Set up loki as remote builder

2022-08-14 16:38:25 +02:00 · 2022-08-14 16:38:25 +02:00 · 793b6d06d2
commit 793b6d06d2
parent 19421432b8
10 changed files with 67 additions and 12 deletions
--- a/machines/drone/configuration.nix
+++ b/machines/drone/configuration.nix
@ -11,7 +11,7 @@
    drone.enable = true;
    nix-common = {
      enable = true;
-      disable-cache = true;
+      remote-builders = true;
    };
  };
--- a/machines/gitea/configuration.nix
+++ b/machines/gitea/configuration.nix
@ -10,7 +10,7 @@
    gitea.enable = true;
    nix-common = {
      enable = true;
-      disable-cache = true;
+      remote-builders = true;
    };
  };
--- a/machines/loki/configuration.nix
+++ b/machines/loki/configuration.nix
@ -3,13 +3,16 @@ let
  pkgs = import nixpkgs { system = "x86_64-linux"; };
 in
 {
-  imports = [ ./hardware-configuration.nix ../../users/erwin ../../users/root ];
+  imports = [ ./hardware-configuration.nix ../../users/erwin ../../users/root ../../users/builder ];
  eboskma = {
-    users.erwin = {
+    users = {
      erwin = {
      enable = true;
      home-manager = true;
      };
      builder.enable = true;
    };
    # backscrub.enable = true;
    base = {
      plymouth.enable = true;
@ -44,10 +47,6 @@ in
    };
    nix-common = {
      enable = true;
      disable-cache = true;
    };
    nix-serve = {
      enable = false;
    };
    tablet.enable = false;
    sound.enable = true;
--- a/machines/proxy/configuration.nix
+++ b/machines/proxy/configuration.nix
@ -10,7 +10,7 @@
    docker.enable = true;
    nix-common = {
      enable = true;
-      disable-cache = true;
+      remote-builders = true;
    };
    nginx-proxy-manager.enable = true;
  };
--- a/modules/nix-common/default.nix
+++ b/modules/nix-common/default.nix
@ -9,9 +9,14 @@ in
 {
  options.eboskma.nix-common = {
    enable = mkEnableOption "activate nix-common";
-    disable-cache = mkEnableOption "no not use binary cache";
+    remote-builders = mkEnableOption "enable remote builders";
  };
  imports = [
    (mkRemovedOptionModule ["eboskma" "nix-common" "disable-cache" ]
      "The option `disable-cache` is no longer used")
  ];
  config = mkIf cfg.enable {
    nixpkgs = {
      config.allowUnfree = true;
@ -23,18 +28,30 @@ in
        experimental-features = nix-command flakes
      '';
      buildMachines = mkIf cfg.remote-builders [
        {
          hostName = "loki";
          systems = [ "x86_64-linux" ];
          maxJobs = 8;
          speedFactor = 2;
          supportedFeatures = [ "kvm" "big-parallel" "nixos-test" "benchmark" ];
        }
      ];
      distributedBuilds = cfg.remote-builders;
      settings = {
        auto-optimise-store = true;
        allowed-users = [ "root" ];
        trusted-users = [ "root" ];
        substituters = [
          "https://nix-community.cachix.org"
          "https://marcus7070.cachix.org"
-        ] ++ lib.optionals (! cfg.disable-cache) [ "http://loki.datarift.nl" ];
+        ]; 
        trusted-public-keys = [
          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
          "marcus7070.cachix.org-1:JawxHSgnYsgNYJmNqZwvLjI4NcOwrcEZDToWlT3WwXw="
-        ] ++ lib.optionals (! cfg.disable-cache) [ "loki.datarift.nl:Mk+g9h52oCWtCi6b6KxRkntrD+HZVhwNT8muUQtgKoA=" ];
+        ];
      };
      gc = {
@ -43,5 +60,14 @@ in
        options = "--delete-older-than=30d";
      };
    };
    programs.ssh.extraConfig = mkIf cfg.remote-builders ''
 Host loki
  HostName 10.0.0.4
  Port 22
  User builder
  IdentitiesOnly yes
  IdentityFile /root/.ssh/id_builder
 '';
  };
 }
--- a/modules/nix-serve/default.nix
+++ b/modules/nix-serve/default.nix
@ -13,6 +13,8 @@ in
      bindAddress = "127.0.0.1";
    };
    systemd.tmpfiles.rules = [ "C /run/cache-priv-key.pem 400 nix-serve root - ${config.services.nix-serve.secretKeyFile}" ];
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
--- a/users/builder/default.nix
+++ b/users/builder/default.nix
@ -0,0 +1,25 @@
 { pkgs, config, lib, ...}:
 with lib;
 let
  cfg = config.eboskma.users.builder;
  authorizedKeys = builtins.map (key: (builtins.readFile (./keys/${key})))
    (builtins.attrNames (builtins.readDir ./keys));
 in
 {
  options.eboskma.users.builder = { enable = mkEnableOption "builder"; };
  config = mkIf (cfg.enable) {
    users.users.builder = {
      isSystemUser = true;
      group = "builder";
      useDefaultShell = true;
      home = "/var/lib/builder";
      createHome = true;
      openssh.authorizedKeys.keys = authorizedKeys;
    };
    users.groups.builder = {};
    nix.settings.trusted-users = [ "builder" ];
  };
 }
--- a/users/builder/keys/drone
+++ b/users/builder/keys/drone
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKt96oN09JnlyHzGbKpxjqmfzfU5okhCBpC0CT0pkSUC root@drone
--- a/users/builder/keys/gitea
+++ b/users/builder/keys/gitea
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCDXelodQB8FgCJWqYgpOZKISN2RJw0IumQr98fy/m5 root@gitea
--- a/users/builder/keys/proxy
+++ b/users/builder/keys/proxy
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTrtuCcGH+gkfdVvD+BcpPTbmirXW7XieI6qNtBD7mJ root@proxy
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKt96oN09JnlyHzGbKpxjqmfzfU5okhCBpC0CT0pkSUC root@drone`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCDXelodQB8FgCJWqYgpOZKISN2RJw0IumQr98fy/m5 root@gitea`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTrtuCcGH+gkfdVvD+BcpPTbmirXW7XieI6qNtBD7mJ root@proxy`