-rw-r--r--hosts/sif/default.nix7
-rw-r--r--hosts/vidhar/default.nix1
-rw-r--r--modules/build-client.nix108
-rw-r--r--overlays/uhk-agent.nix4
-rw-r--r--system-profiles/build-server/clients/sif/private26
-rw-r--r--system-profiles/build-server/clients/sif/public1
-rw-r--r--system-profiles/build-server/default.nix35
-rw-r--r--utils/default.nix2
8 files changed, 181 insertions, 3 deletions
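--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -272,6 +272,13 @@
  autoOptimiseStore = true;
  daemonNiceLevel = 10;
  daemonIONiceLevel = 3;
+
+ buildServers.vidhar = {
+ address = "192.168.2.168";
+ system = "x86_64-linux";
+ speedFactor = 4;
+ supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+ };
  };
 
  environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;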
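--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -3,6 +3,7 @@
  imports = with flake.nixosModules.systemProfiles; [
  ./zfs.nix
  initrd-all-crypto-modules default-locale openssh rebuild-machines
+ build-server
  initrd-ssh
  ];
 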
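--- /dev/null
+++ b/modules/build-client.nix
@@ -0,0 +1,108 @@
+{ flake, config, lib, hostName, ... }:
+
+with lib;
+
+let
+ cfg = config.nix.buildServers;
+
+ secretName = name: "nix-ssh-builder-${name}-private";
+in {
+ options = {
+ nix = {
+ buildServers = mkOption {
+ type = types.attrsOf (types.submodule {
+ options = {
+ address = mkOption {
+ type = types.str;
+ };
+
+ system = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "x86_64-linux";
+ description = ''
+ The system type the build machine can execute derivations on.
+ Either this attribute or <varname>systems</varname> must be
+ present, where <varname>system</varname> takes precedence if
+ both are set.
+ '';
+ };
+ systems = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "x86_64-linux" "aarch64-linux" ];
+ description = ''
+ The system types the build machine can execute derivations on.
+ Either this attribute or <varname>system</varname> must be
+ present, where <varname>system</varname> takes precedence if
+ both are set.
+ '';
+ };
+ maxJobs = mkOption {
+ type = types.int;
+ default = 1;
+ description = ''
+ The number of concurrent jobs the build machine supports. The
+ build machine will enforce its own limits, but this allows hydra
+ to schedule better since there is no work-stealing between build
+ machines.
+ '';
+ };
+ speedFactor = mkOption {
+ type = types.int;
+ default = 1;
+ description = ''
+ The relative speed of this builder. This is an arbitrary integer
+ that indicates the speed of this builder, relative to other
+ builders. Higher is faster.
+ '';
+ };
+ mandatoryFeatures = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "big-parallel" ];
+ description = ''
+ A list of features mandatory for this builder. The builder will
+ be ignored for derivations that don't require all features in
+ this list. All mandatory features are automatically included in
+ <varname>supportedFeatures</varname>.
+ '';
+ };
+ supportedFeatures = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "kvm" "big-parallel" ];
+ description = ''
+ A list of features supported by this builder. The builder will
+ be ignored for derivations that require features not in this
+ list.
+ '';
+ };
+ };
+ });
+ default = {};
+ };
+ };
+ };
+
+ config = mkIf (cfg != {}) {
+ programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
+ Host ${name}
+ User nix-ssh-builder
+ HostName ${value.address}
+ IdentitiesOnly yes
+ IdentityFile ${config.sops.secrets.${secretName name}.path}
+ ControlMaster auto
+ ControlPath /run/nix-ssh-builder-master-%r@%n:%p
+ ControlPersist 30m
+ Compression yes
+ ForwardAgent no
+ ServerAliveInterval 6
+ ServerAliveCountMax 10
+ '') (mapAttrsToList nameValuePair cfg);
+
+ sops.secrets = mapAttrs' (name: hCfg: nameValuePair (secretName name) { sopsFile = ../system-profiles/build-server/clients + "/${hostName}/private"; format = "binary"; }) cfg;
+
+ nix.buildMachines = mapAttrsToList (hostName: hCfg: { inherit hostName; inherit (hCfg) system systems maxJobs speedFactor mandatoryFeatures supportedFeatures; }) cfg;
+ };
+}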
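Review bot: The generated Host block on the new side pins nothing about the server's identity: it sets no `StrictHostKeyChecking`/`UserKnownHostsFile`, and the `nix.buildMachines` entries on the last config line carry no `publicHostKey`, so root's connection to `address` depends entirely on whatever its known_hosts happens to contain when the daemon first dials out. A per-server option that feeds `nix.buildMachines.*.publicHostKey` (and `StrictHostKeyChecking yes` in the Host block) would make the builder's identity part of the configuration rather than state left on the client. Two smaller points: the lambda `mapAttrsToList (hostName: hCfg: ...)` shadows the module argument `hostName` that the `sops.secrets` line just above relies on, so renaming that parameter to `name` avoids a misleading read, and `address` is the only submodule option without a `description`.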
diff --git a/overlays/uhk-agent.nix b/overlays/uhk-agent.nix
index 3110c835..1b37121f 100644
--- a/overlays/uhk-agent.nix
+++ b/overlays/uhk-agent.nix
@@ -2,13 +2,13 @@ final: prev:
2{ 2{
3 uhk-agent = 3 uhk-agent =
4 let 4 let
5 version = "1.5.14"; 5 version = "1.5.15";
6 6
7 image = prev.stdenv.mkDerivation { 7 image = prev.stdenv.mkDerivation {
8 name = "uhk-agent-image"; 8 name = "uhk-agent-image";
9 src = prev.fetchurl { 9 src = prev.fetchurl {
10 url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage"; 10 url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
11 hash = "sha256-D3sLjhWoeFVGgsFJo7/vsx4Dh8RsE+S6AA8z4Hsk8Ps="; 11 hash = "sha256-t2Jwd/x0eTZ4xBaCb/FomH/zSRLt7IIERUF9n9ONCpE=";
12 }; 12 };
13 buildCommand = '' 13 buildCommand = ''
14 install -m 0644 $src $out 14 install -m 0644 $src $out
diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private
new file mode 100644
index 00000000..3b39664f
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/private
@@ -0,0 +1,26 @@
1{
2 "data": "ENC[AES256_GCM,data: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,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]",
3 "sops": {
4 "kms": null,
5 "gcp_kms": null,
6 "azure_kv": null,
7 "hc_vault": null,
8 "age": null,
9 "lastmodified": "2021-09-27T18:11:41Z",
10 "mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
11 "pgp": [
12 {
13 "created_at": "2021-09-27T18:11:40Z",
14 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n",
15 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
16 },
17 {
18 "created_at": "2021-09-27T18:11:40Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n",
20 "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1"
25 }
26} \ No newline at end of file
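--- /dev/null
+++ b/system-profiles/build-server/clients/sif/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif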
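--- /dev/null
+++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
+{ customUtils, flake, config, lib, ... }:
+
+{
+ imports = with flake.nixosModules.systemProfiles; [ openssh ];
+
+ config = {
+ users.groups.nix-ssh-builder = {};
+ users.users.nix-ssh-builder = {
+ description = "Nix build server user";
+ useDefaultShell = true;
+ isSystemUser = true;
+ group = "nix-ssh-builder";
+ };
+
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nix-ssh-builder
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
+ Match All
+ '';
+ };
+
+ users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
+ let
+ importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
+ importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
+ in importKeys ./clients;
+ };
+}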
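Review bot: `importKeys` on the `authorizedKeys.keys` line looks like it yields an empty list, because `mapFilterAttrs` (as defined in the utils hunk on this page) runs `filterAttrs` after `mapAttrs'`, so the `v == "directory"` predicate is applied to the file contents returned by `importKeys'` and never to the `readDir` entry types; filtering the listing first avoids that, e.g. `importKeys = dir: lib.attrValues (lib.mapAttrs (n: _: importKeys' dir n) (lib.filterAttrs (_: v: v == "directory") (builtins.readDir dir)));`. The `Match User nix-ssh-builder` block disables agent and TCP forwarding, TTY, tunnels and X11 but leaves Unix-socket forwarding at its default, so add `AllowStreamLocalForwarding no` (or `DisableForwarding yes` on OpenSSH 7.4+). Because the forced command is `nix-store --serve --write`, every key under clients/*/public can push arbitrary store paths into this host's store; that is what remote building needs, but a comment on the `ForceCommand` line stating the trust it grants would help the next reader. This profile also appears to duplicate what the stock `nix.sshServe` module sets up, which is worth a sentence in the file header if the custom user name is the reason for not using it.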
diff --git a/utils/default.nix b/utils/default.nix
index 48add212..75d886a3 100644
--- a/utils/default.nix
+++ b/utils/default.nix
@@ -2,7 +2,7 @@
2rec { 2rec {
3 inherit (builtins) readDir; 3 inherit (builtins) readDir;
4 inherit (lib) filterAttrs hasSuffix removeSuffix mapAttrs' nameValuePair isFunction functionArgs setFunctionArgs id; 4 inherit (lib) filterAttrs hasSuffix removeSuffix mapAttrs' nameValuePair isFunction functionArgs setFunctionArgs id;
5 mapFilterAttrs = seive: f: attrs: filterAttrs seive (mapAttrs' f attrs); 5 mapFilterAttrs = sieve: f: attrs: filterAttrs sieve (mapAttrs' f attrs);
6 nixImport = { dir, _import ? name: _base: import "${toString dir}/${name}" }: 6 nixImport = { dir, _import ? name: _base: import "${toString dir}/${name}" }:
7 mapFilterAttrs 7 mapFilterAttrs
8 (_: v: v != null) 8 (_: v: v != null)