From bc4cfe7c691d05ff9111ddaf6baac8cd7ba1b062 Mon Sep 17 00:00:00 2001 From: Natsu Kagami Date: Mon, 19 Aug 2024 14:04:52 +0000 Subject: [PATCH] Set up build farm (#3) Reviewed-on: https://git.dtth.ch/nki/nix-home/pulls/3 Co-authored-by: Natsu Kagami Co-committed-by: Natsu Kagami --- common.nix | 1 + modules/services/nix-build-farm/default.nix | 66 +++++++++++++++++++++ modules/services/nix-build-farm/hosts.nix | 37 ++++++++++++ modules/services/nix-cache/default.nix | 19 +++--- nki-framework/configuration.nix | 4 ++ nki-framework/secrets.yaml | 6 +- nki-home/configuration.nix | 6 +- nki-home/secrets.yaml | 6 +- nki-personal-do/configuration.nix | 16 +++-- nki-personal-do/secrets/secrets.yaml | 8 ++- nki-yoga-g8/configuration.nix | 5 ++ nki-yoga-g8/secrets.yaml | 6 +- overlay.nix | 7 +++ 13 files changed, 162 insertions(+), 25 deletions(-) create mode 100644 modules/services/nix-build-farm/default.nix create mode 100644 modules/services/nix-build-farm/hosts.nix diff --git a/common.nix b/common.nix index cf401e1..d0173c7 100644 --- a/common.nix +++ b/common.nix @@ -14,6 +14,7 @@ with lib; { imports = [ # defaultShell ./modules/services/nix-cache + ./modules/services/nix-build-farm ]; ## Packages diff --git a/modules/services/nix-build-farm/default.nix b/modules/services/nix-build-farm/default.nix new file mode 100644 index 0000000..54b6559 --- /dev/null +++ b/modules/services/nix-build-farm/default.nix 
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+with { inherit (lib) mkOption types mkIf; };
+let
+ cfg = config.services.nix-build-farm;
+ hosts = import ./hosts.nix;
+
+ build-user = "nix-builder";
+
+ isBuilder = host: host ? "builder";
+ allBuilders = lib.filterAttrs (_: isBuilder) hosts;
+in
+{
+ options.services.nix-build-farm = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to enable nix-build-farm as a client";
+ };
+ hostname = mkOption {
+ type = types.enum (builtins.attrNames hosts);
+ description = "The hostname as listed in ./hosts.nix file";
+ };
+ privateKeyFile = mkOption {
+ type = types.path;
+ description = "The path to the private SSH key file";
+ };
+
+ ipAddrs = mkOption {
+ type = types.str;
+ description = "The ip addresses to limit access to";
+ default = "11.0.0.*";
+ };
+ };
+
+ config = mkIf cfg.enable (
+ let
+ host = hosts.${cfg.hostname};
+ otherHosts = lib.filterAttrs (name: _: name != cfg.hostname) hosts;
+ otherBuilders = lib.filterAttrs (name: _: name != cfg.hostname) allBuilders;
+ in
+ {
+ nix.distributedBuilds = true;
+ nix.buildMachines = lib.mapAttrsToList
+ (name: host: {
+ hostName = host.host;
+ sshUser = build-user;
+ sshKey = cfg.privateKeyFile;
+ } // host.builder)
+ otherBuilders;
+
+ users = mkIf (isBuilder host) {
+ users.${build-user} = {
+ description = "Nix build farm user";
+ group = build-user;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = lib.mapAttrsToList (_: host: ''from="${cfg.ipAddrs}" ${host.pubKey}'') otherHosts;
+ };
+ groups.${build-user} = { };
+ };
+
+ nix.settings.trusted-users = mkIf (isBuilder host) [ build-user ];
+ }
+ );
+}
+
+
diff --git a/modules/services/nix-build-farm/hosts.nix b/modules/services/nix-build-farm/hosts.nix
new file mode 100644
index 0000000..8271634
--- /dev/null
+++ b/modules/services/nix-build-farm/hosts.nix
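Review bot: In modules/services/nix-build-farm/default.nix, `nix.settings.trusted-users = mkIf (isBuilder host) [ build-user ]` together with `authorizedKeys.keys` built from `otherHosts` lets every host in hosts.nix, builder or not, act as a trusted Nix user on each builder, which is close to root there. One leaked client key therefore reaches all builders; if that trust is intended, a comment above the `users` block should say so, and if not, the usual alternative is to drop the trusted-users entry and have clients sign the paths they upload. The key line also leaves PTY allocation and port forwarding open for an account that only needs to run Nix, so I would narrow it to `''from="${cfg.ipAddrs}",restrict ${host.pubKey}''`. Note that `from=` filters on source address only and the default `11.0.0.*` is not a private range, so the restriction holds only while the overlay network is the sole path presenting those addresses.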
@@ -0,0 +1,37 @@ +{ + cloud = { + host = "cloud.tinc"; + pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE87ddj0fTH0NuvJz0dT5ln7v7zbafXqDVdM2A4ddOb0 root@nki-personal-do"; + }; + + home = { + host = "home.tinc"; + pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6N1uTxnbo73tyzD9X7d7OgPeoOpY7JmQaHASjSWFPI nki@kagamiPC"; + + builder = { + publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUhiVTh2NlNBa0kyOTBCc1QzVG1IRVVJQWdXcVFyNm9jRmpjakRRczRoT2ggcm9vdEBrYWdhbWlQQwo="; + systems = [ "x86_64-linux" "aarch64-linux" ]; + maxJobs = 16; + speedFactor = 2; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + }; + }; + + yoga = { + host = "yoga.tinc"; + pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6ZrO/xIdmwBCUx80cscBSpJBBTp55OHGrXYBGRXKAw nki@nki-yoga-g8"; + }; + + framework = { + host = "framework.tinc"; + pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/g472MaT7YySUhBjxClfmMjpn98qYnKXDKlzWHYwuO nki@nki-framework"; + + builder = { + publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUdOUlBCVFRkNTVVMXY1U1Jac0FjYVdhS3JGZTY0ZjIxOVViODVTQ2NWd28gcm9vdEBua2ktZnJhbWV3b3JrCg=="; + systems = [ "x86_64-linux" "aarch64-linux" ]; + maxJobs = 16; + speedFactor = 3; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + }; + }; +} diff --git a/modules/services/nix-cache/default.nix b/modules/services/nix-cache/default.nix index 218ad4f..cfec3c3 100644 --- a/modules/services/nix-cache/default.nix +++ b/modules/services/nix-cache/default.nix @@ -3,6 +3,8 @@ with { inherit (lib) mkEnableOption mkOption types mkIf; }; let cfg = config.nki.services.nix-cache; + + bindAddr = "127.0.0.1:5000"; in { options.nki.services.nix-cache = { 
@@ -31,18 +33,17 @@ in config = { nix.settings = mkIf cfg.enableClient { - substituters = [ "http://${cfg.host}" ]; + substituters = lib.mkAfter [ "http://${cfg.host}" ]; trusted-public-keys = [ cfg.publicKey ]; }; - services.nix-serve = mkIf cfg.enableServer { + services.harmonia = mkIf cfg.enableServer { enable = true; - secretKeyFile = cfg.privateKeyFile; - }; - - users = mkIf cfg.enableServer { - users.nix-serve = { group = "nix-serve"; isSystemUser = true; }; - groups.nix-serve = { }; + signKeyPath = cfg.privateKeyFile; + settings = { + bind = bindAddr; + priority = 45; + }; }; services.nginx = mkIf cfg.enableServer { @@ -51,7 +52,7 @@ in virtualHosts = { # ... existing hosts config etc. ... "${cfg.host}" = { - locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + locations."/".proxyPass = "http://${bindAddr}"; }; }; }; diff --git a/nki-framework/configuration.nix b/nki-framework/configuration.nix index ea7ada1..4f6e5c3 100644 --- a/nki-framework/configuration.nix +++ b/nki-framework/configuration.nix @@ -21,6 +21,10 @@ common.linux.sops.enable = true; common.linux.sops.file = ./secrets.yaml; + sops.secrets."nix-build-farm/private-key" = { mode = "0400"; }; + services.nix-build-farm.hostname = "framework"; + services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path; + # services.xserver.enable = true; # services.xserver.displayManager.sddm.enable = true; # services.xserver.displayManager.sddm.wayland.enable = true; diff --git a/nki-framework/secrets.yaml b/nki-framework/secrets.yaml index f14c729..942e29b 100644 --- a/nki-framework/secrets.yaml +++ b/nki-framework/secrets.yaml 
@@ -1,4 +1,6 @@ tinc-private-key: ENC[AES256_GCM,data:cKtOFrF5FRSHWxe/QxH5O9GAba1WcWeCwW1IOzmbgdtFufRoWbCtYeaLP+WQhQ70z6xobiY9DN8Jrh7mDptKSsfKrrx2SH5JrdpsoINhLMbetXq7E29+q6CkS8NlLgE/KyV8eFjQySNsYiA/+Efq9xj9e1wOmHBDsND/jgiJDkA1qsEIFZg/vuv8LdoRY3TV/oKJ4pao9+70G4H+8Ef1sMZHGNe9qJ94Wa71nNX2fTSjKH5YBbRijMAePWr/IeCpZ9Phs7RqjBs=,iv:l0iB136X7nLVblQjFi7K4f42JKSxdsiLIRy5GPzK1nc=,tag:HAgkvWkl0Rx62ejGZckdKA==,type:str] +nix-build-farm: + private-key: ENC[AES256_GCM,data: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,iv:TeSxlVc0WlOMMUtv/uq3f7JvW/kNCM7LjguhZxL51a4=,tag:m1iuk4pAX/yugM0ObzkJHQ==,type:str] sops: kms: [] gcp_kms: [] @@ -23,8 +25,8 @@ sops: TDZnVjBaVzZBem5lZDB1MW4xQ0RmZ28K6d7mF+f3ZyilXlSIQGT2pBrTWuYLccE1 rYIJjHjFft/2wPX2gAW9VTiwfMT3lKJhJRqNdoie5phV5BZhkb3D9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-15T16:27:40Z" - mac: ENC[AES256_GCM,data:T1dTmWEY1c5QFzROnzFc1/dnfXN96B/OisPObZiwXQLHeh29AWjfqpd6eoYdAZW1Iipih7Nn1VUMxkf5xDuWziDrJhun2PaU3UOg/U6VrRIScnySV/VTQGyaJLJZuJmvgvyAV+G8KqxC4Biv7k0PBSZn6uvTg36D4f+IfItReE8=,iv:dgiDux8AxbWFtTd2jzd+XJ0eBMALcI8moDUDlgdnBiE=,tag:cYzL71xT8DBMn9j4pPUBpA==,type:str] + lastmodified: "2024-08-17T14:58:10Z" + mac: ENC[AES256_GCM,data:ZCrzXDttLxYUvdLiqM5I17Ys6O3zoOVKq8xP78VaLb3AAoV4RGGQxixKVQ6K9h84e8bFymh512BR7xKa9fqebxTyL1XCqPkRaSZy0aWjbc6QCaK+JD4yqivgO/x5x2xgMpX/ZhPFzKNLpMga61bnm6plvF8ocG+wOqYvj3vL0Ss=,iv:QZ8YJD7h2QD2jqVKo4bg0rwpZSTyyNw6zZDcBfClKPo=,tag:PH2XnTqxV2irymg2+Z+Egg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix index c57ff3f..1c0112c 100644 --- a/nki-home/configuration.nix +++ b/nki-home/configuration.nix 
@@ -32,12 +32,16 @@ with lib; common.linux.sops.file = ./secrets.yaml; # Nix cache server - sops.secrets."nix-cache/private-key" = { owner = "nix-serve"; group = "nix-serve"; mode = "0600"; }; + sops.secrets."nix-cache/private-key" = { owner = "harmonia"; group = "harmonia"; mode = "0600"; }; nki.services.nix-cache = { enableServer = true; privateKeyFile = config.sops.secrets."nix-cache/private-key".path; }; + sops.secrets."nix-build-farm/private-key" = { mode = "0400"; }; + services.nix-build-farm.hostname = "home"; + services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path; + # Networking common.linux.networking = { diff --git a/nki-home/secrets.yaml b/nki-home/secrets.yaml index a70a401..de69d63 100644 --- a/nki-home/secrets.yaml +++ b/nki-home/secrets.yaml @@ -15,6 +15,8 @@ peertube: dtth-key: ENC[AES256_GCM,data:Gu7qOisVBZrFXKBr51165FJ7Ej4hV+lIf3AMC02R3UFNXOnTHF2xC8E=,iv:F83FuD1VjZEJFMcx3gkQuKCpJmYdHtO15fRHkYdMxJM=,tag:ScH42Tr5ZsIo9JMnXhylSw==,type:str] nix-cache: private-key: ENC[AES256_GCM,data:4sbfIQb10Y50CrZbgjN+1iXEbXTpDqMbIB/yA3WlaAqhLtb8HKib5aZX3DLoxFbVihJcztQsvBBgEAhT9iMijoksaT9qzBQ5yIn4NGCfFem1DK8DQdjhTLMCVTyMFCT7hQHu/2Sd7w==,iv:zTSxuKOtOLekOBKBvl9MScD/Bo1Hviqq/n8Saa+1Cgo=,tag:fx73fCDPY9d07V3KKMw3DA==,type:str] +nix-build-farm: + private-key: ENC[AES256_GCM,data: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,iv:7KUWg7+GWgmGJkbIvsy9gtccZBb+1Y5uDWhXQFk0obk=,tag:qJdM684XPHxecLVxVb5pgw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -48,8 +50,8 @@ sops: bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-16T12:16:41Z" - mac: ENC[AES256_GCM,data:x3zeCDljzyRpro4sem2pC33rFfm5jAjFhhX9JNlzLB6aNZ1TUv0qz4g7NhkWY23XNjJFmYqIW+pib97OVDd15kRojknM/UYCThW5oZDIWKn+TA9+bF9NGBjxP60t3n3dlU5VmgD8bgiApUS+XzHnJXuxhfiIHclvfxdLC33R7S4=,iv:str4fZX58mzFlD4rYaLmiCAeZmHIernG3636Tt+Rwgg=,tag:qS47OGc/o4/0Cj/V4e8dBg==,type:str] + lastmodified: "2024-08-16T13:59:20Z" + mac: ENC[AES256_GCM,data:ncT8fbtEb9ZcLcftXwgAKJRPPSG4TRHFMArtVgWNmIjDRcCNNT7ICa+9Dl8DAYKRJ+8pgelV9StIg2f7rvypHYlckontEP5nwSFzEApLItG3AZXewTC8VPoDYb4T8/OWKDoa5kBMvGrDr1bFP/CZz7H8No+k5TV7fVExsw0PHpg=,iv:vxbkeJtHkOAq7NcaZEIOMV3qGEqBUg/vpJYumBBfY70=,tag:T0yw2x1O5Tp0UllLpcFryg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix index 1e2b881..8d65ae4 100644 --- a/nki-personal-do/configuration.nix +++ b/nki-personal-do/configuration.nix @@ -12,6 +12,9 @@ ../modules/cloud/conduit ../modules/cloud/gotosocial + # Encrypted DNS + ../modules/services/edns + ./headscale.nix ./gitea.nix ./miniflux.nix @@ -57,18 +60,15 @@ services.do-agent.enable = true; - system.autoUpgrade = { - enable = true; - allowReboot = true; - flake = "github:natsukagami/nix-home#nki-personal-do"; - }; - nix = { extraOptions = '' experimental-features = nix-command flakes ''; }; + nki.services.edns.enable = true; + nki.services.edns.ipv6 = true; + # Secret management sops.defaultSopsFile = ./secrets/secrets.yaml; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 
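Review bot: The `@@ -57,18 +60,15 @@` hunk of nki-personal-do/configuration.nix removes `system.autoUpgrade` without a mention in the commit message, and nothing visible in the hunk replaces it. On a host that also runs traefik, gitea and headscale, this means patch cadence now depends on manual deploys, unless an update path exists outside the lines shown. If the removal is deliberate, record the reason next to the `nix = { ... }` block, for example `# autoUpgrade dropped: host is deployed from <DEPLOY_MECHANISM>` (placeholder), or move the change to its own commit. The module body starts and ends outside this hunk.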
@@ -81,6 +81,10 @@ services.my-tinc.rsaPrivateKey = config.sops.secrets."tinc/rsa-private-key".path; services.my-tinc.ed25519PrivateKey = config.sops.secrets."tinc/ed25519-private-key".path; + sops.secrets."nix-build-farm/private-key" = { mode = "0400"; }; + services.nix-build-farm.hostname = "home"; + services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path; + # Set up traefik sops.secrets.cloudflare-dns-api-token = { owner = "traefik"; }; sops.secrets.traefik-dashboard-users = { owner = "traefik"; }; diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml index 374f850..43e4aa3 100644 --- a/nki-personal-do/secrets/secrets.yaml +++ b/nki-personal-do/secrets/secrets.yaml @@ -40,6 +40,8 @@ invidious: ENC[AES256_GCM,data:pCRlBaHRJyOHj2t04V6DkGVAPuAc8hz+Sn24nQ3IvcXNIdaYi invidious-rotator-env: ENC[AES256_GCM,data:Q5c/sga+Nn0C7bKkTphob3tWNvKE1Zz0CIbXIayc73cfEsUgOIZdrm8BlAW7,iv:f0ccZsjNJ9UQCcfN/lZQdtxSg9ADFuykb8qw07c1xFI=,tag:4mUzgOHOE16FPhSTlbx+Rw==,type:str] peertube: ENC[AES256_GCM,data:YWySVZVTC26qPMcgSV5v4Vp1u69jGt7VV2ElQBSxvG/R589PCJRDgBqjjLBLMrrnP/wo6o6xNoyLCSfzMQYoFnM=,iv:97gNEJ84u4Mt5GTlVV29MNHUHQRkaMK47ULNUx+HTUE=,tag:LGVWeaTaSQ3GgaIpav66EA==,type:str] peertube-env: ENC[AES256_GCM,data:ZrWBwSfMuepIYTzHVCCSnpsXb+MTcOfklI0O/UdcGaR3RzO1R+/wXQcFlV46g9dvKLMOaH7bxrHeWxqPh/7hlPEYFYwlbwcX31MGiSeRyeR5YtVi0CmhiGRA3l8X5NMCpvZmNhnjYNuri/My86SMkjhuaFQ5+BjYISoJ5WnbNSqE9qgQKuJVu64hsOgaQQbmaBL/LU7Pv/vushbNg421kdbRnzCPcc3IzkVzsFsgYH2fdEJa3gE8M63eLn99PbA+e5cWEwGNkuoNuro2tnaMaX1PM6iTF+q0A8HbiEioNMRIdD9czatgF7EwKgCFNu44cm2lp/c5qj+Lm/nC,iv:+MjpreGr9M+Oe5DrDe5SIBKtLuIqtb0a50YvGhDZT2Y=,tag:gYGlMcgWwa1ZpbQb4XfMmQ==,type:str] +nix-build-farm: + private-key: ENC[AES256_GCM,data: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,iv:7Uqnu2xEcHotczRzIcDfq9bM7wNXdz0Fg2HNpxlV1/Q=,tag:w5aLsT9LN92+83rdP2YJTg==,type:str] sops: kms: [] gcp_kms: [] 
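Review bot: `services.nix-build-farm.hostname = "home";` in nki-personal-do/configuration.nix looks copied from nki-home; hosts.nix lists this machine as `cloud`, whose pubKey comment is `root@nki-personal-do`. With `home` selected, `isBuilder host` evaluates true, so this cloud host would create the `nix-builder` account, add it to `trusted-users` and accept the other hosts' keys, while leaving `home.tinc` out of its own `nix.buildMachines`. The line should read `services.nix-build-farm.hostname = "cloud";`. The surrounding attribute set continues outside the hunk.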
@@ -73,8 +75,8 @@ sops: by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-11T20:55:31Z" - mac: ENC[AES256_GCM,data:IdpNGX3E2TwGnmHhc7HXPjBEaYC7jO1dnEHQGoVra+scnKO66nt6uD2wK91G2wvdp2ekkR4qnF9/NYbpOt2vbzyaZG0xMHTr1w1Y5oqxzbTUned9sWjpsL2lCHpg4FQ+dImim05N76Qcna7gC5Y9wyh78/eB177SJ5mTEnyZhwE=,iv:3kjluCoHIMEQOTuDJbQZJWl3BLWzp/UqcC8jmlkVyDE=,tag:nmqkhmqXKB5/LKX7RpQB6g==,type:str] + lastmodified: "2024-08-17T15:08:31Z" + mac: ENC[AES256_GCM,data:ejelcIHDYd7zbIJVw62fj4EcgR8ln/jm32QlaE7shYHwt9nJEsV0aWy9rqEjAm8Z0z3ruT4hR9M7aFkNICR9W20r54V0aRfJsp0txe9LeisAE4gXmVo3/+6pBGOUQNtFO+WaLqDwAGNvfr7IlQFXJyrkuOGe+HGVkhlx+UHxRDI=,iv:pI2xAfhajEWt4RjL2Cu3QPX8bgJn1/ew8ldz8E5Jej8=,tag:KJoia8X/FpaSbuXSDOjQAQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/nki-yoga-g8/configuration.nix b/nki-yoga-g8/configuration.nix index 2a8bcd7..672292f 100644 --- a/nki-yoga-g8/configuration.nix +++ b/nki-yoga-g8/configuration.nix @@ -19,6 +19,11 @@ common.linux.sops.enable = true; common.linux.sops.file = ./secrets.yaml; + # Build farm + sops.secrets."nix-build-farm/private-key" = { mode = "0400"; }; + services.nix-build-farm.hostname = "yoga"; + services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path; + ## tinc sops.secrets."tinc-private-key" = { }; services.my-tinc = { diff --git a/nki-yoga-g8/secrets.yaml b/nki-yoga-g8/secrets.yaml index 40f588c..521434f 100644 --- a/nki-yoga-g8/secrets.yaml +++ b/nki-yoga-g8/secrets.yaml 
@@ -1,4 +1,6 @@ tinc-private-key: ENC[AES256_GCM,data:lzmisexQPfRlIMGqbmb+uqGtOPceQ3CJGlVOeOC6nbP/IDwkufSWtxugYmUwi9IJKwO0mldijiKWuG3p9005H++8567hhPy/bU7fA4vyVC+3UVGW6l0mE+yKQXTyI7kzxkXMCK5a4Q4rUJj544vU6pt75/mytfg+Cox2woGZAHZvJ/pRuHDe2t3R6w3EYYTu6x1w5azGnFvCOVdR6XPsGJA2p3oRnEpz64L7KD2QOdtm0YsfMnorH9FbvkZgNr927VbRnBRJ1QM=,iv:4K4w6ruQxtRGjmFnWszlXZKp36TuTTnrB0sDEE/tmrM=,tag:NBP897Sw84bvZTvo/+fVfA==,type:str] +nix-build-farm: + private-key: ENC[AES256_GCM,data:etqFl2T2atN2djxqktFRtrTGqsC61A+ZUd2yS0PLm5KPO2s2/k6XqQGac9rUWP86C1YGpTJhUMzYuOPGW4yNc0YmoeHVslxBR7nX8pubXabZNdB2YMm/yAgsdeeflo4slbxJ6+00eH0iCrtWcHtWbZafHnxojborZABOvCsODdx/ahJ4J9aHqf22cAqe9iJY3L0TgE+iazKS8OO+C/PTaQiV02NZjP8GajRMXzPVoYT7wz3u0t0q0m/t8FkhMIDl9QKL+kFUDeLEGoCBzR57JXLZiW1gJsRxbkP8hVIB3s4TQnhasxqQQlCJuqBSNFl/cGdBm/ADm/yi78VHQG7rUxUrFVDL4Aoidjp6GyoojLIEpdQjtlvC7RCLNpTibV6B71EB3obpjMmmIwfoDLT4jEWhXNx3b8DnMoa0Qh4ba+HBJf+XKA93B0qOJWwJzj4qH9uqBK3xPOGTkqQMmd9M1HYrStTcI/JUX0WvEMwk8xI8MZN/TsLij4w5i6NCwSqa8Dn2lyLK0BGp5C8RT8R4k6U2ieyY6lmxsGIe,iv:703rM/FQz65upd1JWTHNsjAXh2BeoknkALShKuHUsis=,tag:yAB6KJqpm1mOFT5GzKRPBw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +25,8 @@ sops: eitNc1E2SzY5bkUxNWtNczRsWWJaU2MKUIu9GT7zu0MvvnXxiQfLW9pQcxFKOwPm VRU2k3XQkYjSDZX29DxrOzaPS/L3OYNyBYMyOW8GyMa2V12lMH6lPQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-23T16:24:43Z" - mac: ENC[AES256_GCM,data:YTPZCX2Nkws0EJB/+PJVCYlKN0BoWqDRIH5QfhB7ayQ42tkUlz60Bt1ksbEMNtz2RS4sJSp4dlihTBLO4gRHbeMZf40f+j42Td4Dj0etqOkaspR5q5mE1XR8ml7QRzALEq5SHRi13szfO4BHaaFsSHTyFgKxA4uDzZ4JnBoxjAQ=,iv:KuO4rhO9vH+HqcgqTvOYBayitFzLhm4CQRTyzIplKnM=,tag:G/qgcxZoc89etzkUnkw02Q==,type:str] + lastmodified: "2024-08-16T14:17:07Z" + mac: ENC[AES256_GCM,data:qrMyVDLhtK4URqrHFBx+08PMrFyfib4iH0y7iAeVB/oFGazjm3O5MeS9fNYJeONghuelux69nh2FRfSJHG/moEBcWlL68R4xbCb4he528P+n7mQnR54BNFJdT2oOra4bqO9n/4m2UA8jmA0veoqSrZUVjnmjftqOedjnRESY1L8=,iv:jql79ItwPcJg/nnbsUywOzWz/UJy0ZpY04pvEF290c4=,tag:XKrToym2dXdippnivoK1/Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/overlay.nix b/overlay.nix index c953867..7a806ff 100644 --- a/overlay.nix +++ b/overlay.nix @@ -120,6 +120,13 @@ let # Use stable delta compiled with old Rust version delta = final.stable.delta; deepfilternet = final.stable.deepfilternet; + harmonia = final.callPackage + (import + (builtins.fetchurl { + url = "https://raw.githubusercontent.com/Mic92/nixpkgs/63f91202f5cd071187ede5e5ffc56003cb442876/pkgs/by-name/ha/harmonia/package.nix"; + sha256 = "1mz211c0bxn116ix0j5xx4wlglpbkfg7d3npw1z8hg9gc0vbj2xb"; + })) + { }; }; in [
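Review bot: The `harmonia` override in overlay.nix imports a `package.nix` fetched from a personal nixpkgs fork, with no comment saying why or for how long. The commit hash in the URL and the `sha256` pin the fetched content, but the expression is built with this repository's `final.callPackage`, so it can drift from the `services.harmonia` module that modules/services/nix-cache/default.nix configures. I would add a comment above it such as `# harmonia pinned from Mic92/nixpkgs@63f91202; drop once our nixpkgs ships this version`, adjusted to the real reason. The enclosing attribute set starts outside the hunk.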