2024-10-11 23:27:07 +03:00
|
|
|
{
|
2024-12-18 09:40:11 +03:00
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
pkgs,
|
|
|
|
secret,
|
|
|
|
...
|
|
|
|
}:
|
|
|
|
let
|
|
|
|
cfg = config.module.builder;
|
|
|
|
serverKeyPath = "/root/.nixbuilder";
|
|
|
|
serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
|
|
|
|
in
|
|
|
|
{
|
|
|
|
config = lib.mkMerge [
|
|
|
|
(lib.mkIf cfg.server.enable {
|
|
|
|
# Service that generates new key on boot if not present.
|
|
|
|
# Don't forget to add new public key to secret.ssh.buildKeys.
|
|
|
|
systemd.services.generate-nix-cache-key = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
};
|
|
|
|
path = [ pkgs.nix ];
|
|
|
|
script = ''
|
|
|
|
[[ -f "${serverKeyPath}/private-key" ]] && exit
|
|
|
|
mkdir ${serverKeyPath} || true
|
|
|
|
nix-store --generate-binary-cache-key "nixbuilder-1" "${serverKeyPath}/private-key" "${serverKeyPath}/public-key"
|
|
|
|
nix store sign --all -k "${serverKeyPath}/private-key"
|
|
|
|
'';
|
|
|
|
};
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-12-18 09:40:11 +03:00
|
|
|
# Add `nixbuilder` restricted user.
|
|
|
|
users.groups.nixbuilder = { };
|
|
|
|
users.users.nixbuilder = {
|
|
|
|
createHome = lib.mkForce false;
|
|
|
|
description = "Nix Remote Builder";
|
|
|
|
group = "nixbuilder";
|
|
|
|
home = "/";
|
|
|
|
isNormalUser = true;
|
|
|
|
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
|
|
|
|
uid = 1234;
|
|
|
|
};
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-12-18 09:40:11 +03:00
|
|
|
# Sign store automatically.
|
|
|
|
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
|
|
|
|
nix.settings = {
|
|
|
|
trusted-users = [ "nixbuilder" ];
|
|
|
|
secret-key-files = [ "${serverKeyPath}/private-key" ];
|
|
|
|
};
|
|
|
|
})
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-12-18 09:40:11 +03:00
|
|
|
(lib.mkIf cfg.client.enable {
|
|
|
|
# NOTE: Requires host public key to be present in secret.ssh.builderKeys.
|
|
|
|
nix = {
|
|
|
|
distributedBuilds = true;
|
|
|
|
buildMachines = [
|
|
|
|
{
|
|
|
|
hostName = "nixbuilder";
|
|
|
|
maxJobs = 16;
|
|
|
|
protocol = "ssh-ng";
|
|
|
|
speedFactor = 2;
|
|
|
|
mandatoryFeatures = [ ];
|
|
|
|
systems = [
|
|
|
|
"aarch64-linux"
|
|
|
|
"i686-linux"
|
|
|
|
"x86_64-linux"
|
|
|
|
];
|
|
|
|
supportedFeatures = [
|
|
|
|
"benchmark"
|
|
|
|
"big-parallel"
|
|
|
|
"kvm"
|
|
|
|
"nixos-test"
|
|
|
|
];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
settings =
|
|
|
|
let
|
|
|
|
substituters = [ "ssh-ng://nixbuilder" ];
|
|
|
|
in
|
|
|
|
{
|
|
|
|
builders-use-substitutes = true;
|
|
|
|
max-jobs = 0;
|
|
|
|
substituters = lib.mkForce substituters;
|
|
|
|
trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
|
|
|
|
trusted-public-keys = [ secret.ssh.builderKey ];
|
|
|
|
# require-sigs = false;
|
|
|
|
# substitute = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
services.openssh.knownHosts.nixbuilder = {
|
|
|
|
publicKey = serverSshPublicKey;
|
|
|
|
extraHostNames = [ "[10.0.0.1]:22143" ];
|
|
|
|
};
|
|
|
|
})
|
|
|
|
];
|
2024-03-09 18:38:41 +03:00
|
|
|
}
|