Set up loki as remote builder

machines/drone/configuration.nix

@@ -11,7 +11,7 @@
     drone.enable = true;
     nix-common = {
       enable = true;
-      disable-cache = true;
+      remote-builders = true;
     };
   };
 

machines/gitea/configuration.nix

@@ -10,7 +10,7 @@
     gitea.enable = true;
     nix-common = {
       enable = true;
-      disable-cache = true;
+      remote-builders = true;
     };
   };
 

machines/loki/configuration.nix

@@ -3,12 +3,15 @@ let
   pkgs = import nixpkgs { system = "x86_64-linux"; };
 in
 {
-  imports = [ ./hardware-configuration.nix ../../users/erwin ../../users/root ];
+  imports = [ ./hardware-configuration.nix ../../users/erwin ../../users/root ../../users/builder ];
 
   eboskma = {
-    users.erwin = {
+    users = {
+      erwin = {
       enable = true;
       home-manager = true;
+      };
+      builder.enable = true;
     };
     # backscrub.enable = true;
     base = {
@@ -44,10 +47,6 @@ in
     };
     nix-common = {
       enable = true;
-      disable-cache = true;
-    };
-    nix-serve = {
-      enable = false;
     };
     tablet.enable = false;
     sound.enable = true;

machines/proxy/configuration.nix

@@ -10,7 +10,7 @@
     docker.enable = true;
     nix-common = {
       enable = true;
-      disable-cache = true;
+      remote-builders = true;
     };
     nginx-proxy-manager.enable = true;
   };

modules/nix-common/default.nix

@@ -9,9 +9,14 @@ in
 {
   options.eboskma.nix-common = {
     enable = mkEnableOption "activate nix-common";
-    disable-cache = mkEnableOption "no not use binary cache";
+    remote-builders = mkEnableOption "enable remote builders";
   };
 
+  imports = [
+    (mkRemovedOptionModule ["eboskma" "nix-common" "disable-cache" ]
+      "The option `disable-cache` is no longer used")
+  ];
+
   config = mkIf cfg.enable {
     nixpkgs = {
       config.allowUnfree = true;
@@ -23,18 +28,30 @@ in
         experimental-features = nix-command flakes
       '';
 
+      buildMachines = mkIf cfg.remote-builders [
+        {
+          hostName = "loki";
+          systems = [ "x86_64-linux" ];
+          maxJobs = 8;
+          speedFactor = 2;
+          supportedFeatures = [ "kvm" "big-parallel" "nixos-test" "benchmark" ];
+        }
+      ];
+      distributedBuilds = cfg.remote-builders;
+
       settings = {
         auto-optimise-store = true;
         allowed-users = [ "root" ];
+        trusted-users = [ "root" ];
         substituters = [
           "https://nix-community.cachix.org"
           "https://marcus7070.cachix.org"
-        ] ++ lib.optionals (! cfg.disable-cache) [ "http://loki.datarift.nl" ];
+        ]; 
 
         trusted-public-keys = [
           "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
           "marcus7070.cachix.org-1:JawxHSgnYsgNYJmNqZwvLjI4NcOwrcEZDToWlT3WwXw="
-        ] ++ lib.optionals (! cfg.disable-cache) [ "loki.datarift.nl:Mk+g9h52oCWtCi6b6KxRkntrD+HZVhwNT8muUQtgKoA=" ];
+        ];
       };
 
       gc = {
@@ -43,5 +60,14 @@ in
         options = "--delete-older-than=30d";
       };
     };
+
+    programs.ssh.extraConfig = mkIf cfg.remote-builders ''
+Host loki
+  HostName 10.0.0.4
+  Port 22
+  User builder
+  IdentitiesOnly yes
+  IdentityFile /root/.ssh/id_builder
+'';
   };
 }

modules/nix-serve/default.nix

@@ -13,6 +13,8 @@ in
       bindAddress = "127.0.0.1";
     };
 
+    systemd.tmpfiles.rules = [ "C /run/cache-priv-key.pem 400 nix-serve root - ${config.services.nix-serve.secretKeyFile}" ];
+
     services.nginx = {
       enable = true;
       recommendedProxySettings = true;

users/builder/default.nix

@@ -0,0 +1,25 @@
+{ pkgs, config, lib, ...}:
+with lib;
+let
+  cfg = config.eboskma.users.builder;
+  authorizedKeys = builtins.map (key: (builtins.readFile (./keys/${key})))
+    (builtins.attrNames (builtins.readDir ./keys));
+in
+{
+  options.eboskma.users.builder = { enable = mkEnableOption "builder"; };
+
+  config = mkIf (cfg.enable) {
+    users.users.builder = {
+      isSystemUser = true;
+      group = "builder";
+      useDefaultShell = true;
+      home = "/var/lib/builder";
+      createHome = true;
+      openssh.authorizedKeys.keys = authorizedKeys;
+    };
+
+    users.groups.builder = {};
+
+    nix.settings.trusted-users = [ "builder" ];
+  };
+}

users/builder/keys/drone

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKt96oN09JnlyHzGbKpxjqmfzfU5okhCBpC0CT0pkSUC root@drone

users/builder/keys/gitea

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCDXelodQB8FgCJWqYgpOZKISN2RJw0IumQr98fy/m5 root@gitea

users/builder/keys/proxy

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTrtuCcGH+gkfdVvD+BcpPTbmirXW7XieI6qNtBD7mJ root@proxy