ReboteBuild : Fix substitute issues to always prefer the builder.

2024-06-24 17:53:37 +03:00 · 2024-06-24 17:53:37 +03:00 · 939414b564
parent 2c6fa18226
commit 939414b564
6 changed files with 37 additions and 34 deletions
--- a/android/Nix.nix
+++ b/android/Nix.nix
@ -1,5 +0,0 @@
-{ ... }: {
-	extraOptions = ''
-		experimental-features = nix-command flakes
-	'';
-}
--- a/android/default.nix
+++ b/android/default.nix
@ -12,7 +12,6 @@
 	# Android modules.
 	environment = import ./Environment.nix args;
 	git         = import ./Git.nix         args;
-	nix         = import ./Nix.nix         args;
 	package     = import ./Package.nix     args;
 	termux      = import ./Termux.nix      args;

@ -25,7 +24,9 @@
 in {
 	# Configure system.
 	time.timeZone    = const.timeZone;
-	nix.extraOptions = nix.extraOptions;
+	nix.settings = {
+		experimental-features = [ "nix-command " "flakes" ];
+	};

 	# Install packages.
 	environment.packages = package.list;
--- a/module/RemoteBuild.nix
+++ b/module/RemoteBuild.nix
@ -1,5 +1,5 @@
 # Module that enables remote builds. This is a client configuration.
-{ config, pkgs, ... }: {
+{ lib, secret, ... }: {
 	# NOTE: Requires host private key to be present in secret.ssh.builderKeys.
 	nix.buildMachines = [{
 		hostName = "nixbuilder";
@ -15,10 +15,14 @@
 		supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
 	}];
 	nix.distributedBuilds = true;
-	nix.extraOptions = ''
-		builders-use-substitutes = true
-		extra-substituters = ssh-ng://nixbuilder
-		extra-trusted-substituters = ssh-ng://nixbuilder
-		extra-trusted-public-keys = nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=
-	'';
+	nix.settings = let
+		substituters = [ "ssh-ng://nixbuilder" ];
+	in {
+		substituters         = lib.mkForce substituters;
+		trusted-substituters = lib.mkForce substituters;
+		builders-use-substitutes = true;
+		max-jobs = 0;
+		trusted-public-keys = [ secret.ssh.builderKey ];
+		# substitute = false;
+	};
 }
--- a/module/RemoteBuilder.nix
+++ b/module/RemoteBuilder.nix
@ -3,7 +3,7 @@
 	keyPath = "/root/.nixbuilder";
 in {
 	# Service that generates new key on boot if not present.
-	# Don't forget to add new key to secret.ssh.builderKeys.
+	# Don't forget to add new key to secret.ssh.buildKeys.
 	systemd.services.generate-nix-cache-key = {
 		wantedBy = [ "multi-user.target" ];
 		serviceConfig.Type = "oneshot";
@ -19,7 +19,7 @@ in {
 	# Add `nixbuilder` restricted user.
 	users.groups.nixbuilder = {};
 	users.users.nixbuilder = {
-		openssh.authorizedKeys.keys = secret.ssh.builderKeys;
+		openssh.authorizedKeys.keys = secret.ssh.buildKeys;
 		description  = "Nix Remote Builder";
 		isNormalUser = true;
 		createHome   = lib.mkForce false;
@ -30,8 +30,8 @@ in {

 	# Sign store automatically.
 	# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
-	nix.extraOptions = ''
-		trusted-users = nixbuilder
-		secret-key-files = ${keyPath}/private-key
-	'';
+	nix.settings = {
+		trusted-users    = [ "nixbuilder" ];
+		secret-key-files = [ "${keyPath}/private-key" ];
+	};
 }
--- a/module/common/Nix.nix
+++ b/module/common/Nix.nix
@ -10,20 +10,22 @@
 	# Allow installation of proprietary software.
 	nixpkgs.config.allowUnfree = true;

+	nix.settings = {
 		# Deduplicate store automatically. Slows down switches a bit, but saves space.
-	nix.settings.auto-optimise-store = true;
+		auto-optimise-store = true;

-	# Extra configuration line-by-line:
-	# 1. Allow use of flakes.
-	# 2. When running GC, keep .drv files.
-	# 3. When running GC, keep build dependencies.
-	# 4. Run GC automatically when there's a 50 GB or less free space.
-	nix.extraOptions = ''
-		experimental-features = nix-command flakes
-		keep-derivations = true
-		keep-outputs = true
-		min-free = ${toString (50 * 1000 * 1000 * 1000)}
-	'';
+		# Allow use of flakes.
+		experimental-features = [ "nix-command " "flakes" ];
+
+		# When running GC, keep .drv files.
+		keep-derivations = true;
+
+		# When running GC, keep build dependencies.
+		keep-outputs = true;
+
+		# Run GC automatically when there's a 50 GB or less free space.
+		min-free = 50 * 1000 * 1000 * 1000;
+	};

 	# NOTE: Currently I run GC completely, but this setting (put above near min-free)
 	# can stop GC when you hit 101 GB of free space available.
--- a/part/Secret.nix
+++ b/part/Secret.nix
@ -10,7 +10,8 @@
 		];

 		# Keys that are allowd to connect via SSH to nixbuild user for Nix remote builds.
-		builderKeys = [
+		builderKey = "nixbuilder-1:Skghjixd8lPzNe2ZEgYLM9Pu/wF9wiZtZGsdm3bo9h0=";
+		buildKeys = [
 			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuuw5ek5wGB9KdBhCTxjV+CBpPU6RIOynHkFYC4dau3 root@dasha"
 			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
 			"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"