distributed builds: use builders as binary caches

2026-05-02 00:03:09 +02:00 · 2026-05-02 00:03:09 +02:00 · 396e8121d0
commit 396e8121d0
parent cfa42f11b5
3 changed files with 54 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,36 @@
+# nixos-configuration
+
+Personal NixOS configuration for all machines. Devices are declared in `devices.nix`, per-device configs live in `nixosConfigurations/<name>/`, and shared modules in `nixosModules/`.
+
+## Distributed builds
+
+Machines are configured to act as build servers / binary caches for each other in devices.nix.
+
+### Onboarding a device as a build client
+
+1. Generate a key pair on the device:
+   ```
+   sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds"
+   ```
+2. Add the public key to the device entry in `devices.nix`:
+   ```nix
+   distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
+   ```
+3. Rebuild all build machines so they pick up the new authorized key.
+
+### Adding a build server
+
+1. Add to its entry in `devices.nix`:
+   ```nix
+   distributedBuilds.isBuilder = true;
+   distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 <hostname>
+   ```
+2. Generate a store signing key on the builder:
+   ```
+   sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public
+   ```
+3. Add the printed public key to `devices.nix`:
+   ```nix
+   distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";
+   ```
+4. Rebuild all machines so they trust the new signing key.