From 0aee3539f0c219d558878bf2714f6c1b152ea9cd Mon Sep 17 00:00:00 2001
From: Toast
Date: Wed, 24 Apr 2024 00:24:50 +0200
Subject: [PATCH 1/5] Flake: update secrets
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index c0cec35..79c1741 100644
--- a/flake.lock
+++ b/flake.lock
@@ -377,11 +377,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1713863887,
- "narHash": "sha256-TwlNZjJloyZ0/5KCPeSWrnyDfEFokayovRPQY7xqq1g=",
+ "lastModified": 1713910881,
+ "narHash": "sha256-MZ1+GmZL3V3Kqe4YrxPA2W8vrF/c+f7sYOpf+jw6ESc=",
 "ref": "refs/heads/main",
- "rev": "b8c66d7b0ca9fc21bc5332801b0203033cc3a772",
- "revCount": 13,
+ "rev": "918b61f3ee194d7e67fa1d3200b64fe7741dd24a",
+ "revCount": 15,
 "type": "git",
 "url": "ssh://forgejo@git.everest.sable-pancake.ts.net:4222/Toast/nix-secrets"
 },
From 68628028bd611c721d628fb9d33c75eea8fedf96 Mon Sep 17 00:00:00 2001
From: Toast
Date: Wed, 24 Apr 2024 00:29:40 +0200
Subject: [PATCH 2/5] Machines/WinMax2: set up as a nix remote builder
---
 machines/WinMax2/default.nix | 1 +
 machines/WinMax2/remote-builder.nix | 55 +++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 machines/WinMax2/remote-builder.nix
diff --git a/machines/WinMax2/default.nix b/machines/WinMax2/default.nix
index 187a110..899f761 100755
--- a/machines/WinMax2/default.nix
+++ b/machines/WinMax2/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
+ ./remote-builder.nix
 ];
 }
diff --git a/machines/WinMax2/remote-builder.nix b/machines/WinMax2/remote-builder.nix
new file mode 100644
index 0000000..ad86042
--- /dev/null
+++ b/machines/WinMax2/remote-builder.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ flakeSelf,
+ ...
+}: let
+ hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+ hostKeyPath = "/etc/ssh/winmax2_host_key";
+in {
+ age.secrets = {
+ winmax2-host-key = {
+ file = hostSecrets + "host-private-key.age";
+ path = hostKeyPath;
+ mode = "0400";
+ };
+ "winmax2-host-key.pub" = {
+ file = hostSecrets + "host-public-key.age";
+ path = hostKeyPath + ".pub";
+ };
+ };
+
+ users = {
+ groups.nixrbld = {};
+ users.nixrbld = {
+ isSystemUser = true;
+ group = "nixrbld";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8v+04ZwqHZRG8P8nxdQt+fGJfzlxHXF0F6jzENb+U6 Remote builder access key"
+ ];
+ };
+ };
+
+ nix.settings.trusted-users = ["nixrbld"];
+
+ services.openssh = {
+ enable = true;
+ startWhenNeeded = true;
+ # I only want it to be accesible though tailscale
+ openFirewall = false;
+ allowSFTP = false;
+ settings = {
+ UseDns = true;
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ AllowUsers = ["nixrbld"];
+ };
+ hostKeys = [
+ {
+ path = hostKeyPath;
+ type = "ed25519";
+ comment = "Everest host key";
+ }
+ ];
+ };
+ networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];
+}
From 30f41d10db9c68587a8d560c4eee47b6b52fd76c Mon Sep 17 00:00:00 2001
From: Toast
Date: Wed, 24 Apr 2024 01:09:08 +0200
Subject: [PATCH 3/5] Common/nix: add remote builder
---
 roles/common/programs/nix.nix | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/roles/common/programs/nix.nix b/roles/common/programs/nix.nix
index 1663df2..77fd14a 100755
--- a/roles/common/programs/nix.nix
+++ b/roles/common/programs/nix.nix
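Review bot: `nix.settings.trusted-users = ["nixrbld"];` makes whoever holds the private half of the key in `openssh.authorizedKeys.keys` effectively root on this host's Nix store (trusted users may set arbitrary daemon options and import unsigned paths), and with `AllowUsers` already pinning the account nothing else in the hunk limits what that key can do over SSH. If trust is needed so clients can push unsigned build inputs, say so next to the line, e.g. `# trusted so clients can push unsigned closures; this makes the nixrbld key root-equivalent here`, and consider giving the authorized key sshd options (`restrict` plus a `command=` matching the daemon invocation ssh-ng uses) so it cannot be used for anything but builds — confirm against the client side in roles/common before relying on it. Separately, `hostKeys` replaces the stock host key with one that is itself an age secret; unless `age.identityPaths` is set elsewhere (not visible here) to a key that exists before activation, a fresh install has nothing to decrypt `winmax2-host-key` with. `UseDns = true` departs from the sshd default of `no` and only adds a reverse lookup per connection; it can be dropped unless a `from=` hostname pattern depends on it. The comment above `openFirewall` reads "accesible though" — "accessible through".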
@@ -1,9 +1,38 @@
-{systemPkgs, ...}: {
+{
+ systemPkgs,
+ config,
+ flakeSelf,
+ ...
+}: {
+ age.secrets = {
+ remoteBuilderKey.file = "${flakeSelf.inputs.secrets}/WinMax2/nixrbld-private-key.age";
+ };
+
+ programs.ssh = {
+ knownHosts.winmax2.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPE+ksvEq/I2LMLOztVXpLE9yuI6EkRh4EtXdlYkhl6C WinMax2 host key";
+ extraConfig = ''
+ Host nixrbld
+ HostName winmax2
+ IdentitiesOnly yes
+ IdentityFile ${config.age.secrets.remoteBuilderKey.path}
+ User nixrbld
+ '';
+ };
+
 nix = {
 settings = {
 auto-optimise-store = true;
 experimental-features = "nix-command flakes";
 };
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "nixrbld";
+ system = "x86_64-linux";
+ protocol = "ssh-ng";
+ maxJobs = 4;
+ }
+ ];
 optimise = {
 automatic = true;
 dates = ["weekly"];
From 7535e078fe790802ceef8041e91a0d4fe54350d0 Mon Sep 17 00:00:00 2001
From: Toast
Date: Wed, 24 Apr 2024 01:18:09 +0200
Subject: [PATCH 4/5] Common/nix: add supportedFeatures to remote builder
---
 roles/common/programs/nix.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/roles/common/programs/nix.nix b/roles/common/programs/nix.nix
index 77fd14a..6cdf8ae 100755
--- a/roles/common/programs/nix.nix
+++ b/roles/common/programs/nix.nix
@@ -31,6 +31,11 @@
 system = "x86_64-linux";
 protocol = "ssh-ng";
 maxJobs = 4;
+ supportedFeatures = [
+ "big-parallel"
+ "kvm"
+ "nixos-test"
+ ];
 }
 ];
 optimise = {
From 19bddffde3c50ed62cca9685b616568ce920c907 Mon Sep 17 00:00:00 2001
From: Toast
Date: Wed, 24 Apr 2024 01:33:56 +0200
Subject: [PATCH 5/5] Machines/WinMax2: set up shell for nixrbld
---
 machines/WinMax2/remote-builder.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/machines/WinMax2/remote-builder.nix b/machines/WinMax2/remote-builder.nix
index ad86042..1a3f839 100644
--- a/machines/WinMax2/remote-builder.nix
+++ b/machines/WinMax2/remote-builder.nix
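Review bot: `remoteBuilderKey` and the `Host nixrbld` stanza are declared in roles/common, so every host that imports this role carries the private key for an account that remote-builder.nix makes a trusted user on WinMax2; a compromise of any of those machines is then a compromise of the builder's store, and if WinMax2 itself imports the role it will also be configured to offload builds to itself over SSH. That blast radius should be stated where the secret is declared, e.g. `# held by every host importing this role; nixrbld is a trusted user on WinMax2, so guard this like a root credential`, and the self-build case could be excluded with something like `distributedBuilds = config.networking.hostName != "WinMax2";` (the actual hostName value is not visible here, so verify it). `hostName = "nixrbld";` in `buildMachines` only works because of the `Host nixrbld` alias in `programs.ssh.extraConfig`, which lands in the system-wide ssh_config; a one-line comment tying the two together, `# "nixrbld" is the Host alias from programs.ssh.extraConfig above`, would save the next reader a search. The enclosing `nix = { ... }` attribute set closes outside the hunk.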
@@ -22,6 +22,7 @@ in {
 groups.nixrbld = {};
 users.nixrbld = {
 isSystemUser = true;
+ useDefaultShell = true;
 group = "nixrbld";
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8v+04ZwqHZRG8P8nxdQt+fGJfzlxHXF0F6jzENb+U6 Remote builder access key"
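Review bot: `useDefaultShell = true;` has no comment explaining why a system account is being given a login shell; the NixOS default shell for a user that sets none is nologin, and since sshd runs the builder command through the user's shell the `buildMachines` entry in roles/common would be refused without it. Suggest `# sshd runs the build daemon through the login shell; the default (nologin) would reject it`. Combined with the trusted-user status granted in patch 2, a real shell also means the key can run arbitrary commands as nixrbld, which is one more reason to restrict the authorized key to the build command. The `users.nixrbld` attribute set opens inside the hunk and closes outside it.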