2024-05-04 23:15:57 +03:00
|
|
|
# Module that enables remote builds. This is a server configuration.
|
2024-04-14 06:44:00 +03:00
|
|
|
{ pkgs, secret, lib, ... }: let
|
|
|
|
keyPath = "/root/.nixbuilder";
|
2024-03-10 07:54:10 +03:00
|
|
|
in {
|
2024-05-04 23:15:57 +03:00
|
|
|
# Service that generates new key on boot if not present.
|
2024-06-24 17:53:37 +03:00
|
|
|
# Don't forget to add new key to secret.ssh.buildKeys.
|
2024-03-10 07:54:10 +03:00
|
|
|
systemd.services.generate-nix-cache-key = {
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig.Type = "oneshot";
|
|
|
|
path = [ pkgs.nix ];
|
|
|
|
script = ''
|
|
|
|
[[ -f "${keyPath}/private-key" ]] && exit
|
|
|
|
mkdir ${keyPath} || true
|
2024-04-14 06:44:00 +03:00
|
|
|
nix-store --generate-binary-cache-key "nixbuilder-1" "${keyPath}/private-key" "${keyPath}/public-key"
|
2024-03-10 08:00:13 +03:00
|
|
|
nix store sign --all -k "${keyPath}/private-key"
|
2024-03-10 07:54:10 +03:00
|
|
|
'';
|
|
|
|
};
|
2024-04-14 06:44:00 +03:00
|
|
|
|
2024-05-04 23:15:57 +03:00
|
|
|
# Add `nixbuilder` restricted user.
|
2024-04-14 06:44:00 +03:00
|
|
|
users.groups.nixbuilder = {};
|
|
|
|
users.users.nixbuilder = {
|
2024-06-24 17:53:37 +03:00
|
|
|
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
|
2024-04-14 06:44:00 +03:00
|
|
|
description = "Nix Remote Builder";
|
|
|
|
isNormalUser = true;
|
|
|
|
createHome = lib.mkForce false;
|
|
|
|
uid = 1234;
|
|
|
|
home = "/";
|
|
|
|
group = "nixbuilder";
|
|
|
|
};
|
|
|
|
|
2024-05-04 23:15:57 +03:00
|
|
|
# Sign store automatically.
|
|
|
|
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
|
2024-06-24 17:53:37 +03:00
|
|
|
nix.settings = {
|
|
|
|
trusted-users = [ "nixbuilder" ];
|
|
|
|
secret-key-files = [ "${keyPath}/private-key" ];
|
|
|
|
};
|
2024-03-09 18:38:41 +03:00
|
|
|
}
|