vinzenz/nixos-configuration
0
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

distributed builds: add assertions, nix fmt

Browse source
This commit is contained in:
müde 2026-05-03 16:13:47 +02:00
parent 9bff3f718f
commit 7de5751743
2 changed files with 38 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

8
homeModules/tailscale.nix
View file

@ -1,4 +1,10 @@
{ lib, config, osConfig, thisDevice, ... }: {
lib,
config,
osConfig,
thisDevice,
...
}:
{ {
options.my.tailscale.enable = lib.mkOption { options.my.tailscale.enable = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;

41
nixosModules/distributed-builds.nix
View file

@ -25,15 +25,17 @@ let
buildServerKnownHosts = lib.pipe buildServerDevices [ buildServerKnownHosts = lib.pipe buildServerDevices [
(lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey)) (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey))
(lib.mapAttrs (name: v: { (lib.mapAttrs (
publicKey = v.distributedBuilds.hostPublicKey; name: v: {
hostNames = [ (v.publicFqdn or name) ]; publicKey = v.distributedBuilds.hostPublicKey;
})) hostNames = [ (v.publicFqdn or name) ];
}
))
]; ];
remoteBuildServerDevices = builtins.filter ( remoteBuildServerDevices = builtins.filter (m: m.hostName != config.networking.hostName) (
m: m.hostName != config.networking.hostName lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices
) (lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices); );
buildMachines = map ( buildMachines = map (
m: m:
@ -65,6 +67,20 @@ in
# All machines # All machines
{ {
assertions =
lib.mapAttrsToList (name: v: {
assertion = v.distributedBuilds ? hostPublicKey && v.distributedBuilds ? storeSigningPublicKey;
message = "devices.${name}: isBuilder = true requires distributedBuilds.hostPublicKey and distributedBuilds.storeSigningPublicKey";
}) buildServerDevices
++ lib.mapAttrsToList (name: v: {
assertion = lib.hasPrefix "ssh-" v.distributedBuilds.clientPublicKey;
message = "devices.${name}: distributedBuilds.clientPublicKey must start with 'ssh-'";
}) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey) allDevices)
++ lib.mapAttrsToList (name: v: {
assertion = builtins.match ".+:.+" v.distributedBuilds.storeSigningPublicKey != null;
message = "devices.${name}: distributedBuilds.storeSigningPublicKey must be in '<name>:<base64>' format";
}) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? storeSigningPublicKey) allDevices);
nix.settings = { nix.settings = {
#fallback = true; #fallback = true;
connect-timeout = 5; connect-timeout = 5;
@ -106,15 +122,20 @@ in
programs.ssh = { programs.ssh = {
knownHosts = buildServerKnownHosts; knownHosts = buildServerKnownHosts;
extraConfig = lib.concatStringsSep "\n" ( extraConfig = lib.concatStringsSep "\n" (
lib.mapAttrsToList (name: v: lib.mapAttrsToList (
name: v:
let let
names = lib.unique [ name (v.publicFqdn or name) ]; names = lib.unique [
name
(v.publicFqdn or name)
];
in in
'' ''
Match originalhost ${lib.concatStringsSep "," names} user ${buildUser} Match originalhost ${lib.concatStringsSep "," names} user ${buildUser}
IdentityFile ${clientSshKeyPath} IdentityFile ${clientSshKeyPath}
IdentitiesOnly yes IdentitiesOnly yes
'') buildServerDevices ''
) buildServerDevices
); );
}; };
nix = { nix = {