nix/module/RemoteBuild.nix

103 lines
3 KiB
Nix

{
pkgs,
lib,
config,
secret,
...
}:
with lib;
let
cfg = config.module.builder;
serverKeyPath = "/root/.nixbuilder";
serverSshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqr7zKGOy/2bbAQCD85Ol+NoGGtvdMbSy3jGb98jM+f"; # Use ssh-keyscan.
in
{
options = {
module.builder = {
server.enable = mkEnableOption "This is a builder server.";
client.enable = mkEnableOption "This is a builder client.";
};
};
config = mkMerge [
(mkIf cfg.server.enable {
# Service that generates new key on boot if not present.
# Don't forget to add new public key to secret.ssh.buildKeys.
systemd.services.generate-nix-cache-key = {
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.nix ];
script = ''
[[ -f "${serverKeyPath}/private-key" ]] && exit
mkdir ${serverKeyPath} || true
nix-store --generate-binary-cache-key "nixbuilder-1" "${serverKeyPath}/private-key" "${serverKeyPath}/public-key"
nix store sign --all -k "${serverKeyPath}/private-key"
'';
};
# Add `nixbuilder` restricted user.
users.groups.nixbuilder = { };
users.users.nixbuilder = {
openssh.authorizedKeys.keys = secret.ssh.buildKeys;
description = "Nix Remote Builder";
isNormalUser = true;
createHome = lib.mkForce false;
uid = 1234;
home = "/";
group = "nixbuilder";
};
# Sign store automatically.
# Sign existing store with: nix store sign --all -k /path/to/secret-key-file
nix.settings = {
trusted-users = [ "nixbuilder" ];
secret-key-files = [ "${serverKeyPath}/private-key" ];
};
})
(mkIf cfg.client.enable {
# NOTE: Requires host public key to be present in secret.ssh.builderKeys.
nix = {
distributedBuilds = true;
buildMachines = [
{
hostName = "nixbuilder";
protocol = "ssh-ng";
systems = [
"x86_64-linux"
"i686-linux"
"aarch64-linux"
];
maxJobs = 16;
speedFactor = 2;
mandatoryFeatures = [ ];
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
];
}
];
settings =
let
substituters = [ "ssh-ng://nixbuilder" ];
in
{
substituters = mkForce substituters;
trusted-substituters = substituters ++ [ "https://cache.nixos.org/" ];
builders-use-substitutes = true;
max-jobs = 0;
trusted-public-keys = [ secret.ssh.builderKey ];
# require-sigs = false;
# substitute = false;
};
};
services.openssh.knownHosts.nixbuilder = {
publicKey = serverSshPublicKey;
extraHostNames = [ "[10.0.0.1]:22143" ];
};
})
];
}