diff --git a/flake.nix b/flake.nix
index 2c80aec..35739dc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -150,7 +150,8 @@
 };
 distributedBuilds = {
 isBuilder = true;
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAbojdhb3PfazSRmudvo381Y+zUFVLMa7AbWbfK/Zp2 muede-lpt2-nix-builds";
+ hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGKoZ68wwyVRmPB0SkvpJUyUMDWeFbC5Je9zukyEOh7";
+ clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAbojdhb3PfazSRmudvo381Y+zUFVLMa7AbWbfK/Zp2 muede-lpt2-nix-builds";
 };
 };
 muede-pc2 = {
@@ -160,7 +161,9 @@
 };
 distributedBuilds = {
 isBuilder = true;
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmnyhP6L+kGHV15cb/d31AQr50wSEaQhkUBwy2+OEKk muede-pc2-nix-builds";
+ speedFactor = 2;
+ hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEQQS5XNoj62Oj85xQfIuLORwoBRwfqjvfBHHsiI+RH";
+ clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmnyhP6L+kGHV15cb/d31AQr50wSEaQhkUBwy2+OEKk muede-pc2-nix-builds";
 };
 };
 ronja-pc = {
diff --git a/nixosModules/distributed-builds.nix b/nixosModules/distributed-builds.nix
index 27804ee..f0c45da 100644
--- a/nixosModules/distributed-builds.nix
+++ b/nixosModules/distributed-builds.nix
@@ -10,8 +10,8 @@ let
 
 # Collect all per-device public keys that have been registered.
 authorizedPublicKeys = lib.pipe devices [
- (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? publicKey))
- (lib.mapAttrsToList (_: v: v.distributedBuilds.publicKey))
+ (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey))
+ (lib.mapAttrsToList (_: v: v.distributedBuilds.clientPublicKey))
 ];
 
 # === Onboarding a device as a build client ===
@@ -21,7 +21,7 @@ let
 # (owned by root, mode 0600)
 #
 # 2. Add the public key to the device entry in flake.nix:
- # distributedBuilds.publicKey = "ssh-ed25519 AAAA... -nix-builds";
+ # distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... -nix-builds";
 #
 # 3. Rebuild all machines so they pick up the new authorized key.
 #
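Review bot: Renaming the attribute to `clientPublicKey` makes any device entry that still uses the old `publicKey` name silently fall out of `authorizedPublicKeys`, because the `?` test in the first `lib.filterAttrs` filters such entries away instead of failing evaluation. The flake.nix hunks migrate the two builder entries shown; whether any client-only entry elsewhere still uses the old name is not visible here. An evaluation-time guard in the module body, such as `assertions = [ { assertion = lib.all (v: !((v.distributedBuilds or { }) ? publicKey)) (lib.attrValues devices); message = "distributedBuilds.publicKey was renamed to clientPublicKey"; } ];`, would turn a quietly lost authorization into a loud rebuild failure. The `let` block containing this binding continues outside the hunk.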
@@ -29,16 +29,27 @@ let
 #
 # Add to its entry in flake.nix:
 # distributedBuilds.isBuilder = true;
+ # distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519
 # All machines automatically discover and use it after the next rebuild.
 buildServerDevices = lib.filterAttrs (_: v: (v.distributedBuilds or { }).isBuilder or false) devices;
 
+ knownHosts = lib.pipe buildServerDevices [
+ (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey))
+ (lib.mapAttrs (hostName: v: {
+ publicKey = v.distributedBuilds.hostPublicKey;
+ }))
+ ];
+
 buildMachineList = lib.mapAttrsToList (hostName: v: {
 inherit hostName;
 systems = [ v.system ];
 sshUser = buildUser;
 sshKey = sshKeyPath;
 protocol = "ssh-ng";
+ } // lib.optionalAttrs (v.distributedBuilds ? speedFactor) {
+ speedFactor = v.distributedBuilds.speedFactor;
+ } // {
 supportedFeatures = [
 "nixos-test"
 "big-parallel"
@@ -51,11 +62,13 @@ let
 in
 {
 # Dedicated user for receiving distributed build connections
+ programs.ssh.knownHosts = knownHosts;
+
 users.users.${buildUser} = {
 isSystemUser = true;
 group = buildUser;
 useDefaultShell = true;
- openssh.authorizedKeys.keys = authorizedPublicKeys;
+ openssh.authorizedKeys.keys = map (k: ''command="nix daemon --stdio",restrict ${k}'') authorizedPublicKeys;
 };
 
 users.groups.${buildUser} = { };
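Review bot: `buildMachineList` is still mapped over `buildServerDevices`, while `knownHosts` is mapped over the subset that has a `hostPublicKey`, so a device with `isBuilder = true` and no `hostPublicKey` gets a machine-list entry with no pinned host key, and what happens on connect then depends on the client's host-key checking settings, which are not visible here. Deriving both from one filtered set keeps the pin mandatory, e.g. `verifiedBuilders = lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey) buildServerDevices;` used as the source of both `knownHosts` and `buildMachineList`; the `lib.mapAttrsToList` call's final argument lies outside the hunk. The `ssh-keyscan -t ed25519` hint in the new comment records whatever answered on the network at scan time, so the comment should also say the value is compared with the key file on the builder itself before it is committed, e.g. `# from: ssh-keyscan -t ed25519 <host>, cross-checked against the builder's /etc/ssh/ssh_host_ed25519_key.pub`.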
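Review bot: The forced command `nix daemon --stdio` with `restrict` on the `openssh.authorizedKeys.keys` line bounds what a client key can run over ssh, but not what the daemon then grants: every holder of a `clientPublicKey` gets a daemon connection as `${buildUser}`, and if that user is in `nix.settings.trusted-users` (not visible in this hunk, though remote builds commonly need it) the connection is a trusted one. A comment next to the line should record that boundary, e.g. `# restrict + forced command: the key can only speak ssh-ng to the local daemon; the daemon's trust in this user is what bounds it`. The forced command also fixes the wire protocol to ssh-ng, matching `protocol = "ssh-ng"` in `buildMachineList`; a client configured with the legacy `ssh` protocol would no longer work against these keys, which is worth a second comment.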