Added remote build user
			This commit is contained in:
		
							parent
							
								
									0d8ea5a568
								
							
						
					
					
						commit
						0830ab5d48
					
				
					 3 changed files with 67 additions and 39 deletions
				
			
		| 
						 | 
				
			
			@ -25,51 +25,77 @@ in
 | 
			
		|||
    };
 | 
			
		||||
 | 
			
		||||
    useSelfhostedCache = mkEnableOption "use self-hosted nix cache (currently hosted on gospel)";
 | 
			
		||||
    remoteBuilder.enable = mkEnableOption "set up as a remote builder";
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  config = mkIf cfg.enable {
 | 
			
		||||
    environment.systemPackages = with pkgs; [
 | 
			
		||||
      nix-prefetch
 | 
			
		||||
      nixfmt-rfc-style
 | 
			
		||||
    ];
 | 
			
		||||
 | 
			
		||||
    nix =
 | 
			
		||||
      let
 | 
			
		||||
        users = [
 | 
			
		||||
          "root"
 | 
			
		||||
          config.aa.user.name
 | 
			
		||||
        ];
 | 
			
		||||
      in
 | 
			
		||||
  config = mkIf cfg.enable (
 | 
			
		||||
    lib.mkMerge [
 | 
			
		||||
      {
 | 
			
		||||
        package = cfg.package;
 | 
			
		||||
        environment.systemPackages = with pkgs; [
 | 
			
		||||
          nix-prefetch
 | 
			
		||||
          nixfmt-rfc-style
 | 
			
		||||
        ];
 | 
			
		||||
 | 
			
		||||
        settings = {
 | 
			
		||||
          experimental-features = "nix-command flakes";
 | 
			
		||||
          trusted-users = users;
 | 
			
		||||
          allowed-users = users;
 | 
			
		||||
        nix =
 | 
			
		||||
          let
 | 
			
		||||
            users = [
 | 
			
		||||
              "root"
 | 
			
		||||
              config.aa.user.name
 | 
			
		||||
            ];
 | 
			
		||||
          in
 | 
			
		||||
          {
 | 
			
		||||
            package = cfg.package;
 | 
			
		||||
 | 
			
		||||
          builders-use-substitutes = cfg.useSelfhostedCache;
 | 
			
		||||
          substituters =
 | 
			
		||||
            if cfg.useSelfhostedCache then
 | 
			
		||||
              [
 | 
			
		||||
                # TESTING
 | 
			
		||||
                "https://minio.kilonull.com/nix-store"
 | 
			
		||||
                selfHostedCacheHost
 | 
			
		||||
              ]
 | 
			
		||||
            else
 | 
			
		||||
              [ ];
 | 
			
		||||
          trusted-public-keys = mkIf cfg.useSelfhostedCache [
 | 
			
		||||
            "gospelCache:9cbn8Wm54BbwpPS0TXw+15wrYZBpfOJt4Fzfbfcq/pc="
 | 
			
		||||
          ];
 | 
			
		||||
            settings = {
 | 
			
		||||
              experimental-features = "nix-command flakes";
 | 
			
		||||
              trusted-users = users;
 | 
			
		||||
              allowed-users = users;
 | 
			
		||||
 | 
			
		||||
              builders-use-substitutes = cfg.useSelfhostedCache;
 | 
			
		||||
              substituters =
 | 
			
		||||
                if cfg.useSelfhostedCache then
 | 
			
		||||
                  [
 | 
			
		||||
                    # TESTING
 | 
			
		||||
                    "https://minio.kilonull.com/nix-store"
 | 
			
		||||
                    selfHostedCacheHost
 | 
			
		||||
                  ]
 | 
			
		||||
                else
 | 
			
		||||
                  [ ];
 | 
			
		||||
              trusted-public-keys = mkIf cfg.useSelfhostedCache [
 | 
			
		||||
                "gospelCache:9cbn8Wm54BbwpPS0TXw+15wrYZBpfOJt4Fzfbfcq/pc="
 | 
			
		||||
              ];
 | 
			
		||||
            };
 | 
			
		||||
 | 
			
		||||
            # TODO: Configure distributedBuilds and buildMachines?
 | 
			
		||||
 | 
			
		||||
            gc = {
 | 
			
		||||
              automatic = lib.mkDefault true;
 | 
			
		||||
              dates = lib.mkDefault "weekly";
 | 
			
		||||
              options = lib.mkDefault "--delete-older-than 30d";
 | 
			
		||||
            };
 | 
			
		||||
          };
 | 
			
		||||
      }
 | 
			
		||||
      (lib.mkIf cfg.remoteBuilder.enable {
 | 
			
		||||
        users.users.remotebuild = {
 | 
			
		||||
          isNormalUser = true;
 | 
			
		||||
          createHome = false;
 | 
			
		||||
          group = "remotebuild";
 | 
			
		||||
 | 
			
		||||
          # All the keys from ./remote_client_keys should be trusted
 | 
			
		||||
          openssh.authorizedKeys.keyFiles = (
 | 
			
		||||
            let
 | 
			
		||||
              publicKeys = builtins.readDir ./remote_client_keys;
 | 
			
		||||
              fileNames = builtins.attrNames publicKeys;
 | 
			
		||||
              filePaths = builtins.map (fileName: ./remote_client_keys + "/${fileName}") fileNames;
 | 
			
		||||
            in
 | 
			
		||||
            filePaths
 | 
			
		||||
          );
 | 
			
		||||
        };
 | 
			
		||||
 | 
			
		||||
        # TODO: Configure distributedBuilds and buildMachines?
 | 
			
		||||
        users.groups.remotebuild = { };
 | 
			
		||||
 | 
			
		||||
        gc = {
 | 
			
		||||
          automatic = lib.mkDefault true;
 | 
			
		||||
          dates = lib.mkDefault "weekly";
 | 
			
		||||
          options = lib.mkDefault "--delete-older-than 30d";
 | 
			
		||||
        };
 | 
			
		||||
      };
 | 
			
		||||
  };
 | 
			
		||||
        nix.settings.trusted-users = [ "remotebuild" ];
 | 
			
		||||
      })
 | 
			
		||||
    ]
 | 
			
		||||
  );
 | 
			
		||||
}
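Review bot: `openssh.authorizedKeys.keyFiles` takes every entry of `./remote_client_keys` unfiltered, so a subdirectory or a non-key file dropped there (a README, an editor backup, a private key committed by mistake) either fails the build or ends up in the remotebuild account's authorized_keys. Keep only regular `.pub` files, which is a one-line change in the `let` block: `publicKeys = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) (builtins.readDir ./remote_client_keys);`. The line `nix.settings.trusted-users = [ "remotebuild" ];` deserves a comment, because a trusted user may specify additional substituters and import unsigned paths into the daemon's store, so every key in that directory is effectively granted store-wide trust — e.g. `# remotebuild must be trusted so clients can push unsigned build results; every key in ./remote_client_keys inherits this privilege`. Given that, it is worth considering whether the lines in the key files should carry `restrict` (and a `command=` limited to the nix-store serving path) so the account cannot be used for an interactive shell; the `config = mkIf cfg.enable (` block and the closing `}` of the module are both inside this hunk.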
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
							
								
								
									
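--- a/modules/nixos/nix/remote_client_keys/carbon.pub
+++ b/modules/nixos/nix/remote_client_keys/carbon.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKy1MP/CjBPhcXac3XgTEnhATN6xpXRO6YDkHNhLQrkx root@carbon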