diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index ae5b218..0bbdfec 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, ... }: +let + keys = import ../../keys.nix; +in { imports = [ ./hardware-configuration.nix @@ -12,10 +15,15 @@ fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; - fountain.users.trungle.enable = true; qenya.base-server.enable = true; + + qenya.services.remote-builder = { + enable = true; + authorizedKeys.keys = [ keys.machines.tohru ]; + }; + boot.binfmt.emulatedSystems = [ "x86_64-linux" ]; system.stateVersion = "23.11"; } diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 7832985..cae91d3 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -46,6 +46,12 @@ ]; }; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kalessin" ]; + }; + programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet programs.steam.enable = true; diff --git a/services/default.nix b/services/default.nix index a83117a..f136e92 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,9 +2,11 @@ imports = [ ./actual.nix ./audiobookshelf.nix + ./distributed-builds.nix ./forgejo.nix ./jellyfin.nix ./navidrome.nix ./pipewire-low-latency.nix + ./remote-builder.nix ]; } \ No newline at end of file diff --git a/services/distributed-builds.nix b/services/distributed-builds.nix new file mode 100644 index 0000000..e0bbbbb --- /dev/null +++ b/services/distributed-builds.nix 
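Review bot: `keyFile = "/etc/ssh/ssh_host_ed25519_key";` in the tohru hunk reuses the machine's SSH host identity as the remote-build client credential, so the key that kalessin authorizes for its `remotebuild` account is the same key that identifies tohru to every SSH client, and rotating or revoking either role forces the other. It works because nix-daemon runs as root and the path is passed as a string (a Nix path literal here would copy the private key into the world-readable store), but a dedicated key for the build role is cleaner, e.g. `keyFile = "/root/.ssh/remote-build_ed25519";`, with its public half referenced from kalessin's `authorizedKeys` instead of the host key. The attribute set for host tohru that this hunk edits starts before the hunk.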
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (builtins) elem;
+ inherit (lib) mkIf mkEnableOption mkOption types optional;
+ cfg = config.qenya.services.distributed-builds;
+in
+{
+ options.qenya.services.distributed-builds = {
+ enable = mkEnableOption "distributed builds";
+ keyFile = mkOption {
+ type = types.path;
+ description = ''
+ Path to the OpenSSH private key to be used for distributed builds.
+ '';
+ };
+ builders = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ List of builders to attempt to use for distributed builds.
+ '';
+ example = [ "kalessin" ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [{
+ assertion = cfg ? keyFile;
+ message = "must specify a private key to be used for distributed builds";
+ }];
+
+ nix.distributedBuilds = true;
+ nix.settings.builders-use-substitutes = true;
+
+ nix.buildMachines =
+ (optional (elem "kalessin" cfg.builders) {
+ hostName = config.birdsong.hosts."kalessin".ipv4;
+ sshUser = "remotebuild";
+ sshKey = cfg.keyFile;
+ systems = [ "aarch64-linux" "x86_64-linux" ];
+ supportedFeatures = [ ];
+ });
+ };
+}
diff --git a/services/remote-builder.nix b/services/remote-builder.nix
new file mode 100644
index 0000000..265241a
--- /dev/null
+++ b/services/remote-builder.nix
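Review bot: The `nix.buildMachines` entry pins no host key — nothing in this module sets `publicHostKey` or a `programs.ssh.knownHosts` entry for kalessin — so unless the birdsong module provides one (not visible here), root's nix-daemon connects to `config.birdsong.hosts."kalessin".ipv4` trusting whatever key answers, and a host that impersonates the builder can hand back arbitrary build outputs that the client then treats as genuine. I would add `publicHostKey = "<base64 of kalessin's host key line>";` to the entry, or assert that a knownHosts entry exists, and state the requirement in a header comment. Separately, `assertion = cfg ? keyFile;` can never fail: the option is declared, so the attribute always exists and `?` does not force its value; an unset `keyFile` already fails with the standard "option used but not defined" error when `sshKey = cfg.keyFile` is evaluated, so the assertion should be dropped or replaced by `default = null;` plus `assertion = cfg.keyFile != null;`. Finally, `types.path` accepts a Nix path literal, which would copy the private key into the world-readable store; the description should say to pass a string path such as `"/etc/ssh/..."`, or the type should be `types.str`.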
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkOption mkEnableOption types;
+ cfg = config.qenya.services.remote-builder;
+in
+{
+ options.qenya.services.remote-builder = {
+ enable = mkEnableOption "remote builder";
+ authorizedKeys = {
+ keys = mkOption {
+ type = types.listOf types.singleLineStr;
+ default = [ ];
+ description = ''
+ A list of verbatim OpenSSH public keys that should be authorized to
+ use this remote builder. See
+ `users.users..openssh.authorizedKeys.keys`.
+ '';
+ };
+ keyFiles = mkOption {
+ type = types.listOf types.path;
+ default = [ ];
+ description = ''
+ A list of files each containing one OpenSSH public key that should be
+ authorized to use this remote builder. See
+ `users.users..openssh.authorizedKeys.keyFiles`.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.remotebuild = {
+ isSystemUser = true;
+ group = "nogroup";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = cfg.authorizedKeys.keys;
+ openssh.authorizedKeys.keyFiles = cfg.authorizedKeys.keyFiles;
+ };
+
+ nix.nrBuildUsers = 64;
+ nix.settings.trusted-users = [ "remotebuild" ];
+ };
+}
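Review bot: `nix.settings.trusted-users = [ "remotebuild" ];` makes every key in `authorizedKeys` root-equivalent on this host — a trusted user can import unsigned store paths and set otherwise-restricted daemon options — yet the account is also given an unrestricted `/bin/sh` login, so a key holder gets an interactive shell on top of daemon trust. The client module in this commit uses the default `ssh` protocol, under which the only command the builder needs to accept is `nix-store --serve --write`, so I would pin the keys to it: `openssh.authorizedKeys.keys = map (k: "restrict,command=\"nix-store --serve --write\" ${k}") cfg.authorizedKeys.keys;`. `keyFiles` cannot be wrapped the same way, so either drop that option or document that keys supplied through it must carry the `restrict,command=...` prefix themselves. The `keys` description should also state plainly that any key listed here is effectively root on the builder because of `trusted-users`.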