From 0830ab5d48f9ec05e44fbe7b584c7cae846b9a42 Mon Sep 17 00:00:00 2001
From: alejandro-angulo
Date: Sun, 18 May 2025 19:50:37 -0700
Subject: [PATCH] Added remote build user
---
 modules/nixos/nix/default.nix | 104 +++++++++++-------
 .../nixos/nix/remote_client_keys/carbon.pub | 1 +
 systems/x86_64-linux/gospel/default.nix | 1 +
 3 files changed, 67 insertions(+), 39 deletions(-)
 create mode 100644 modules/nixos/nix/remote_client_keys/carbon.pub
diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index cebeecd..c9853ae 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -25,51 +25,77 @@ in }; useSelfhostedCache = mkEnableOption "use self-hosted nix cache (currently hosted on gospel)"; + remoteBuilder.enable = mkEnableOption "set up as a remote builder"; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - nix-prefetch - nixfmt-rfc-style - ]; - - nix = - let - users = [ - "root" - config.aa.user.name - ]; - in + config = mkIf cfg.enable ( + lib.mkMerge [ { - package = cfg.package; + environment.systemPackages = with pkgs; [ + nix-prefetch + nixfmt-rfc-style + ]; - settings = { - experimental-features = "nix-command flakes"; - trusted-users = users; - allowed-users = users; + nix = + let + users = [ + "root" + config.aa.user.name + ]; + in + { + package = cfg.package; - builders-use-substitutes = cfg.useSelfhostedCache; - substituters = - if cfg.useSelfhostedCache then - [ - # TESTING - "https://minio.kilonull.com/nix-store" - selfHostedCacheHost - ] - else - [ ]; - trusted-public-keys = mkIf cfg.useSelfhostedCache [ - "gospelCache:9cbn8Wm54BbwpPS0TXw+15wrYZBpfOJt4Fzfbfcq/pc=" - ]; + settings = { + experimental-features = "nix-command flakes"; + trusted-users = users; + allowed-users = users; + + builders-use-substitutes = cfg.useSelfhostedCache; + substituters = + if cfg.useSelfhostedCache then + [ + # TESTING + "https://minio.kilonull.com/nix-store" + selfHostedCacheHost + ] + else + [ ]; + trusted-public-keys = mkIf cfg.useSelfhostedCache [ + "gospelCache:9cbn8Wm54BbwpPS0TXw+15wrYZBpfOJt4Fzfbfcq/pc=" + ]; + }; + + # TODO: Configure distributedBuilds and buildMachines? 
+ + gc = { + automatic = lib.mkDefault true; + dates = lib.mkDefault "weekly"; + options = lib.mkDefault "--delete-older-than 30d"; + }; + }; + } + (lib.mkIf cfg.remoteBuilder.enable { + users.users.remotebuild = { + isNormalUser = true; + createHome = false; + group = "remotebuild"; + + # All the keys from ./remote_client_keys should be trusted + openssh.authorizedKeys.keyFiles = ( + let + publicKeys = builtins.readDir ./remote_client_keys; + fileNames = builtins.attrNames publicKeys; + filePaths = builtins.map (fileName: ./remote_client_keys + "/${fileName}") fileNames; + in + filePaths + ); }; - # TODO: Configure distributedBuilds and buildMachines? + users.groups.remotebuild = { }; - gc = { - automatic = lib.mkDefault true; - dates = lib.mkDefault "weekly"; - options = lib.mkDefault "--delete-older-than 30d"; - }; - }; - }; + nix.settings.trusted-users = [ "remotebuild" ]; + }) + ] + ); }
diff --git a/modules/nixos/nix/remote_client_keys/carbon.pub b/modules/nixos/nix/remote_client_keys/carbon.pub
new file mode 100644
index 0000000..ac9fb0a
--- /dev/null
+++ b/modules/nixos/nix/remote_client_keys/carbon.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKy1MP/CjBPhcXac3XgTEnhATN6xpXRO6YDkHNhLQrkx root@carbon
diff --git a/systems/x86_64-linux/gospel/default.nix b/systems/x86_64-linux/gospel/default.nix
index dfcee6d..1278833 100644
--- a/systems/x86_64-linux/gospel/default.nix
+++ b/systems/x86_64-linux/gospel/default.nix
@@ -14,6 +14,7 @@ aa = { nix.enable = true; + nix.remoteBuilder.enable = true; archetypes = { workstation.enable = true;
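Review bot: The `openssh.authorizedKeys.keyFiles` expression for `remotebuild` takes every entry `builtins.readDir ./remote_client_keys` returns without checking that it is a regular file named `*.pub`, so a stray README, editor backup or subdirectory dropped into that directory is either installed as an authorized_keys file or breaks the build; filter before mapping, e.g. `fileNames = builtins.attrNames (lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) publicKeys);`. The same directory also deserves an explicit comment next to `nix.settings.trusted-users = [ "remotebuild" ];`: as far as I can tell from the trusted-users semantics, every client key in it (currently only carbon.pub from the next hunk) becomes a credential with trusted-user rights on this host's daemon, able to override store options and import unsigned paths, so the directory holds privileged credentials rather than ordinary SSH keys. Something like `# trusted-users is required for remote builds, but it gives the holder of any key in ./remote_client_keys full control of the store — add keys deliberately` would record that intent for the next person who adds a key. The `config = mkIf cfg.enable (` attribute this all sits in starts earlier in the hunk and closes at its final `}`, but the hunk's lines are collapsed in this view so the exact indentation of the quoted replacement could not be checked.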