nix/config/RemoteBuild.nix

97 lines
2.8 KiB
Nix
Raw Normal View History

{
config,
lib,
pkgs,
secret,
...
}:
let
cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder";
serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
in
{
config = lib.mkMerge [
(lib.mkIf cfg.server.enable {
# Service that generates new key on boot if not present.
# Don't forget to add new public key to secret.ssh.buildKeys.
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
};
path = [ pkgs.nix ];
script = ''
[[ -f "${serverKeyPath}/private-key" ]] && exit
mkdir ${serverKeyPath} || true
nix-store --generate-binary-cache-key "nixbuilder-1" "${serverKeyPath}/private-key" "${serverKeyPath}/public-key"
nix store sign --all -k "${serverKeyPath}/private-key"
'';
};
2024-06-25 04:04:39 +03:00
# Add `nixbuilder` restricted user.
users.groups.nixbuilder = { };
users.users.nixbuilder = {
createHome = lib.mkForce false;
description = "Nix Remote Builder";
group = "nixbuilder";
home = "/";
isNormalUser = true;
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
uid = 1234;
};
2024-06-25 04:04:39 +03:00
# Sign store automatically.
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
nix.settings = {
trusted-users = [ "nixbuilder" ];
secret-key-files = [ "${serverKeyPath}/private-key" ];
};
})
2024-06-25 04:04:39 +03:00
(lib.mkIf cfg.client.enable {
# NOTE: Requires host public key to be present in secret.ssh.builderKeys.
nix = {
distributedBuilds = true;
buildMachines = [
{
hostName = "nixbuilder";
maxJobs = 16;
protocol = "ssh-ng";
speedFactor = 2;
mandatoryFeatures = [ ];
systems = [
"aarch64-linux"
"i686-linux"
"x86_64-linux"
];
supportedFeatures = [
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
}
];
settings =
let
substituters = [ "ssh-ng://nixbuilder" ];
in
{
builders-use-substitutes = true;
max-jobs = 0;
substituters = lib.mkForce substituters;
trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
trusted-public-keys = [ secret.ssh.builderKey ];
# require-sigs = false;
# substitute = false;
};
};
services.openssh.knownHosts.nixbuilder = {
publicKey = serverSshPublicKey;
extraHostNames = [ "[10.0.0.1]:22143" ];
};
})
];
2024-03-09 18:38:41 +03:00
}