-nvme.nix (5)
1-5: The assertion
(inputs ? disko)checks if thediskoinput is present. If it's not, the configuration will fail. Ensure that thediskoinput is always provided when using this module.46-57: The boot configuration specifies certain kernel modules and GRUB settings. Make sure these settings are compatible with the hardware and OS version you're deploying to. In particular, check that the device path
/dev/disk/by-path/pci-0000:2c:00.0-nvme-1exists on the target system.60-107: This section defines disk partitions for two disks. It's important to ensure that the specified device paths exist on the target system. Also, verify that the partition sizes (
startandend) are appropriate for your use case.110-113: This section sets the MAC address and name for the main network interface. Ensure that the MAC address matches the actual hardware.
115-128: This section configures IP addresses and default gateways for the main network interface. Make sure the provided IPv4 and IPv6 addresses, netmasks, and gateways are correct and reachable in your network environment.
flake.nix (1)
- 7-7: The new dependency
diskohas been added. Please ensure that this package is maintained and updated regularly to avoid potential security vulnerabilities or outdated packages.
Tips
Chat with CodeRabbit Bot (@coderabbitai)
- Tag the bot with
@coderabbitaiin any review comment to ask it questions. The bot will not respond unless explicitly tagged. - A review comment is a comment on a diff or a file and not a comment on the PR itself.
- You can use the mouse to select multiple lines of code to provide exact context to the bot.
Code suggestions
- The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
- You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.
Pausing incremental reviews
- Add
@coderabbitai: ignoreanywhere in the PR description to pause further reviews from the bot.
| }; | ||
| }; | ||
|
|
||
| services.openssh.enable = true; |
There was a problem hiding this comment.
Enabling SSH service is a good practice for remote management of the server. However, make sure to secure it properly, for example by disabling password authentication and using key-based authentication instead.
flake.nix
Outdated
| nixosConfigurations.plutus-bench = nixpkgs.lib.nixosSystem { | ||
| system = "x86_64-linux"; | ||
| specialArgs = { inherit inputs; }; | ||
| modules = [ | ||
| ./nixos/ax41-nvme.nix | ||
| { | ||
| system.stateVersion = "23.05"; | ||
| hetzner-dedicated.nic = { | ||
| ipv4 = "65.108.236.230"; | ||
| netmask4 = 26; | ||
| gateway4 = "65.108.236.193"; | ||
| ipv6 = "2a01:4f9:1a:b0de::2"; | ||
| netmask6 = 64; | ||
| mac = "a8:a1:59:a2:95:40"; | ||
| }; | ||
| users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" ]; | ||
| networking.nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ]; | ||
| } | ||
| ({ pkgs, lib, ... }: { | ||
| environment.systemPackages = [ pkgs.git ]; | ||
| nixpkgs.config.permittedInsecurePackages = [ | ||
| "nodejs-16.20.2" | ||
| ]; | ||
| nix.settings = { | ||
| max-jobs = 12; | ||
| cores = 0; | ||
| sandbox = true; | ||
| substituters = lib.mkAfter [ "https://cache.iog.io" ]; | ||
| trusted-public-keys = [ | ||
| "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" | ||
| ]; | ||
| trusted-users = [ "root" ]; | ||
| builders-use-substitutes = true; | ||
| experimental-features = [ "nix-command" "flakes" ]; | ||
| bash-prompt = ''\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w \[\033[01;31m\](dev-shell)\[\033[01;32m\]]\$ \[\033[0m\]''; | ||
| }; | ||
| services.github-runner = { | ||
| enable = true; | ||
| extraLabels = [ "plutus-benchmark" ]; | ||
| name = "plutus-benchmark"; | ||
| tokenFile = "/root/runner-pat"; | ||
| url = "https://github.com/input-output-hk/plutus"; | ||
| }; | ||
| }) | ||
| ]; | ||
| }; |
There was a problem hiding this comment.
A new NixOS configuration named plutus-bench has been introduced. This includes system configurations for networking, SSH authorized keys, DNS servers, system packages, Nix settings, and a GitHub runner setup for Plutus benchmarking.
However, there are a few points to consider:
-
The root user's SSH key is hardcoded (line 33). It would be better to move sensitive data like this out of the codebase and into a secure environment variable or secrets management system.
-
The IP addresses and MAC address are also hardcoded (lines 26-31). If these values need to change in the future, you'll have to modify the codebase. Consider whether it would be more maintainable to externalize these values.
-
The permitted insecure package
nodejs-16.20.2(line 39) might pose a security risk. Ensure that using this package is absolutely necessary and that there are no secure alternatives. -
The bash prompt is customized (line 52). Make sure this change doesn't interfere with any developers' personal settings if they use this configuration.
-
The GitHub runner setup (lines 54-60) includes a token file path. Ensure that this file is securely managed and not exposed.
- users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" ];
+ users.users.root.openssh.authorizedKeys.keys = [ "<SSH_KEY>" ];
- hetzner-dedicated.nic = {
- ipv4 = "65.108.236.230";
- netmask4 = 26;
- gateway4 = "65.108.236.193";
- ipv6 = "2a01:4f9:1a:b0de::2";
- netmask6 = 64;
- mac = "a8:a1:59:a2:95:40";
- };
+ hetzner-dedicated.nic = {
+ ipv4 = "<IPV4_ADDRESS>";
+ netmask4 = <NETMASK4>;
+ gateway4 = "<GATEWAY4>";
+ ipv6 = "<IPV6_ADDRESS>";
+ netmask6 = <NETMASK6>;
+ mac = "<MAC_ADDRESS>";
+ };
- nixpkgs.config.permittedInsecurePackages = [
- "nodejs-16.20.2"
- ];
+ nixpkgs.config.permittedInsecurePackages = [
+ "<PERMITTED_INSECURE_PACKAGES>"
+ ];
- services.github-runner = {
- enable = true;
- extraLabels = [ "plutus-benchmark" ];
- name = "plutus-benchmark";
- tokenFile = "/root/runner-pat";
- url = "https://github.com/input-output-hk/plutus";
- };
+ services.github-runner = {
+ enable = true;
+ extraLabels = [ "plutus-benchmark" ];
+ name = "plutus-benchmark";
+ tokenFile = "<TOKEN_FILE_PATH>";
+ url = "https://github.com/input-output-hk/plutus";
+ };
flake.nix
Outdated
| netmask6 = 64; | ||
| mac = "a8:a1:59:a2:95:40"; | ||
| }; | ||
| users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" ]; |
There was a problem hiding this comment.
Any need to add my machine's key here for access?
There was a problem hiding this comment.
Yes, let's add it for now (in the future would like to use a tf-generated key which is available in the shared state). Which key would you like to use?
There was a problem hiding this comment.
Review Status
Actionable comments generated: 0
Configuration used: CodeRabbit UI
Files ignored due to path filters (1)
flake.lockis excluded by:!**/*.lock
Files selected for processing (1)
- flake.nix (2 hunks)
Additional comments: 7
flake.nix (7)
- 7-8: Added new inputs for
diskoandnixpkgs. Ensure that these repositories are correct and that their versions are compatible with the rest of the system.- 19-33: The
plutus-benchconfiguration includes system settings and networking configuration. Verify that the IP addresses, netmasks, gateways, and MAC address are correctly assigned and do not conflict with existing configurations.- 34-37: SSH authorized keys are hardcoded. Ensure that these keys are meant to be public and that there is no security risk in exposing them in the repository.
- 38-38: DNS servers are hardcoded. Confirm that these are the intended servers for all environments where
plutus-benchwill be deployed.- 40-45: The
environment.systemPackagesincludesgit, and there is a note to remove an insecure package when no longer necessary. Ensure that the insecure package is tracked for removal and that its inclusion is justified.- 47-59: Nix settings are specified with various options. Confirm that these settings are appropriate for the intended use case and that the
sandboxsetting is compatible with the GitHub runner setup.- 60-67: The GitHub runner configuration is set up for
plutus-benchmark. Verify that thetokenFilepath is secure and that theextraLabelsandnodeRuntimesare correctly configured for the intended workflows.
There was a problem hiding this comment.
Review Status
Actionable comments generated: 0
Configuration used: CodeRabbit UI
Files selected for processing (1)
- nixos/ax41-nvme.nix (1 hunks)
Additional comments: 7
nixos/ax41-nvme.nix (7)
- 1-6: The assertion on line 5 ensures that the
diskoinput is present before proceeding with the import on line 6. This is a good practice to avoid runtime errors.- 8-43: The options for configuring the network interface card (NIC) are well-defined with descriptions, types, and examples. However, ensure that the example values provided do not correspond to any real-world IPs or MAC addresses to avoid potential security risks.
- 47-59: The boot configuration specifies kernel modules and GRUB settings. Ensure that the device path used in
loader.grub.devicesis consistent across the system and not specific to a particular hardware setup.Verification successful
The verification process has confirmed that the device path
pci-0000:2c:00.0-nvme-1is only used within thenixos/ax41-nvme.nixfile and is not found in any other.nixfiles in the repository. This suggests that the device path is specific to theax41-nvme.nixconfiguration and not a system-wide setting.Based on this information, the review comment is addressed as the device path does not appear to be inconsistently used across different hardware configurations within the system.
* 62-109: The disk partitioning setup using `disko` is clear and specifies the filesystem types and mount points. Ensure that the partition sizes and filesystem types meet the requirements for the intended use case. * 112-115: The systemd network link configuration is set to match the MAC address and name the main network interface. This is a standard configuration. * 117-129: The networking configuration sets up IPv4 and IPv6 addresses, netmasks, and gateways. It is important to verify that these settings are correct and that they do not conflict with other configurations in the network.Scripts Executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Verify that the device path for GRUB is consistent and not hardware-specific. # Expecting consistent device paths across configurations. rg --type nix --glob '*.nix' 'pci-0000:2c:00.0-nvme-1'Length of output: 223
Script:
#!/bin/bash # Search for the device path across all nix files in the repository to ensure it's not used elsewhere # This will help confirm if the path is specific to the ax41-nvme.nix configuration. rg --type nix 'pci-0000:2c:00.0-nvme-1'Length of output: 208
Verification successful
The verification process has not found any conflicts with the networking settings within the
.nixfiles in the repository. The IPv4 and IPv6 addresses appear to be unique to theax41-nvme.nixconfiguration. Therefore, based on the information available, the review comment is verified as accurate within the scope of the repository's.nixfiles.* 132-132: The OpenSSH service is enabled, which is essential for remote management. As previously commented, ensure that it is secured properly, for example, by disabling password authentication and using key-based authentication.Scripts Executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Verify that the networking settings do not conflict with other configurations. # Expecting unique and non-conflicting network configurations. rg --type nix --glob '*.nix' 'networking.interfaces'Length of output: 52
Script:
#!/bin/bash # Broaden the search to capture any networking configuration. rg --type nix --glob '*.nix' 'networking' # Check for specific IPv4 and IPv6 addresses to ensure they are unique. rg --type nix --glob '*.nix' 'cfg.ipv4' rg --type nix --glob '*.nix' 'cfg.ipv6'Length of output: 494
There was a problem hiding this comment.
Review Status
Actionable comments generated: 0
Configuration used: CodeRabbit UI
Files ignored due to path filters (1)
flake.lockis excluded by:!**/*.lock
Files selected for processing (1)
- flake.nix (2 hunks)
Additional comments: 2
flake.nix (2)
- 7-8: Added
diskoandnixpkgsas new flake inputs. Ensure that these repositories are stable and their versions are locked to prevent unexpected changes from affecting the benchmarking environment.- 19-76: The
nixosConfigurations.plutus-benchconfiguration includes system and networking settings, power management configurations, Nix settings, and GitHub runner service configurations. A few points to consider:
Networking Configuration (Lines 26-38): Ensure that the IP addresses, netmasks, gateways, and MAC address are correctly configured for the dedicated server. Hardcoding IP addresses and MAC might not be ideal for a configuration that could be reused or shared. Consider parameterizing these values if the configuration is intended to be more generic.
Power Management (Lines 39-44): The CPU frequency governor is set to
userspace, allowing manual control over CPU frequencies. This is suitable for benchmarking to maintain consistent CPU speeds. However, ensure that the specified min and max frequencies are supported by the server's CPU.Nix Settings (Lines 54-66): The Nix settings include customizations for job handling, sandboxing, substituters, and experimental features. Verify that the
max-jobsandcoressettings align with the server's hardware capabilities to optimize build performance without overloading the system.GitHub Runner Service (Lines 67-74): The GitHub runner is enabled with specific labels and configurations for Plutus benchmarking. Ensure that the
tokenFilepath is secure and the token has the necessary permissions for the GitHub repository.Security Consideration: The configuration includes SSH authorized keys (Lines 34-37). Confirm that these keys are intended for use and that their inclusion complies with security policies.
Overall, the configuration is comprehensive and appears well-suited for the intended benchmarking purposes. However, consider the points mentioned above to ensure the setup is secure, efficient, and adaptable.
There was a problem hiding this comment.
Actionable comments posted: 1
Review Details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files ignored due to path filters (1)
flake.lockis excluded by!**/*.lock
Files selected for processing (1)
- flake.nix (2 hunks)
Additional comments not posted (2)
flake.nix (2)
7-7: Ensure thediskorepository is correctly integrated and used in the configurations.Verification successful
The verification process aimed to confirm the correct integration and usage of the
diskorepository in the Nix configurations, as specified in theflake.nixfile. The search results from the executed script provide clear evidence of the repository's integration and usage:
- The
flake.nixfile contains the URL configuration for thediskorepository.- The
nixos/ax41-nvme.nixfile shows multiple references todisko, including an assertion to check its presence, importing modules fromdisko, and specific device configurations usingdisko.These findings confirm that the
diskorepository is not only integrated but also actively used in the configurations, aligning with the expectations set in the review comment.Conclusion:
Thediskorepository is correctly integrated and utilized within the Nix configurations as evidenced by the references in multiple Nix files.
Scripts Executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Description: Verify the usage of the `disko` repository in the configurations. # Test: Search for the usage of `disko` in the Nix files. Expect: References to `disko` in configuration files. rg --type nix $'disko'Length of output: 243
8-8: Ensure thenixpkgsrepository is correctly integrated and used in the configurations.Verification successful
The search results from the executed script confirm that the
nixpkgsrepository is indeed referenced multiple times within theflake.nixfile. The specific lines from the output show various uses ofnixpkgs, including its URL configuration, as part of function parameters, and within a NixOS configuration. This indicates that thenixpkgsrepository is integrated and utilized in different parts of the configuration as expected.Based on this information, the review comment concerning the integration and usage of the
nixpkgsrepository in the configurations is verified as correct.
- The repository URL is set correctly.
nixpkgsis used as a parameter in the outputs function.- It is utilized in defining NixOS configurations, specifically
plutus-bench.- It is also referenced in setting permitted insecure packages.
Scripts Executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Description: Verify the usage of the `nixpkgs` repository in the configurations. # Test: Search for the usage of `nixpkgs` in the Nix files. Expect: References to `nixpkgs` in configuration files. rg --type nix $'nixpkgs'Length of output: 336
flake.nix
Outdated
| nixosConfigurations.plutus-bench = nixpkgs.lib.nixosSystem { | ||
| system = "x86_64-linux"; | ||
| specialArgs = { inherit inputs; }; | ||
| modules = [ | ||
| ./nixos/ax41-nvme.nix | ||
| { | ||
| system.stateVersion = "23.05"; | ||
| hetzner-dedicated.nic = { | ||
| ipv4 = "65.108.236.230"; | ||
| netmask4 = 26; | ||
| gateway4 = "65.108.236.193"; | ||
| ipv6 = "2a01:4f9:1a:b0de::2"; | ||
| netmask6 = 64; | ||
| mac = "a8:a1:59:a2:95:40"; | ||
| }; | ||
| users.users.root.openssh.authorizedKeys.keys = | ||
| [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" | ||
| "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local" | ||
| "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com" | ||
| "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof" | ||
| ]; | ||
| networking.nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ]; | ||
| powerManagement = { | ||
| cpuFreqGovernor = "userspace"; | ||
| cpufreq = { | ||
| min = 3600000; # 3.6 GHz | ||
| max = 4210000; # 4.2 GHz | ||
| }; | ||
| }; | ||
| } | ||
| ({ pkgs, lib, ... }: { | ||
| environment.systemPackages = [ pkgs.git ]; | ||
| # Remove when GHA removes upstream | ||
| nixpkgs.config.permittedInsecurePackages = [ | ||
| "nodejs-16.20.2" | ||
| ]; | ||
|
|
||
| nix.settings = { | ||
| max-jobs = 12; | ||
| cores = 0; | ||
| sandbox = true; | ||
| substituters = lib.mkAfter [ "https://cache.iog.io" ]; | ||
| trusted-public-keys = [ | ||
| "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" | ||
| ]; | ||
| trusted-users = [ "root" ]; | ||
| builders-use-substitutes = true; | ||
| experimental-features = [ "nix-command" "flakes" ]; | ||
| bash-prompt = ''\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w \[\033[01;31m\](dev-shell)\[\033[01;32m\]]\$ \[\033[0m\]''; | ||
| }; | ||
| services.github-runner = { | ||
| enable = true; | ||
| extraLabels = [ "plutus-benchmark" ]; | ||
| name = "plutus-benchmark"; | ||
| tokenFile = "/root/runner-pat"; | ||
| url = "https://github.com/input-output-hk/plutus"; | ||
| nodeRuntimes = [ "node16" "node20" ]; | ||
| }; | ||
| }) | ||
| ]; | ||
| }; |
There was a problem hiding this comment.
Review the plutus-bench configuration for potential security and maintainability issues.
- users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" ];
+ users.users.root.openssh.authorizedKeys.keys = [ "<SSH_KEY>" ];
- hetzner-dedicated.nic = {
- ipv4 = "65.108.236.230";
- netmask4 = 26;
- gateway4 = "65.108.236.193";
- ipv6 = "2a01:4f9:1a:b0de::2";
- netmask6 = 64;
- mac = "a8:a1:59:a2:95:40";
- };
+ hetzner-dedicated.nic = {
+ ipv4 = "<IPV4_ADDRESS>";
+ netmask4 = <NETMASK4>;
+ gateway4 = "<GATEWAY4>";
+ ipv6 = "<IPV6_ADDRESS>";
+ netmask6 = <NETMASK6>;
+ mac = "<MAC_ADDRESS>";
+ };
- nixpkgs.config.permittedInsecurePackages = [
- "nodejs-16.20.2"
- ];
+ nixpkgs.config.permittedInsecurePackages = [
+ "<PERMITTED_INSECURE_PACKAGES>"
+ ];
- services.github-runner = {
- enable = true;
- extraLabels = [ "plutus-benchmark" ];
- name = "plutus-benchmark";
- tokenFile = "/root/runner-pat";
- url = "https://github.com/input-output-hk/plutus";
- };
+ services.github-runner = {
+ enable = true;
+ extraLabels = [ "plutus-benchmark" ];
+ name = "plutus-benchmark";
+ tokenFile = "<TOKEN_FILE_PATH>";
+ url = "https://github.com/input-output-hk/plutus";
+ };Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
| nixosConfigurations.plutus-bench = nixpkgs.lib.nixosSystem { | |
| system = "x86_64-linux"; | |
| specialArgs = { inherit inputs; }; | |
| modules = [ | |
| ./nixos/ax41-nvme.nix | |
| { | |
| system.stateVersion = "23.05"; | |
| hetzner-dedicated.nic = { | |
| ipv4 = "65.108.236.230"; | |
| netmask4 = 26; | |
| gateway4 = "65.108.236.193"; | |
| ipv6 = "2a01:4f9:1a:b0de::2"; | |
| netmask6 = 64; | |
| mac = "a8:a1:59:a2:95:40"; | |
| }; | |
| users.users.root.openssh.authorizedKeys.keys = | |
| [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" | |
| "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local" | |
| "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com" | |
| "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof" | |
| ]; | |
| networking.nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ]; | |
| powerManagement = { | |
| cpuFreqGovernor = "userspace"; | |
| cpufreq = { | |
| min = 3600000; # 3.6 GHz | |
| max = 4210000; # 4.2 GHz | |
| }; | |
| }; | |
| } | |
| ({ pkgs, lib, ... }: { | |
| environment.systemPackages = [ pkgs.git ]; | |
| # Remove when GHA removes upstream | |
| nixpkgs.config.permittedInsecurePackages = [ | |
| "nodejs-16.20.2" | |
| ]; | |
| nix.settings = { | |
| max-jobs = 12; | |
| cores = 0; | |
| sandbox = true; | |
| substituters = lib.mkAfter [ "https://cache.iog.io" ]; | |
| trusted-public-keys = [ | |
| "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" | |
| ]; | |
| trusted-users = [ "root" ]; | |
| builders-use-substitutes = true; | |
| experimental-features = [ "nix-command" "flakes" ]; | |
| bash-prompt = ''\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w \[\033[01;31m\](dev-shell)\[\033[01;32m\]]\$ \[\033[0m\]''; | |
| }; | |
| services.github-runner = { | |
| enable = true; | |
| extraLabels = [ "plutus-benchmark" ]; | |
| name = "plutus-benchmark"; | |
| tokenFile = "/root/runner-pat"; | |
| url = "https://github.com/input-output-hk/plutus"; | |
| nodeRuntimes = [ "node16" "node20" ]; | |
| }; | |
| }) | |
| ]; | |
| }; | |
| nixosConfigurations.plutus-bench = nixpkgs.lib.nixosSystem { | |
| system = "x86_64-linux"; | |
| specialArgs = { inherit inputs; }; | |
| modules = [ | |
| ./nixos/ax41-nvme.nix | |
| { | |
| system.stateVersion = "23.05"; | |
| hetzner-dedicated.nic = { | |
| ipv4 = "<IPV4_ADDRESS>"; | |
| netmask4 = <NETMASK4>; | |
| gateway4 = "<GATEWAY4>"; | |
| ipv6 = "<IPV6_ADDRESS>"; | |
| netmask6 = <NETMASK6>; | |
| mac = "<MAC_ADDRESS>"; | |
| }; | |
| users.users.root.openssh.authorizedKeys.keys = | |
| [ "<SSH_KEY>" | |
| "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local" | |
| "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com" | |
| "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof" | |
| ]; | |
| networking.nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ]; | |
| powerManagement = { | |
| cpuFreqGovernor = "userspace"; | |
| cpufreq = { | |
| min = 3600000; # 3.6 GHz | |
| max = 4210000; # 4.2 GHz | |
| }; | |
| }; | |
| } | |
| ({ pkgs, lib, ... }: { | |
| environment.systemPackages = [ pkgs.git ]; | |
| # Remove when GHA removes upstream | |
| nixpkgs.config.permittedInsecurePackages = [ | |
| "<PERMITTED_INSECURE_PACKAGES>" | |
| ]; | |
| nix.settings = { | |
| max-jobs = 12; | |
| cores = 0; | |
| sandbox = true; | |
| substituters = lib.mkAfter [ "https://cache.iog.io" ]; | |
| trusted-public-keys = [ | |
| "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" | |
| ]; | |
| trusted-users = [ "root" ]; | |
| builders-use-substitutes = true; | |
| experimental-features = [ "nix-command" "flakes" ]; | |
| bash-prompt = ''\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w \[\033[01;31m\](dev-shell)\[\033[01;32m\]]\$ \[\033[0m\]''; | |
| }; | |
| services.github-runner = { | |
| enable = true; | |
| extraLabels = [ "plutus-benchmark" ]; | |
| name = "plutus-benchmark"; | |
| tokenFile = "<TOKEN_FILE_PATH>"; | |
| url = "https://github.com/input-output-hk/plutus"; | |
| nodeRuntimes = [ "node16" "node20" ]; | |
| }; | |
| }) | |
| ]; | |
| }; |
There was a problem hiding this comment.
Actionable comments posted: 2
Review Details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files ignored due to path filters (1)
flake.lockis excluded by!**/*.lock
Files selected for processing (1)
- flake.nix (2 hunks)
Additional comments not posted (1)
flake.nix (1)
7-8: Update repository URLs to ensure they point to the correct versions.
| }; | ||
| users.users.root.openssh.authorizedKeys.keys = | ||
| [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" | ||
| "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local" | ||
| "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com" | ||
| "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof" | ||
| ]; |
There was a problem hiding this comment.
Consider externalizing sensitive data such as SSH keys to enhance security.
- users.users.root.openssh.authorizedKeys.keys =
- [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local"
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof"
- ];
+ users.users.root.openssh.authorizedKeys.keys = [ "<SSH_KEY>" ];Committable suggestion was skipped due low confidence.
flake.nix
Outdated
| nixosConfigurations.plutus-bench = nixpkgs.lib.nixosSystem { | ||
| system = "x86_64-linux"; | ||
| specialArgs = { inherit inputs; }; | ||
| modules = [ | ||
| ./nixos/ax41-nvme.nix | ||
| { | ||
| system.stateVersion = "23.05"; | ||
| hetzner-dedicated.nic = { | ||
| ipv4 = "65.108.236.230"; | ||
| netmask4 = 26; | ||
| gateway4 = "65.108.236.193"; | ||
| ipv6 = "2a01:4f9:1a:b0de::2"; | ||
| netmask6 = 64; | ||
| mac = "a8:a1:59:a2:95:40"; | ||
| }; | ||
| users.users.root.openssh.authorizedKeys.keys = | ||
| [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" | ||
| "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local" | ||
| "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com" | ||
| "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof" | ||
| ]; | ||
| networking.nameservers = [ "185.12.64.1" "185.12.64.2" "2a01:4ff:ff00::add:1" "2a01:4ff:ff00::add:2" ]; | ||
| powerManagement = { | ||
| cpuFreqGovernor = "userspace"; | ||
| cpufreq = { | ||
| min = 3600000; # 3.6 GHz | ||
| max = 4210000; # 4.2 GHz | ||
| }; | ||
| }; | ||
| } | ||
| ({ pkgs, lib, ... }: { | ||
| environment.systemPackages = [ | ||
| pkgs.git | ||
| pkgs.diffutils | ||
| ]; | ||
| # Remove when GHA removes upstream | ||
| nixpkgs.config.permittedInsecurePackages = [ | ||
| "nodejs-16.20.2" | ||
| ]; | ||
|
|
||
| nix.settings = { | ||
| max-jobs = 12; | ||
| cores = 0; | ||
| sandbox = true; | ||
| substituters = lib.mkAfter [ "https://cache.iog.io" ]; | ||
| trusted-public-keys = [ | ||
| "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" | ||
| ]; | ||
| trusted-users = [ "root" ]; | ||
| builders-use-substitutes = true; | ||
| experimental-features = [ "nix-command" "flakes" ]; | ||
| bash-prompt = ''\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w \[\033[01;31m\](dev-shell)\[\033[01;32m\]]\$ \[\033[0m\]''; | ||
| }; | ||
| services.github-runner = { | ||
| enable = true; | ||
| extraLabels = [ "plutus-benchmark" ]; | ||
| name = "plutus-benchmark"; | ||
| tokenFile = "/root/runner-pat"; | ||
| url = "https://github.com/IntersectMBO/plutus"; | ||
| nodeRuntimes = [ "node16" "node20" ]; | ||
| }; | ||
| }) | ||
| ]; | ||
| }; |
There was a problem hiding this comment.
Tip
Codebase Verification
The configuration for the GitHub runner token file and SSH authorized keys appears to be incomplete or missing. Specifically:
- The file
/root/runner-patis referenced inflake.nixbut there are no scripts or configurations managing its creation. - There are no references to
/root/.ssh/authorized_keysin the codebase, indicating it might not be managed correctly.
Please review and address these issues to ensure proper management of these files.
Analysis chain
Review the comprehensive plutus-bench configuration for potential security and maintainability issues.
Scripts Executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Verify the security of the SSH keys and the GitHub runner token file.
# Test: Check if the SSH keys and token file are securely managed.
cat /root/runner-pat
cat /root/.ssh/authorized_keys
Length of output: 163
Script:
#!/bin/bash
# Description: Search for the creation or management of the GitHub runner token file and SSH authorized keys within the codebase.
# Search for any references to the GitHub runner token file
rg '/root/runner-pat'
# Search for any references to the SSH authorized keys file
rg '/root/.ssh/authorized_keys'
Length of output: 111
Script:
#!/bin/bash
# Description: Search for the creation or management of the GitHub runner token file and SSH authorized keys within the codebase.
# Search for any scripts or configuration files that might create or manage the GitHub runner token file
rg 'runner-pat' --type sh --type nix
# Search for any scripts or configuration files that might create or manage the SSH authorized keys
rg 'authorized_keys' --type sh --type nix
Length of output: 136
There was a problem hiding this comment.
Actionable comments posted: 3
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (1)
- flake.nix (2 hunks)
Additional comments not posted (3)
flake.nix (3)
7-8: Updated URLs fordiskoandnixpkgsto point to new repositories.This change aligns with the PR objectives to update the source repositories for these components.
19-86: Introduced a comprehensive NixOS configuration forplutus-bench.This configuration includes various system settings and services necessary for the Plutus benchmarking environment.
76-76: Verify the security of the GitHub runner token file path.Ensure that the token file at
/root/runner-patis securely managed and not exposed to unauthorized access.
| "nodejs-16.20.2" | ||
| ]; |
There was a problem hiding this comment.
Review the necessity of using insecure package nodejs-16.20.2.
Using insecure packages can pose a security risk. Verify if this package is absolutely necessary and explore secure alternatives if possible.
| hetzner-dedicated.nic = { | ||
| ipv4 = "65.108.236.230"; | ||
| netmask4 = 26; | ||
| gateway4 = "65.108.236.193"; | ||
| ipv6 = "2a01:4f9:1a:b0de::2"; | ||
| netmask6 = 64; | ||
| mac = "a8:a1:59:a2:95:40"; |
There was a problem hiding this comment.
Consider externalizing hardcoded network settings.
Hardcoded IP and MAC addresses can lead to maintenance challenges. It would be beneficial to manage these settings externally, perhaps through environment variables or a configuration management system.
| users.users.root.openssh.authorizedKeys.keys = | ||
| [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/fJqgjwPG7b5SRPtCovFmtjmAksUSNg3xHWyqBM4Cs shlevy@shlevy-laptop" | ||
| "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbXkgUEf6TLnEWXwc5wjxhr45wKHJFEVIWIkz9E9ZrnZ4BfH6rI4+tiWn6QihpXnS7zwPqWgCaeLkWzHXwqFmHPzFv1PNVYT1BcuddRFceWcTNXxwJ2JTDXtadH5F/ZyDI2SRsbPfGa1iLca/ANUOQVb4yI3PSALD4BPd5G19mf/8HTZGL0wnYbq9JG7FHKG/8UheuoLf4En6Dk65JLTKvhdnASV5uMJOqmNaI3Q5v6YjVNokPLOqal/PN9/ERJ+jQIB65fFdSV4U55/jHFne1CdtEae77Qymi9JoLg1L4gbS9Dgmu09Asv4FB+jH4HQRUIkCKQig6Blp/HVrAPWVud2IgULgEqw/l07BBVThWbdmxd32YtAkhveNX6FHQO3Fhjk1J2wAXpOgZFVBiRbaCP9PyZe5yKK7crajnIAIzzOUv+SrHLvUN06wrAqUxCNJ8tnb/VZI0m2DXblKXfMxAQ/yoyjD8OlvlWz89MyPCiq4Ep9RbFWQw2YyW17JQp+U= renebarbosa@Renes-MacBook-Air.local" | ||
| "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHdILXJXPGYkjB8QbX246cRT9jLNZq0P8a9+r14Xm6pjX9r0Uj0o+b0zysZR+GcupwDZ9/GkGiKm5LfB9xgP48= shlevy@avp.shealevy.com" | ||
| "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWEZvh2alpzkTFXCcIbCFu+EJ5ARP0GBqbwYlhzhKof" | ||
| ]; |
There was a problem hiding this comment.
Move hardcoded SSH keys to secure storage.
Hardcoding SSH keys in the source code poses a security risk. Consider using a secure secrets management system to handle these keys.
Summary by CodeRabbit
New Features
plutus-benchconfiguration for enhanced benchmarking capabilities.plutus-benchmark.Updates
diskoandnixpkgsto improve package management and integration.