diff --git a/common.nix b/common.nix
index cf401e1..d0173c7 100644
--- a/common.nix
+++ b/common.nix
@@ -14,6 +14,7 @@ with lib; { imports = [ # defaultShell ./modules/services/nix-cache + ./modules/services/nix-build-farm ]; ## Packages
diff --git a/modules/services/nix-build-farm/default.nix b/modules/services/nix-build-farm/default.nix
new file mode 100644
index 0000000..74ccbc0
--- /dev/null
+++ b/modules/services/nix-build-farm/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+with { inherit (lib) mkOption types mkIf; };
+let
+ cfg = config.services.nix-build-farm;
+ hosts = import ./hosts.nix;
+
+ build-user = "nix-builder";
+
+ isBuilder = host: host ? "builder";
+ allBuilders = lib.filterAttrs (_: isBuilder) hosts;
+in
+{
+ options.services.nix-build-farm = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to enable nix-build-farm as a client";
+ };
+ hostname = mkOption {
+ type = types.enum (builtins.attrNames hosts);
+ description = "The hostname as listed in ./hosts.nix file";
+ };
+ privateKeyFile = mkOption {
+ type = types.path;
+ description = "The path to the private SSH key file";
+ };
+ };
+
+ config = mkIf cfg.enable (
+ let
+ host = hosts.${cfg.hostname};
+ otherHosts = lib.filterAttrs (name: _: name != cfg.hostname) hosts;
+ otherBuilders = lib.filterAttrs (name: _: name != cfg.hostname) allBuilders;
+ in
+ {
+ nix.distributedBuilds = true;
+ nix.buildMachines = lib.mapAttrsToList
+ (name: host: {
+ hostName = host.host;
+ sshUser = build-user;
+ } // host.builder)
+ otherBuilders;
+
+ programs.ssh.extraConfig = (lib.concatStringsSep "\n" (lib.mapAttrsToList
+ (name: host: ''
+ Host ${name}
+ HostName ${host.host}
+ User ${build-user}
+ IdentitiesOnly yes
+ IdentityFile ${cfg.privateKeyFile}
+ '')
+ otherBuilders));
+
+ users = mkIf (isBuilder host) {
+ users.${build-user} = {
+ description = "Nix build farm user";
+ group = build-user;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = lib.mapAttrsToList (_: host: host.pubKey) otherHosts;
+ };
+ groups.${build-user} = { };
+ };
+ }
+ );
+}
+
+
diff --git a/modules/services/nix-build-farm/hosts.nix b/modules/services/nix-build-farm/hosts.nix
new file mode 100644
index 0000000..3b09874
--- /dev/null
+++ b/modules/services/nix-build-farm/hosts.nix
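Review bot: On a builder, the `nix-builder` account is created with `isNormalUser = true` and `openssh.authorizedKeys.keys` lists every other host's `pubKey` with no key options, so each client key grants a full interactive login (PTY, forwarding) rather than only what a remote build needs. Consider `isSystemUser = true;` together with `useDefaultShell = true;`, and prefixing the keys, e.g. `lib.mapAttrsToList (_: host: "restrict ${host.pubKey}") otherHosts`. Separately, the generated ssh block is keyed on `Host ${name}` while `nix.buildMachines` connects to `hostName = host.host`, so the `IdentityFile` line presumably never applies to build connections and the dedicated key goes unused. Adding `sshKey = cfg.privateKeyFile;` to each build machine entry would make that key the one the daemon presents.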
@@ -0,0 +1,19 @@
+{
+ home = {
+ host = "home.tinc";
+ pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6N1uTxnbo73tyzD9X7d7OgPeoOpY7JmQaHASjSWFPI nki@kagamiPC";
+
+ builder = {
+ publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUN5UUc3YWUrZEY3SWN0dVU3T3FnR3hqRlJydGpPaGpxSmF6UW5RUVlqbUQgcm9vdEBua2kteW9nYS1nOAo=";
+ systems = [ "x86_64-linux" "aarch64-linux" ];
+ maxJobs = 16;
+ speedFactor = 2;
+ supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ };
+ };
+
+ yoga = {
+ host = "yoga.tinc";
+ pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6ZrO/xIdmwBCUx80cscBSpJBBTp55OHGrXYBGRXKAw nki@nki-yoga-g8";
+ };
+}
diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix
index c57ff3f..c706384 100644
--- a/nki-home/configuration.nix
+++ b/nki-home/configuration.nix
@@ -38,6 +38,10 @@ with lib; privateKeyFile = config.sops.secrets."nix-cache/private-key".path; }; + sops.secrets."nix-build-farm/private-key" = { mode = "0400"; }; + services.nix-build-farm.hostname = "home"; + services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path; + # Networking common.linux.networking = {
diff --git a/nki-home/secrets.yaml b/nki-home/secrets.yaml
index a70a401..de69d63 100644
--- a/nki-home/secrets.yaml
+++ b/nki-home/secrets.yaml
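Review bot: The `publicHostKey` pinned for the `home` builder base64-decodes to an ssh-ed25519 key whose comment is `root@nki-yoga-g8`, which matches the `yoga` entry's machine name rather than `home` (whose client key is labelled `nki@kagamiPC`). Key comments are only informational, but if this value was taken from yoga rather than from home's SSH host key, the pin does not authenticate the machine it is meant to, and builds would either fail host verification or rely on some other trust path. It is worth confirming the value against home's `/etc/ssh/ssh_host_ed25519_key.pub` and recording its origin next to it, e.g. `# base64 of home's ssh_host_ed25519_key.pub`. A short comment that `pubKey` is the client key authorised on builders, while `publicHostKey` is the builder's own host key, would also help keep the two from being mixed up.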
@@ -15,6 +15,8 @@ peertube: dtth-key: ENC[AES256_GCM,data:Gu7qOisVBZrFXKBr51165FJ7Ej4hV+lIf3AMC02R3UFNXOnTHF2xC8E=,iv:F83FuD1VjZEJFMcx3gkQuKCpJmYdHtO15fRHkYdMxJM=,tag:ScH42Tr5ZsIo9JMnXhylSw==,type:str] nix-cache: private-key: ENC[AES256_GCM,data:4sbfIQb10Y50CrZbgjN+1iXEbXTpDqMbIB/yA3WlaAqhLtb8HKib5aZX3DLoxFbVihJcztQsvBBgEAhT9iMijoksaT9qzBQ5yIn4NGCfFem1DK8DQdjhTLMCVTyMFCT7hQHu/2Sd7w==,iv:zTSxuKOtOLekOBKBvl9MScD/Bo1Hviqq/n8Saa+1Cgo=,tag:fx73fCDPY9d07V3KKMw3DA==,type:str] +nix-build-farm: + private-key: ENC[AES256_GCM,data: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,iv:7KUWg7+GWgmGJkbIvsy9gtccZBb+1Y5uDWhXQFk0obk=,tag:qJdM684XPHxecLVxVb5pgw==,type:str] sops: kms: [] gcp_kms: [] @@ -48,8 +50,8 @@ sops: bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-16T12:16:41Z" - mac: ENC[AES256_GCM,data:x3zeCDljzyRpro4sem2pC33rFfm5jAjFhhX9JNlzLB6aNZ1TUv0qz4g7NhkWY23XNjJFmYqIW+pib97OVDd15kRojknM/UYCThW5oZDIWKn+TA9+bF9NGBjxP60t3n3dlU5VmgD8bgiApUS+XzHnJXuxhfiIHclvfxdLC33R7S4=,iv:str4fZX58mzFlD4rYaLmiCAeZmHIernG3636Tt+Rwgg=,tag:qS47OGc/o4/0Cj/V4e8dBg==,type:str] + lastmodified: "2024-08-16T13:59:20Z" + mac: ENC[AES256_GCM,data:ncT8fbtEb9ZcLcftXwgAKJRPPSG4TRHFMArtVgWNmIjDRcCNNT7ICa+9Dl8DAYKRJ+8pgelV9StIg2f7rvypHYlckontEP5nwSFzEApLItG3AZXewTC8VPoDYb4T8/OWKDoa5kBMvGrDr1bFP/CZz7H8No+k5TV7fVExsw0PHpg=,iv:vxbkeJtHkOAq7NcaZEIOMV3qGEqBUg/vpJYumBBfY70=,tag:T0yw2x1O5Tp0UllLpcFryg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0