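{ config, lib, pkgs, secret, ... }:
let
  cfg = config.module.builder;

  # Where the server keeps its binary-cache signing key pair. It lives under
  # /root so only root (and the nix-daemon, which runs as root) can read it.
  serverKeyPath = "/root/.nixbuilder";

  # Pinned SSH host key of the builder, so clients never fall back to
  # trust-on-first-use. Obtain it with `ssh-keyscan -t ed25519 <host>` and
  # update this line whenever the server's host key is rotated.
  serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f";

  # Well-known signing key of the official NixOS binary cache. It is the NixOS
  # default for nix.settings.trusted-public-keys, which the client block below
  # overrides, so it has to be re-added explicitly. Verify it against
  # https://nixos.org/ if in doubt.
  nixosCachePublicKey = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=";
in
{
  options.module.builder = {
    server.enable = lib.mkEnableOption "the builder server.";
    client.enable = lib.mkEnableOption "the builder client.";
  };

  config = lib.mkMerge [
    # ------------------------------------------------------------------
    # Server: accepts remote builds over SSH and serves a signed store.
    # ------------------------------------------------------------------
    (lib.mkIf cfg.server.enable {
      # Generates the binary-cache signing key on first boot (no-op when the
      # private key already exists) and signs every path already in the store
      # with it, so clients that only trust this key can fetch pre-existing
      # paths.
      # Don't forget to copy the resulting public key
      # (${serverKeyPath}/public-key) into secret.ssh.builderKey for the clients;
      # secret.ssh.buildKeys is the unrelated list of client SSH keys below.
      systemd.services.generate-nix-cache-key = {
        wantedBy = [ "multi-user.target" ];
        # The key must exist before the daemon starts serving builds, otherwise
        # paths built in the meantime are registered without a signature.
        before = [ "nix-daemon.service" ];
        serviceConfig = { Type = "oneshot"; };
        path = [ pkgs.nix ];
        script = ''
          [[ -f "${serverKeyPath}/private-key" ]] && exit 0
          # Never let the private key or its directory become group/world
          # readable, whatever umask the service happens to inherit.
          umask 077
          mkdir -p -m 0700 "${serverKeyPath}"
          nix-store --generate-binary-cache-key "nixbuilder-1" \
            "${serverKeyPath}/private-key" "${serverKeyPath}/public-key"
          chmod 0600 "${serverKeyPath}/private-key"
          # One-time bulk signing of whatever is already in the store.
          nix store sign --all -k "${serverKeyPath}/private-key"
        '';
      };

      # Dedicated account the clients SSH into. Every key in
      # secret.ssh.buildKeys gets full remote-build access; see the
      # trusted-users note below for what that implies.
      users.groups.nixbuilder = { };
      users.users.nixbuilder = {
        createHome = lib.mkForce false;
        description = "Nix Remote Builder";
        group = "nixbuilder";
        home = "/";
        isNormalUser = true;
        openssh.authorizedKeys.keys = secret.ssh.buildKeys;
        uid = 1234;
      };

      nix.settings = {
        # Needed for ssh-ng remote builds (the client uploads unsigned
        # derivations and inputs), but note that the Nix manual describes
        # trusted-users as essentially equivalent to root on this host: anyone
        # holding a key in secret.ssh.buildKeys can inject arbitrary store
        # paths and override daemon settings. Keep that key list minimal and
        # rotate it when a client is decommissioned.
        trusted-users = [ "nixbuilder" ];
        # Sign paths built on this host so clients can verify them. Paths this
        # host itself substitutes from upstream caches are presumably not
        # re-signed with this key, which is why the client also trusts the
        # upstream cache key. To sign an existing store by hand:
        #   nix store sign --all -k ${serverKeyPath}/private-key
        secret-key-files = [ "${serverKeyPath}/private-key" ];
      };
    })

    # ------------------------------------------------------------------
    # Client: builds nothing locally, delegates everything to the builder.
    # ------------------------------------------------------------------
    (lib.mkIf cfg.client.enable {
      # NOTE: Requires the builder's binary-cache public key (the server's
      # ${serverKeyPath}/public-key) to be present in secret.ssh.builderKey,
      # and `nixbuilder` to be resolvable through root's SSH config to the
      # address pinned in knownHosts below (the daemon connects as root).
      nix = {
        distributedBuilds = true;
        buildMachines = [{
          hostName = "nixbuilder";
          maxJobs = 16;
          protocol = "ssh-ng";
          speedFactor = 2;
          mandatoryFeatures = [ ];
          systems = [ "aarch64-linux" "i686-linux" "x86_64-linux" ];
          supportedFeatures = [ "benchmark" "big-parallel" "kvm" "nixos-test" ];
        }];
        settings =
          let
            substituters = [ "ssh-ng://nixbuilder" ];
          in
          {
            builders-use-substitutes = true;
            # Never build locally; everything goes to the remote builder.
            max-jobs = 0;
            substituters = lib.mkForce substituters;
            trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
            # Setting trusted-public-keys replaces the NixOS default (which is
            # just the cache.nixos.org key), so the upstream key is listed
            # explicitly next to the builder's key. Do NOT work around
            # signature failures with `require-sigs = false`: that makes this
            # client accept any path the builder - or anyone who can reach it -
            # hands over.
            trusted-public-keys = [ secret.ssh.builderKey nixosCachePublicKey ];
          };
      };

      # Pin the builder's host key so the first connection is authenticated
      # rather than trusted on first use. Both the hostname and the [ip]:port
      # form are listed because ssh keys non-default ports that way.
      services.openssh.knownHosts.nixbuilder = {
        publicKey = serverSshPublicKey;
        extraHostNames = [ "[10.0.0.1]:22143" ];
      };
    })
  ];
}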