nix/module/RemoteBuild.nix
2024-11-06 01:07:30 +03:00

112 lines
2.7 KiB
Nix

{
config,
lib,
pkgs,
secret,
...
}: let
cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder";
serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
in {
options.module.builder = {
server.enable = lib.mkEnableOption "the builder server.";
client.enable = lib.mkEnableOption "the builder client.";
};
config = lib.mkMerge [
(lib.mkIf cfg.server.enable {
# Service that generates new key on boot if not present.
# Don't forget to add new public key to secret.ssh.buildKeys.
systemd.services.generate-nix-cache-key = {
wantedBy = [
"multi-user.target"
];
serviceConfig = {
Type = "oneshot";
};
path = [
pkgs.nix
];
script = ''
[[ -f "${serverKeyPath}/private-key" ]] && exit
mkdir ${serverKeyPath} || true
nix-store --generate-binary-cache-key "nixbuilder-1" "${serverKeyPath}/private-key" "${serverKeyPath}/public-key"
nix store sign --all -k "${serverKeyPath}/private-key"
'';
};
# Add `nixbuilder` restricted user.
users.groups.nixbuilder = { };
users.users.nixbuilder = {
createHome = lib.mkForce false;
description = "Nix Remote Builder";
group = "nixbuilder";
home = "/";
isNormalUser = true;
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
uid = 1234;
};
# Sign store automatically.
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
nix.settings = {
trusted-users = [
"nixbuilder"
];
secret-key-files = [
"${serverKeyPath}/private-key"
];
};
})
(lib.mkIf cfg.client.enable {
# NOTE: Requires host public key to be present in secret.ssh.builderKeys.
nix = {
distributedBuilds = true;
buildMachines = [{
hostName = "nixbuilder";
maxJobs = 16;
protocol = "ssh-ng";
speedFactor = 2;
mandatoryFeatures = [ ];
systems = [
"aarch64-linux"
"i686-linux"
"x86_64-linux"
];
supportedFeatures = [
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
}];
settings = let
substituters = [
"ssh-ng://nixbuilder"
];
in {
builders-use-substitutes = true;
max-jobs = 0;
substituters = lib.mkForce substituters;
trusted-substituters = substituters ++ [
"https://cache.nixos.org/"
];
trusted-public-keys = [
secret.ssh.builderKey
];
# require-sigs = false;
# substitute = false;
};
};
services.openssh.knownHosts.nixbuilder = {
publicKey = serverSshPublicKey;
extraHostNames = [
"[10.0.0.1]:22143"
];
};
})
];
}