set up distributed builds

hosts/kalessin/default.nix

@@ -1,5 +1,8 @@
 { config, lib, pkgs, ... }:
 
+let
+  keys = import ../../keys.nix;
+in
 {
   imports = [
     ./hardware-configuration.nix
@@ -12,10 +15,15 @@
 
   fountain.users.qenya.enable = true;
   users.users.qenya.extraGroups = [ "wheel" ];
-
   fountain.users.trungle.enable = true;
 
   qenya.base-server.enable = true;
   
+  qenya.services.remote-builder = {
+    enable = true;
+    authorizedKeys.keys = [ keys.machines.tohru ];
+  };
+  boot.binfmt.emulatedSystems = [ "x86_64-linux" ];
+
   system.stateVersion = "23.11";
 }

hosts/tohru/default.nix

@@ -46,6 +46,12 @@
     ];
   };
 
+  qenya.services.distributed-builds = {
+    enable = true;
+    keyFile = "/etc/ssh/ssh_host_ed25519_key";
+    builders = [ "kalessin" ];
+  };
+
   programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet
   programs.steam.enable = true;
 

services/default.nix

@@ -2,9 +2,11 @@
   imports = [
     ./actual.nix
     ./audiobookshelf.nix
+    ./distributed-builds.nix
     ./forgejo.nix
     ./jellyfin.nix
     ./navidrome.nix
     ./pipewire-low-latency.nix
+    ./remote-builder.nix
   ];
 }

services/distributed-builds.nix

@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (builtins) elem;
+  inherit (lib) mkIf mkEnableOption mkOption types optional;
+  cfg = config.qenya.services.distributed-builds;
+in
+{
+  options.qenya.services.distributed-builds = {
+    enable = mkEnableOption "distributed builds";
+    keyFile = mkOption {
+      type = types.path;
+      description = ''
+        Path to the OpenSSH private key to be used for distributed builds.
+      '';
+    };
+    builders = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = ''
+        List of builders to attempt to use for distributed builds.
+      '';
+      example = [ "kalessin" ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [{
+      assertion = cfg ? keyFile;
+      message = "must specify a private key to be used for distributed builds";
+    }];
+
+    nix.distributedBuilds = true;
+    nix.settings.builders-use-substitutes = true;
+
+    nix.buildMachines =
+      (optional (elem "kalessin" cfg.builders) {
+        hostName = config.birdsong.hosts."kalessin".ipv4;
+        sshUser = "remotebuild";
+        sshKey = cfg.keyFile;
+        systems = [ "aarch64-linux" "x86_64-linux" ];
+        supportedFeatures = [ ];
+      });
+  };
+}

services/remote-builder.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkOption mkEnableOption types;
+  cfg = config.qenya.services.remote-builder;
+in
+{
+  options.qenya.services.remote-builder = {
+    enable = mkEnableOption "remote builder";
+    authorizedKeys = {
+      keys = mkOption {
+        type = types.listOf types.singleLineStr;
+        default = [ ];
+        description = ''
+          A list of verbatim OpenSSH public keys that should be authorized to
+          use this remote builder. See
+          `users.users.<name>.openssh.authorizedKeys.keys`.
+        '';
+      };
+      keyFiles = mkOption {
+        type = types.listOf types.path;
+        default = [ ];
+        description = ''
+          A list of files each containing one OpenSSH public key that should be
+          authorized to use this remote builder. See
+          `users.users.<name>.openssh.authorizedKeys.keyFiles`.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.remotebuild = {
+      isSystemUser = true;
+      group = "nogroup";
+      shell = "/bin/sh";
+      openssh.authorizedKeys.keys = cfg.authorizedKeys.keys;
+      openssh.authorizedKeys.keyFiles = cfg.authorizedKeys.keyFiles;
+    };
+
+    nix.nrBuildUsers = 64;
+    nix.settings.trusted-users = [ "remotebuild" ];
+  };
+}