Set up build farm (#3)

Reviewed-on: #3 Co-authored-by: Natsu Kagami <nki@nkagami.me> Co-committed-by: Natsu Kagami <nki@nkagami.me>
2024-08-19 14:04:52 +00:00 · 2024-08-19 14:04:52 +00:00 · bc4cfe7c69
commit bc4cfe7c69
parent 70ab3aa5b3
13 changed files with 162 additions and 25 deletions
--- a/modules/services/nix-build-farm/default.nix
+++ b/modules/services/nix-build-farm/default.nix
@ -0,0 +1,66 @@
+{ config, lib, ... }:
+with { inherit (lib) mkOption types mkIf; };
+let
+  cfg = config.services.nix-build-farm;
+  hosts = import ./hosts.nix;
+
+  build-user = "nix-builder";
+
+  isBuilder = host: host ? "builder";
+  allBuilders = lib.filterAttrs (_: isBuilder) hosts;
+in
+{
+  options.services.nix-build-farm = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to enable nix-build-farm as a client";
+    };
+    hostname = mkOption {
+      type = types.enum (builtins.attrNames hosts);
+      description = "The hostname as listed in ./hosts.nix file";
+    };
+    privateKeyFile = mkOption {
+      type = types.path;
+      description = "The path to the private SSH key file";
+    };
+
+    ipAddrs = mkOption {
+      type = types.str;
+      description = "The ip addresses to limit access to";
+      default = "11.0.0.*";
+    };
+  };
+
+  config = mkIf cfg.enable (
+    let
+      host = hosts.${cfg.hostname};
+      otherHosts = lib.filterAttrs (name: _: name != cfg.hostname) hosts;
+      otherBuilders = lib.filterAttrs (name: _: name != cfg.hostname) allBuilders;
+    in
+    {
+      nix.distributedBuilds = true;
+      nix.buildMachines = lib.mapAttrsToList
+        (name: host: {
+          hostName = host.host;
+          sshUser = build-user;
+          sshKey = cfg.privateKeyFile;
+        } // host.builder)
+        otherBuilders;
+
+      users = mkIf (isBuilder host) {
+        users.${build-user} = {
+          description = "Nix build farm user";
+          group = build-user;
+          isNormalUser = true;
+          openssh.authorizedKeys.keys = lib.mapAttrsToList (_: host: ''from="${cfg.ipAddrs}" ${host.pubKey}'') otherHosts;
+        };
+        groups.${build-user} = { };
+      };
+
+      nix.settings.trusted-users = mkIf (isBuilder host) [ build-user ];
+    }
+  );
+}
+
+
--- a/modules/services/nix-build-farm/hosts.nix
+++ b/modules/services/nix-build-farm/hosts.nix
@ -0,0 +1,37 @@
+{
+  cloud = {
+    host = "cloud.tinc";
+    pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE87ddj0fTH0NuvJz0dT5ln7v7zbafXqDVdM2A4ddOb0 root@nki-personal-do";
+  };
+
+  home = {
+    host = "home.tinc";
+    pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6N1uTxnbo73tyzD9X7d7OgPeoOpY7JmQaHASjSWFPI nki@kagamiPC";
+
+    builder = {
+      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUhiVTh2NlNBa0kyOTBCc1QzVG1IRVVJQWdXcVFyNm9jRmpjakRRczRoT2ggcm9vdEBrYWdhbWlQQwo=";
+      systems = [ "x86_64-linux" "aarch64-linux" ];
+      maxJobs = 16;
+      speedFactor = 2;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    };
+  };
+
+  yoga = {
+    host = "yoga.tinc";
+    pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6ZrO/xIdmwBCUx80cscBSpJBBTp55OHGrXYBGRXKAw nki@nki-yoga-g8";
+  };
+
+  framework = {
+    host = "framework.tinc";
+    pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/g472MaT7YySUhBjxClfmMjpn98qYnKXDKlzWHYwuO nki@nki-framework";
+
+    builder = {
+      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUdOUlBCVFRkNTVVMXY1U1Jac0FjYVdhS3JGZTY0ZjIxOVViODVTQ2NWd28gcm9vdEBua2ktZnJhbWV3b3JrCg==";
+      systems = [ "x86_64-linux" "aarch64-linux" ];
+      maxJobs = 16;
+      speedFactor = 3;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    };
+  };
+}
--- a/modules/services/nix-cache/default.nix
+++ b/modules/services/nix-cache/default.nix
@ -3,6 +3,8 @@
 with { inherit (lib) mkEnableOption mkOption types mkIf; };
 let
  cfg = config.nki.services.nix-cache;
+
+  bindAddr = "127.0.0.1:5000";
 in
 {
  options.nki.services.nix-cache = {
@ -31,18 +33,17 @@ in

  config = {
    nix.settings = mkIf cfg.enableClient {
-      substituters = [ "http://${cfg.host}" ];
+      substituters = lib.mkAfter [ "http://${cfg.host}" ];
      trusted-public-keys = [ cfg.publicKey ];
    };

-    services.nix-serve = mkIf cfg.enableServer {
+    services.harmonia = mkIf cfg.enableServer {
      enable = true;
-      secretKeyFile = cfg.privateKeyFile;
-    };
-
-    users = mkIf cfg.enableServer {
-      users.nix-serve = { group = "nix-serve"; isSystemUser = true; };
-      groups.nix-serve = { };
+      signKeyPath = cfg.privateKeyFile;
+      settings = {
+        bind = bindAddr;
+        priority = 45;
+      };
    };

    services.nginx = mkIf cfg.enableServer {
@ -51,7 +52,7 @@ in
      virtualHosts = {
        # ... existing hosts config etc. ...
        "${cfg.host}" = {
-          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+          locations."/".proxyPass = "http://${bindAddr}";
        };
      };
    };