# Module that enables remote builds. This is a server configuration.
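{ pkgs, secret, lib, ... }: let
  # Directory (root-only) that holds this builder's binary-cache signing key pair.
  keyPath = "/root/.nixbuilder";
in {
  # Service that generates a new key pair on boot if none is present.
  # Don't forget to add the new key to secret.ssh.buildKeys.
  #
  # NOTE(review): the key produced here is a Nix binary-cache *signing* key,
  # while secret.ssh.buildKeys is consumed below as SSH authorized keys; the
  # generated public key presumably belongs in the clients' trusted-public-keys
  # instead — confirm what the comment above intends.
  #
  # The script runs as root under NixOS' default `set -e`, so a failing step
  # fails the unit instead of being skipped silently.
  systemd.services.generate-nix-cache-key = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "oneshot";
    path = [ pkgs.nix ];
    script = ''
      # Nothing to do when a private key already exists.
      [[ -f "${keyPath}/private-key" ]] && exit 0

      # `mkdir -p` is idempotent. The previous `mkdir ... || true` also hid
      # real failures (permissions, a file in the way), which then surfaced
      # only as a confusing error from nix-store further down.
      mkdir -p "${keyPath}"
      chmod 0700 "${keyPath}"

      nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
      # Pin the private key's mode explicitly rather than relying on whatever
      # nix-store chose; only root must be able to read it.
      chmod 0600 "${keyPath}/private-key"

      # One-time signing of everything already in the store; paths built after
      # this are signed automatically via nix.settings.secret-key-files.
      nix store sign --all -k "${keyPath}/private-key"
    '';
  };

  # Add `nixbuilder` restricted user (the account clients SSH in as).
  users.groups.nixbuilder = {};
  users.users.nixbuilder = {
    openssh.authorizedKeys.keys = secret.ssh.buildKeys;
    description = "Nix Remote Builder";
    isNormalUser = true;
    # No home directory is created; home is set to "/" so the user still
    # resolves to a valid path. Presumably the account only needs SSH and
    # access to the Nix store — confirm nothing else expects a writable home.
    createHome = lib.mkForce false;
    uid = 1234;
    home = "/";
    group = "nixbuilder";
  };

  nix.settings = {
    # The remote user is trusted so clients can push closures into this store.
    # Per the Nix manual, a trusted user may override most daemon settings
    # (e.g. substituters) and import unsigned paths, which is essentially
    # root-equivalent on this host — so the SSH keys in secret.ssh.buildKeys
    # effectively grant root here and must be guarded accordingly.
    trusted-users = [ "nixbuilder" ];
    # Sign store automatically.
    # Sign existing store with: nix store sign --all -k /path/to/secret-key-file
    secret-key-files = [ "${keyPath}/private-key" ];
  };
}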