common.nix

@@ -14,6 +14,7 @@ with lib; {
   imports = [
     # defaultShell
     ./modules/services/nix-cache
+    ./modules/services/nix-build-farm
   ];
 
   ## Packages

modules/services/nix-build-farm/default.nix

@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+with { inherit (lib) mkOption types mkIf; };
+let
+  cfg = config.services.nix-build-farm;
+  hosts = import ./hosts.nix;
+
+  build-user = "nix-builder";
+
+  isBuilder = host: host ? "builder";
+  allBuilders = lib.filterAttrs (_: isBuilder) hosts;
+in
+{
+  options.services.nix-build-farm = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Whether to enable nix-build-farm as a client";
+    };
+    hostname = mkOption {
+      type = types.enum (builtins.attrNames hosts);
+      description = "The hostname as listed in ./hosts.nix file";
+    };
+    privateKeyFile = mkOption {
+      type = types.path;
+      description = "The path to the private SSH key file";
+    };
+  };
+
+  config = mkIf cfg.enable (
+    let
+      host = hosts.${cfg.hostname};
+      otherHosts = lib.filterAttrs (name: _: name != cfg.hostname) hosts;
+      otherBuilders = lib.filterAttrs (name: _: name != cfg.hostname) allBuilders;
+    in
+    {
+      nix.distributedBuilds = true;
+      nix.buildMachines = lib.mapAttrsToList
+        (name: host: {
+          hostName = host.host;
+          sshUser = build-user;
+        } // host.builder)
+        otherBuilders;
+
+      programs.ssh.extraConfig = (lib.concatStringsSep "\n" (lib.mapAttrsToList
+        (name: host: ''
+          Host ${name}
+            HostName ${host.host}
+            User ${build-user}
+            IdentitiesOnly yes
+            IdentityFile ${cfg.privateKeyFile}
+        '')
+        otherBuilders));
+
+      users = mkIf (isBuilder host) {
+        users.${build-user} = {
+          description = "Nix build farm user";
+          group = build-user;
+          isNormalUser = true;
+          openssh.authorizedKeys.keys = lib.mapAttrsToList (_: host: host.pubKey) otherHosts;
+        };
+        groups.${build-user} = { };
+      };
+    }
+  );
+}
+
+

modules/services/nix-build-farm/hosts.nix

@@ -0,0 +1,19 @@
+{
+  home = {
+    host = "home.tinc";
+    pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6N1uTxnbo73tyzD9X7d7OgPeoOpY7JmQaHASjSWFPI nki@kagamiPC";
+
+    builder = {
+      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUN5UUc3YWUrZEY3SWN0dVU3T3FnR3hqRlJydGpPaGpxSmF6UW5RUVlqbUQgcm9vdEBua2kteW9nYS1nOAo=";
+      systems = [ "x86_64-linux" "aarch64-linux" ];
+      maxJobs = 16;
+      speedFactor = 2;
+      supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    };
+  };
+
+  yoga = {
+    host = "yoga.tinc";
+    pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE6ZrO/xIdmwBCUx80cscBSpJBBTp55OHGrXYBGRXKAw nki@nki-yoga-g8";
+  };
+}

nki-home/configuration.nix

@@ -38,6 +38,10 @@ with lib;
     privateKeyFile = config.sops.secrets."nix-cache/private-key".path;
   };
 
+  sops.secrets."nix-build-farm/private-key" = { mode = "0400"; };
+  services.nix-build-farm.hostname = "home";
+  services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path;
+
   # Networking
   common.linux.networking =
     {

nki-home/secrets.yaml

@@ -15,6 +15,8 @@ peertube:
     dtth-key: ENC[AES256_GCM,data:Gu7qOisVBZrFXKBr51165FJ7Ej4hV+lIf3AMC02R3UFNXOnTHF2xC8E=,iv:F83FuD1VjZEJFMcx3gkQuKCpJmYdHtO15fRHkYdMxJM=,tag:ScH42Tr5ZsIo9JMnXhylSw==,type:str]
 nix-cache:
     private-key: ENC[AES256_GCM,data:4sbfIQb10Y50CrZbgjN+1iXEbXTpDqMbIB/yA3WlaAqhLtb8HKib5aZX3DLoxFbVihJcztQsvBBgEAhT9iMijoksaT9qzBQ5yIn4NGCfFem1DK8DQdjhTLMCVTyMFCT7hQHu/2Sd7w==,iv:zTSxuKOtOLekOBKBvl9MScD/Bo1Hviqq/n8Saa+1Cgo=,tag:fx73fCDPY9d07V3KKMw3DA==,type:str]
+nix-build-farm:
+    private-key: ENC[AES256_GCM,data:m5neeWCEdaZ1MRhNwTptfDIgv3ABNlYyNil3oTD81Jbe/6WxWaS5Q++CRlHCjc2hOoHsWsZixw8iGZVTA+QXgH6B9C6A4oOAhgR9m92EGTEfFw0qxQbdzs7U98Yonx/N8SApUycZZB/EU81+MrDNY4GGzCiO6s00/vZLkDTYnqRFgbo+8KTG0BQTl4q+VYP2q3l0wy+Ivz5CWPmbz42Xdin/sBnjeFHKDuof4iZZnN3i8gUJ/mMw3lbdiHd6A8DL0G5Ut46ljzMC2aMsZOATCID3mPOPgI0xIetDofPJLDqVsNqptRHo8WB+KwDidvl222f5F7JqdSqgAMOJYPscrX0odufApiJfg5bbXBygvrDfAlPSruW7GsWGoKAhw0qC4NC/j+qYCwhS0qdorCLnIy3zzMtA6HkHtE675hy7/7oLj7k9Y8MhE4PxztjXTmDazaVCtKhnA/DpaxP2mH84gfCkJFD1YF9jtPm+P3e+46FwkW+WnHaA2L+H7Evava30DLEBhh5y9Gd1A3JN4isn,iv:7KUWg7+GWgmGJkbIvsy9gtccZBb+1Y5uDWhXQFk0obk=,tag:qJdM684XPHxecLVxVb5pgw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -48,8 +50,8 @@ sops:
             bUhIT0Z2b1dVWGNyS1hRVFRyZTA4d00KchP7EhSOMwBl5vFuuskzosRoi8jUu1sw
             hVjJNF2a40ewgkQgVAoWEzirHbknbQORzmepDDRth7Bve3UQU64+GA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-16T12:16:41Z"
+    lastmodified: "2024-08-16T13:59:20Z"
-    mac: ENC[AES256_GCM,data:x3zeCDljzyRpro4sem2pC33rFfm5jAjFhhX9JNlzLB6aNZ1TUv0qz4g7NhkWY23XNjJFmYqIW+pib97OVDd15kRojknM/UYCThW5oZDIWKn+TA9+bF9NGBjxP60t3n3dlU5VmgD8bgiApUS+XzHnJXuxhfiIHclvfxdLC33R7S4=,iv:str4fZX58mzFlD4rYaLmiCAeZmHIernG3636Tt+Rwgg=,tag:qS47OGc/o4/0Cj/V4e8dBg==,type:str]
+    mac: ENC[AES256_GCM,data:ncT8fbtEb9ZcLcftXwgAKJRPPSG4TRHFMArtVgWNmIjDRcCNNT7ICa+9Dl8DAYKRJ+8pgelV9StIg2f7rvypHYlckontEP5nwSFzEApLItG3AZXewTC8VPoDYb4T8/OWKDoa5kBMvGrDr1bFP/CZz7H8No+k5TV7fVExsw0PHpg=,iv:vxbkeJtHkOAq7NcaZEIOMV3qGEqBUg/vpJYumBBfY70=,tag:T0yw2x1O5Tp0UllLpcFryg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0