From 939414b564f7fe1db3ff2b160befb7a646c3cbc5 Mon Sep 17 00:00:00 2001
From: Dmitry Voronin
Date: Mon, 24 Jun 2024 17:53:37 +0300
Subject: [PATCH] ReboteBuild : Fix substitute issues to always prefer the builder.
---
 android/Nix.nix | 5 -----
 android/default.nix | 5 +++--
 module/RemoteBuild.nix | 18 +++++++++++-------
 module/RemoteBuilder.nix | 12 ++++++------
 module/common/Nix.nix | 28 +++++++++++++++-------------
 part/Secret.nix | 3 ++-
 6 files changed, 37 insertions(+), 34 deletions(-)
 delete mode 100644 android/Nix.nix
diff --git a/android/Nix.nix b/android/Nix.nix
deleted file mode 100644
index 0c87208..0000000
--- a/android/Nix.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }: {
- extraOptions = ''
- experimental-features = nix-command flakes
- '';
-}
diff --git a/android/default.nix b/android/default.nix
index 256795c..06387df 100644
--- a/android/default.nix
+++ b/android/default.nix
@@ -12,7 +12,6 @@
 # Android modules.
 environment = import ./Environment.nix args;
 git = import ./Git.nix args;
- nix = import ./Nix.nix args;
 package = import ./Package.nix args;
 termux = import ./Termux.nix args;
@@ -25,7 +24,9 @@ in {
 # Configure system.
 time.timeZone = const.timeZone;
- nix.extraOptions = nix.extraOptions;
+ nix.settings = {
+ experimental-features = [ "nix-command " "flakes" ];
+ };
 # Install packages.
 environment.packages = package.list;
diff --git a/module/RemoteBuild.nix b/module/RemoteBuild.nix
index 2b8bcda..f68bb1e 100644
--- a/module/RemoteBuild.nix
+++ b/module/RemoteBuild.nix
@@ -1,5 +1,5 @@
 # Module that enables remote builds. This is a client configuration.
-{ config, pkgs, ... }: {
+{ lib, secret, ... }: {
 # NOTE: Requires host private key to be present in secret.ssh.builderKeys.
 nix.buildMachines = [{
 hostName = "nixbuilder";
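Review bot: The first element of `experimental-features = [ "nix-command " "flakes" ];` in android/default.nix has a trailing space inside the string, and the same literal is repeated in the module/common/Nix.nix hunk. Nix most likely tolerates it once the list is written out space-separated, but the value no longer equals the feature name for anything that tests list membership, so both places should read `experimental-features = [ "nix-command" "flakes" ];`. It is also worth confirming that the Android module set accepts `nix.settings`, since the code it replaces went through `nix.extraOptions` there.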
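Review bot: The `# NOTE:` line kept as context under the new `{ lib, secret, ... }: {` header in module/RemoteBuild.nix still names `secret.ssh.builderKeys`, an attribute this commit renames, and it speaks of a private key where part/Secret.nix holds public ones. After the change the client reads the builder's signing public key from `secret.ssh.builderKey`, while the builder authorises client SSH public keys from `secret.ssh.buildKeys`, so the note could read `# NOTE: Requires this host's SSH public key in secret.ssh.buildKeys and the builder's signing key in secret.ssh.builderKey.` The reworded comment above `generate-nix-cache-key` in module/RemoteBuilder.nix has a related problem: judging by the service name it produces the signing key, which would belong in `builderKey` rather than `buildKeys`. The module body continues outside this hunk.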
@@ -15,10 +15,14 @@
 supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
 }];
 nix.distributedBuilds = true;
- nix.extraOptions = ''
- builders-use-substitutes = true
- extra-substituters = ssh-ng://nixbuilder
- extra-trusted-substituters = ssh-ng://nixbuilder
- extra-trusted-public-keys = nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
- '';
+ nix.settings = let
+ substituters = [ "ssh-ng://nixbuilder" ];
+ in {
+ substituters = lib.mkForce substituters;
+ trusted-substituters = lib.mkForce substituters;
+ builders-use-substitutes = true;
+ max-jobs = 0;
+ trusted-public-keys = [ secret.ssh.builderKey ];
+ # substitute = false;
+ };
 }
diff --git a/module/RemoteBuilder.nix b/module/RemoteBuilder.nix
index e9a2583..ea70ec7 100644
--- a/module/RemoteBuilder.nix
+++ b/module/RemoteBuilder.nix
@@ -3,7 +3,7 @@
 keyPath = "/root/.nixbuilder";
 in {
 # Service that generates new key on boot if not present.
- # Don't forget to add new key to secret.ssh.builderKeys.
+ # Don't forget to add new key to secret.ssh.buildKeys.
 systemd.services.generate-nix-cache-key = {
 wantedBy = [ "multi-user.target" ];
 serviceConfig.Type = "oneshot";
@@ -19,7 +19,7 @@ in {
 # Add `nixbuilder` restricted user.
 users.groups.nixbuilder = {};
 users.users.nixbuilder = {
- openssh.authorizedKeys.keys = secret.ssh.builderKeys;
+ openssh.authorizedKeys.keys = secret.ssh.buildKeys;
 description = "Nix Remote Builder";
 isNormalUser = true;
 createHome = lib.mkForce false;
@@ -30,8 +30,8 @@ in {
 # Sign store automatically.
 # Sign existing store with: nix store sign --all -k /path/to/secret-key-file
- nix.extraOptions = ''
- trusted-users = nixbuilder
- secret-key-files = ${keyPath}/private-key
- '';
+ nix.settings = {
+ trusted-users = [ "nixbuilder" ];
+ secret-key-files = [ "${keyPath}/private-key" ];
+ };
 }
diff --git a/module/common/Nix.nix b/module/common/Nix.nix
index 89dda2b..35fc546 100644
--- a/module/common/Nix.nix
+++ b/module/common/Nix.nix
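Review bot: With `substituters` and `trusted-substituters` forced to `ssh-ng://nixbuilder` and `max-jobs = 0`, this client can neither build locally nor fall back to another cache, so everything it installs depends on the builder being reachable and on the one signing key in `secret.ssh.builderKey`. That trust decision is undocumented and deserves a comment above `nix.settings`, e.g. `# All store paths come from nixbuilder: no local builds, no fallback cache.` `trusted-public-keys` is a plain list, so unlike the two forced lists it still merges with keys set by other modules; confirm whether that is intended or whether it needs `lib.mkForce` too, and say so in a comment. The commented-out `# substitute = false;` reads as a leftover experiment and should be removed or explained.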
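Review bot: `trusted-users = [ "nixbuilder" ];` in module/RemoteBuilder.nix has no comment stating what it grants: the account that every key in `secret.ssh.buildKeys` can log into becomes a trusted Nix user, which the Nix manual describes as essentially equivalent to root on that machine. Because this commit makes clients take all their substitutes from this host, the exposure now extends to every client, so record it next to the setting, e.g. `# nixbuilder is a trusted Nix user: holders of a buildKeys key are effectively root on the builder.` Whether remote builds still work for an untrusted user is not visible in this hunk, so treat dropping the setting as a follow-up to test, not a drop-in change.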
@@ -10,20 +10,22 @@
 # Allow installation of proprietary software.
 nixpkgs.config.allowUnfree = true;
- # Deduplicate store automatically. Slows down switches a bit, but saves space.
- nix.settings.auto-optimise-store = true;
+ nix.settings = {
+ # Deduplicate store automatically. Slows down switches a bit, but saves space.
+ auto-optimise-store = true;
- # Extra configuration line-by-line:
- # 1. Allow use of flakes.
- # 2. When running GC, keep .drv files.
- # 3. When running GC, keep build dependencies.
- # 4. Run GC automatically when there's a 50 GB or less free space.
- nix.extraOptions = ''
- experimental-features = nix-command flakes
- keep-derivations = true
- keep-outputs = true
- min-free = ${toString (50 * 1000 * 1000 * 1000)}
- '';
+ # Allow use of flakes.
+ experimental-features = [ "nix-command " "flakes" ];
+
+ # When running GC, keep .drv files.
+ keep-derivations = true;
+
+ # When running GC, keep build dependencies.
+ keep-outputs = true;
+
+ # Run GC automatically when there's a 50 GB or less free space.
+ min-free = 50 * 1000 * 1000 * 1000;
+ };
 # NOTE: Currently I run GC completely, but this setting (put above near min-free)
 # can stop GC when you hit 101 GB of free space available.
diff --git a/part/Secret.nix b/part/Secret.nix
index a540c6f..996f8df 100644
--- a/part/Secret.nix
+++ b/part/Secret.nix
@@ -10,7 +10,8 @@
 ];
 # Keys that are allowd to connect via SSH to nixbuild user for Nix remote builds.
- builderKeys = [
+ builderKey = "nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=";
+ buildKeys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
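Review bot: In part/Secret.nix, `builderKey` is inserted between the comment `# Keys that are allowd to connect via SSH ...` and the list that comment describes, so the comment now sits on a Nix store-signing public key instead of on the SSH keys. The two names differ by a few letters (`builderKey` / `buildKeys`) yet carry opposite trust directions: one is what clients trust, the other is who may log into the builder, so they are easy to swap in a later edit. Give each its own comment, e.g. `# Public key nixbuilder signs store paths with; clients list it in trusted-public-keys.` above `builderKey`, and move the existing SSH comment directly above `buildKeys`. The attribute set holding both starts outside this hunk.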