distributed builds: add assertions, nix fmt

2026-05-03 16:13:47 +02:00 · 2026-05-03 16:13:47 +02:00 · 7de5751743
commit 7de5751743
parent 9bff3f718f
2 changed files with 38 additions and 11 deletions
--- a/homeModules/tailscale.nix
+++ b/homeModules/tailscale.nix
@ -1,4 +1,10 @@
-{ lib, config, osConfig, thisDevice, ... }:
+{
+  lib,
+  config,
+  osConfig,
+  thisDevice,
+  ...
+}:
 {
  options.my.tailscale.enable = lib.mkOption {
    type = lib.types.bool;
--- a/nixosModules/distributed-builds.nix
+++ b/nixosModules/distributed-builds.nix
@ -25,15 +25,17 @@ let

  buildServerKnownHosts = lib.pipe buildServerDevices [
    (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey))
-    (lib.mapAttrs (name: v: {
-      publicKey = v.distributedBuilds.hostPublicKey;
-      hostNames = [ (v.publicFqdn or name) ];
-    }))
+    (lib.mapAttrs (
+      name: v: {
+        publicKey = v.distributedBuilds.hostPublicKey;
+        hostNames = [ (v.publicFqdn or name) ];
+      }
+    ))
  ];

-  remoteBuildServerDevices = builtins.filter (
-    m: m.hostName != config.networking.hostName
-  ) (lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices);
+  remoteBuildServerDevices = builtins.filter (m: m.hostName != config.networking.hostName) (
+    lib.mapAttrsToList (name: v: v // { hostName = name; }) buildServerDevices
+  );

  buildMachines = map (
    m:
@ -65,6 +67,20 @@ in

      # All machines
      {
+        assertions =
+          lib.mapAttrsToList (name: v: {
+            assertion = v.distributedBuilds ? hostPublicKey && v.distributedBuilds ? storeSigningPublicKey;
+            message = "devices.${name}: isBuilder = true requires distributedBuilds.hostPublicKey and distributedBuilds.storeSigningPublicKey";
+          }) buildServerDevices
+          ++ lib.mapAttrsToList (name: v: {
+            assertion = lib.hasPrefix "ssh-" v.distributedBuilds.clientPublicKey;
+            message = "devices.${name}: distributedBuilds.clientPublicKey must start with 'ssh-'";
+          }) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey) allDevices)
+          ++ lib.mapAttrsToList (name: v: {
+            assertion = builtins.match ".+:.+" v.distributedBuilds.storeSigningPublicKey != null;
+            message = "devices.${name}: distributedBuilds.storeSigningPublicKey must be in '<name>:<base64>' format";
+          }) (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? storeSigningPublicKey) allDevices);
+
        nix.settings = {
          #fallback = true;
          connect-timeout = 5;
@ -106,15 +122,20 @@ in
        programs.ssh = {
          knownHosts = buildServerKnownHosts;
          extraConfig = lib.concatStringsSep "\n" (
-            lib.mapAttrsToList (name: v:
+            lib.mapAttrsToList (
+              name: v:
              let
-                names = lib.unique [ name (v.publicFqdn or name) ];
+                names = lib.unique [
+                  name
+                  (v.publicFqdn or name)
+                ];
              in
              ''
                Match originalhost ${lib.concatStringsSep "," names} user ${buildUser}
                  IdentityFile ${clientSshKeyPath}
                  IdentitiesOnly yes
-              '') buildServerDevices
+              ''
+            ) buildServerDevices
          );
        };
        nix = {