RemoteBuilder : Add auto key gen.

Dmitry Voronin 2024-03-10 07:54:10 +03:00
parent 420663df78
commit 37b315f536
3 changed files with 15 additions and 12 deletions


@ -1,9 +0,0 @@
{ pkgs, ... }: {
services.nix-serve = {
enable = true;
bindAddress = "0.0.0.0";
package = pkgs.nix-serve-ng;
port = 5000;
secretKeyFile = "/root/.nixcache/secret-key-file"; # Generate with: nix-store --generate-binary-cache-key nixcache.voronind.com secret-key-file public-key-file
};
}


@ -17,6 +17,6 @@
builders-use-substitutes = true
extra-substituters = ssh-ng://home
extra-trusted-substituters = ssh-ng://home
extra-trusted-public-keys = nixcache.voronind.com:i9dE2VZI40/LCM/mmUGs8kwal1bQo3xbSjrzxhInmOw=
extra-trusted-public-keys = home-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
'';
}
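Review bot: The new `extra-trusted-public-keys = home-1:…` line pins a public key that, after this commit, the builder generates for itself at runtime under the name `"$HOSTNAME-1"`, and nothing on the page records where the pinned value came from. If `/root/.nixcache` is lost or the builder is renamed, the service would presumably produce a different key, and clients would stop accepting its signatures until this line is edited by hand. A comment above the line would make that dependency visible, for example `# contents of /root/.nixcache/public-key on the builder; update after the key is regenerated`. The enclosing option block starts outside the hunk.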


@ -1,6 +1,18 @@
{ ... }: {
{ pkgs, ... }: let
keyPath = "/root/.nixcache";
in {
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.nix ];
script = ''
[[ -f "${keyPath}/private-key" ]] && exit
mkdir ${keyPath} || true
nix-store --generate-binary-cache-key "$HOSTNAME-1" "${keyPath}/private-key" "${keyPath}/public-key"
'';
};
# To apply: nix store sign --all -k /path/to/secret-key-file
nix.extraOptions = ''
secret-key-files = /root/.nixcache/secret-key-file
secret-key-files = /root/.nixcache/private-key
'';
}
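Review bot: In the new `script`, `mkdir ${keyPath} || true` swallows every mkdir failure, not only "already exists", and leaves the mode of the directory holding the signing key to whatever umask the unit runs with. `mkdir -p -m 0700 "${keyPath}"` states the intended permissions, quotes the path, and still succeeds when the directory is already there. The unit also has no ordering against consumers of `secret-key-files`, so on a first boot something may read `/root/.nixcache/private-key` before it exists; it is worth confirming how Nix handles a missing key file, or adding `before = [ "nix-daemon.service" ];` if that ordering is wanted. The existing comment `# To apply: nix store sign --all -k /path/to/secret-key-file` could name the new `private-key` path.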