From 3c33dd66ea59e9b01b05c515c22df11bcaf94194 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 27 Sep 2021 23:06:10 +0200
Subject: vidhar/sif: build-server/build-client
---
 hosts/sif/default.nix | 7 ++
 hosts/vidhar/default.nix | 1 +
 modules/build-client.nix | 108 +++++++++++++++++++++++
 overlays/uhk-agent.nix | 4 +-
 system-profiles/build-server/clients/sif/private | 26 ++++++
 system-profiles/build-server/clients/sif/public | 1 +
 system-profiles/build-server/default.nix | 35 ++++++++
 utils/default.nix | 2 +-
 8 files changed, 181 insertions(+), 3 deletions(-)
 create mode 100644 modules/build-client.nix
 create mode 100644 system-profiles/build-server/clients/sif/private
 create mode 100644 system-profiles/build-server/clients/sif/public
 create mode 100644 system-profiles/build-server/default.nix
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 3109d852..4b303d9a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -272,6 +272,13 @@
 autoOptimiseStore = true;
 daemonNiceLevel = 10;
 daemonIONiceLevel = 3;
+
+ buildServers.vidhar = {
+ address = "192.168.2.168";
+ system = "x86_64-linux";
+ speedFactor = 4;
+ supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+ };
 };
 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index fb4256f6..ae0a8168 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -3,6 +3,7 @@
 imports = with flake.nixosModules.systemProfiles; [
 ./zfs.nix
 initrd-all-crypto-modules default-locale openssh rebuild-machines
+ build-server
 initrd-ssh
 ];
diff --git a/modules/build-client.nix b/modules/build-client.nix
new file mode 100644
index 00000000..763fdb38
--- /dev/null
+++ b/modules/build-client.nix
@@ -0,0 +1,108 @@
+{ flake, config, lib, hostName, ... }:
+
+with lib;
+
+let
+ cfg = config.nix.buildServers;
+
+ secretName = name: "nix-ssh-builder-${name}-private";
+in {
+ options = {
+ nix = {
+ buildServers = mkOption {
+ type = types.attrsOf (types.submodule {
+ options = {
+ address = mkOption {
+ type = types.str;
+ };
+
+ system = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ example = "x86_64-linux";
+ description = ''
+ The system type the build machine can execute derivations on.
+ Either this attribute or systems must be
+ present, where system takes precedence if
+ both are set.
+ '';
+ };
+ systems = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "x86_64-linux" "aarch64-linux" ];
+ description = ''
+ The system types the build machine can execute derivations on.
+ Either this attribute or system must be
+ present, where system takes precedence if
+ both are set.
+ '';
+ };
+ maxJobs = mkOption {
+ type = types.int;
+ default = 1;
+ description = ''
+ The number of concurrent jobs the build machine supports. The
+ build machine will enforce its own limits, but this allows hydra
+ to schedule better since there is no work-stealing between build
+ machines.
+ '';
+ };
+ speedFactor = mkOption {
+ type = types.int;
+ default = 1;
+ description = ''
+ The relative speed of this builder. This is an arbitrary integer
+ that indicates the speed of this builder, relative to other
+ builders. Higher is faster.
+ '';
+ };
+ mandatoryFeatures = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "big-parallel" ];
+ description = ''
+ A list of features mandatory for this builder. The builder will
+ be ignored for derivations that don't require all features in
+ this list. All mandatory features are automatically included in
+ supportedFeatures.
+ '';
+ };
+ supportedFeatures = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "kvm" "big-parallel" ];
+ description = ''
+ A list of features supported by this builder. The builder will
+ be ignored for derivations that require features not in this
+ list.
+ '';
+ };
+ };
+ });
+ default = {};
+ };
+ };
+ };
+
+ config = mkIf (cfg != {}) {
+ programs.ssh.extraConfig = concatMapStringsSep "\n" ({ name, value }: ''
+ Host ${name}
+ User nix-ssh-builder
+ HostName ${value.address}
+ IdentitiesOnly yes
+ IdentityFile ${config.sops.secrets.${secretName name}.path}
+ ControlMaster auto
+ ControlPath /run/nix-ssh-builder-master-%r@%n:%p
+ ControlPersist 30m
+ Compression yes
+ ForwardAgent no
+ ServerAliveInterval 6
+ ServerAliveCountMax 10
+ '') (mapAttrsToList nameValuePair cfg);
+
+ sops.secrets = mapAttrs' (name: hCfg: nameValuePair (secretName name) { sopsFile = ../system-profiles/build-server/clients + "/${hostName}/private"; format = "binary"; }) cfg;
+
+ nix.buildMachines = mapAttrsToList (hostName: hCfg: { inherit hostName; inherit (hCfg) system systems maxJobs speedFactor mandatoryFeatures supportedFeatures; }) cfg;
+ };
+}
diff --git a/overlays/uhk-agent.nix b/overlays/uhk-agent.nix
index 3110c835..1b37121f 100644
--- a/overlays/uhk-agent.nix
+++ b/overlays/uhk-agent.nix
@@ -2,13 +2,13 @@ final: prev: {
 uhk-agent = let
- version = "1.5.14";
+ version = "1.5.15";
 image = prev.stdenv.mkDerivation {
 name = "uhk-agent-image";
 src = prev.fetchurl {
 url = "https://github.com/UltimateHackingKeyboard/agent/releases/download/v${version}/UHK.Agent-${version}-linux-x86_64.AppImage";
- hash = "sha256-D3sLjhWoeFVGgsFJo7/vsx4Dh8RsE+S6AA8z4Hsk8Ps=";
+ hash = "sha256-t2Jwd/x0eTZ4xBaCb/FomH/zSRLt7IIERUF9n9ONCpE=";
 };
 buildCommand = ''
 install -m 0644 $src $out
diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private
new file mode 100644
index 00000000..3b39664f
--- /dev/null
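Review bot: The `Host ${name}` block in `programs.ssh.extraConfig` pins which key the client presents (`IdentitiesOnly yes` plus the sops-provided `IdentityFile`) but nothing pins the builder's host key, so the session nix-daemon opens as root to `HostName ${value.address}` is authenticated only by whatever root's known_hosts already contains, and since the entry added in hosts/sif/default.nix is a bare IP address a first connection from the daemon cannot be confirmed interactively either. Adding a `publicKey` option to the submodule and emitting `programs.ssh.knownHosts.${name} = { hostNames = [ value.address ]; publicKey = value.publicKey; };` from it would fix the host side the same way clients/<host>/public already fixes the client side on the server. Separately, the `system` and `systems` descriptions say one of them must be present, but nothing enforces it; `assertions = mapAttrsToList (name: hCfg: { assertion = hCfg.system != null || hCfg.systems != []; message = "nix.buildServers.${name}: set system or systems"; }) cfg;` under `config` would turn that into an evaluation error instead of a `nix.buildMachines` entry without any system type.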
+++ b/system-profiles/build-server/clients/sif/private
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data: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,iv:ztdGapMDwI7XMDLC7cne5PWp42BvsuUjCAbp3R3KGyM=,tag:nMfZ/U4zRs48PZlI4cRGfw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2021-09-27T18:11:41Z",
+ "mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2021-09-27T18:11:40Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA9mZ6ZMwa4Y4QmXMM1nMeFT6grP/xRfoObWlejEHcBC0w\noDm5V5YffnpSqTEKE8AzYbMvZqjme5Xwyxy79pqAbiHaThkQr8YN8HhHyRFIrLIq\n0l4BwKFGlxfxbmEcxx0B4NuUhOzs1S/lMvQhqhr38naFht3Bz9G3GhSrJdDiHVDb\nUwxvqv7GFnacRf9LMgIVCsi6485h2jbOZfx+xB3jT3p11eMyPMgEW1Q5Hwq+NM9k\n=DWiW\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ },
+ {
+ "created_at": "2021-09-27T18:11:40Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4Dgwm4NZSaLAcSAQdAt2OVBFZSyyqqZtXnwN2h16edqa70UBrhDGhsID6jpnYw\nSuFSqkEZ7uGe38JDfA4fbhYHCMPIwt2E8o35Sr/UbzanKhjWu9+7R2v92zBBzBcG\n0l4BDU29ZKhQ65In2PhURs+5G3/qB9THB5vKAmP43RtS4pphFGH3uKwY1T7JSDuX\nYytSMKKBG4OnKlbMJd4SMRICD7aBuV6VPTmA6B3p+c8m5qcg7Uh1eDN0AxWJKr5o\n=pUaa\n-----END PGP MESSAGE-----\n",
+ "fp": "F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/system-profiles/build-server/clients/sif/public b/system-profiles/build-server/clients/sif/public
new file mode 100644
index 00000000..49d43107
--- /dev/null
+++ b/system-profiles/build-server/clients/sif/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICH7/Ni0zaEXqZw/3CewIIe+M55PEUbLCqOd3KpxymkX nix-ssh-builder@sif
diff --git a/system-profiles/build-server/default.nix b/system-profiles/build-server/default.nix
new file mode 100644
index 00000000..9c821f64
--- /dev/null
+++ b/system-profiles/build-server/default.nix
@@ -0,0 +1,35 @@
+{ customUtils, flake, config, lib, ... }:
+
+{
+ imports = with flake.nixosModules.systemProfiles; [ openssh ];
+
+ config = {
+ users.groups.nix-ssh-builder = {};
+ users.users.nix-ssh-builder = {
+ description = "Nix build server user";
+ useDefaultShell = true;
+ isSystemUser = true;
+ group = "nix-ssh-builder";
+ };
+
+ services.openssh = {
+ enable = true;
+ extraConfig = ''
+ Match User nix-ssh-builder
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${config.nix.package.out}/bin/nix-store --serve --write
+ Match All
+ '';
+ };
+
+ users.users.nix-ssh-builder.openssh.authorizedKeys.keys =
+ let
+ importKeys = dir: lib.attrValues (customUtils.mapFilterAttrs (_: v: v == "directory") (n: _: lib.nameValuePair n (importKeys' dir n)) (builtins.readDir dir));
+ importKeys' = dir: host: builtins.readFile (dir + "/${host}/public");
+ in importKeys ./clients;
+ };
+}
diff --git a/utils/default.nix b/utils/default.nix
index 48add212..75d886a3 100644
--- a/utils/default.nix
+++ b/utils/default.nix
@@ -2,7 +2,7 @@ rec {
 inherit (builtins) readDir;
 inherit (lib) filterAttrs hasSuffix removeSuffix mapAttrs' nameValuePair isFunction functionArgs setFunctionArgs id;
- mapFilterAttrs = seive: f: attrs: filterAttrs seive (mapAttrs' f attrs);
+ mapFilterAttrs = sieve: f: attrs: filterAttrs sieve (mapAttrs' f attrs);
 nixImport = { dir, _import ? name: _base: import "${toString dir}/${name}" }: mapFilterAttrs (_: v: v != null)
-- cgit v1.2.3
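Review bot: `importKeys` appears to evaluate to an empty list, so no client key would reach `authorizedKeys.keys`: `mapFilterAttrs` as defined in utils/default.nix in this same diff maps first and filters afterwards, so the sieve `(_: v: v == "directory")` is applied to the file contents produced by `importKeys'`, never to the `readDir` entry type, and nothing matches. Filtering before mapping gives the intended result, `importKeys = dir: lib.mapAttrsToList (n: _: importKeys' dir n) (lib.filterAttrs (_: v: v == "directory") (builtins.readDir dir));`, and also stops `importKeys'` from being called on regular files that may sit in clients/. On the access side, the `Match User nix-ssh-builder` block locks the forced command down well, but `nix-store --serve --write` lets every listed key import store paths, and the file does not say how those imports are meant to satisfy the daemon's signature check; if the answer is adding `nix-ssh-builder` to `nix.trustedUsers`, that deserves a comment next to `ForceCommand`, since it extends trust beyond the forced command. NixOS also ships this arrangement as `nix.sshServe` (`enable`, `write`, `keys`); a short comment on why it is re-implemented here would help the next reader.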