distributed builds: add builders to known hosts

2026-05-01 21:54:54 +02:00 · 2026-05-01 21:54:54 +02:00 · b995113f56
commit b995113f56
parent 05645a2c46
2 changed files with 22 additions and 6 deletions
--- a/flake.nix
+++ b/flake.nix
@ -150,7 +150,8 @@
          };
          distributedBuilds = {
            isBuilder = true;
-            publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAbojdhb3PfazSRmudvo381Y+zUFVLMa7AbWbfK/Zp2 muede-lpt2-nix-builds";
+            hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGKoZ68wwyVRmPB0SkvpJUyUMDWeFbC5Je9zukyEOh7";
            clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAbojdhb3PfazSRmudvo381Y+zUFVLMa7AbWbfK/Zp2 muede-lpt2-nix-builds";
          };
        };
        muede-pc2 = {
@ -160,7 +161,9 @@
          };
          distributedBuilds = {
            isBuilder = true;
-            publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmnyhP6L+kGHV15cb/d31AQr50wSEaQhkUBwy2+OEKk muede-pc2-nix-builds";
+            speedFactor = 2;
            hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEQQS5XNoj62Oj85xQfIuLORwoBRwfqjvfBHHsiI+RH";
            clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmnyhP6L+kGHV15cb/d31AQr50wSEaQhkUBwy2+OEKk muede-pc2-nix-builds";
          };
        };
        ronja-pc = {
--- a/nixosModules/distributed-builds.nix
+++ b/nixosModules/distributed-builds.nix
@ -10,8 +10,8 @@ let
  # Collect all per-device public keys that have been registered.
  authorizedPublicKeys = lib.pipe devices [
-    (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? publicKey))
+    (lib.filterAttrs (_: v: (v.distributedBuilds or { }) ? clientPublicKey))
-    (lib.mapAttrsToList (_: v: v.distributedBuilds.publicKey))
+    (lib.mapAttrsToList (_: v: v.distributedBuilds.clientPublicKey))
  ];
  # === Onboarding a device as a build client ===
@ -21,7 +21,7 @@ let
  #    (owned by root, mode 0600)
  #
  # 2. Add the public key to the device entry in flake.nix:
-  #      distributedBuilds.publicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
+  #      distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
  #
  # 3. Rebuild all machines so they pick up the new authorized key.
  #
@ -29,16 +29,27 @@ let
  #
  # Add to its entry in flake.nix:
  #   distributedBuilds.isBuilder = true;
  #   distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA...";  # from: ssh-keyscan -t ed25519 <hostname>
  # All machines automatically discover and use it after the next rebuild.
  buildServerDevices = lib.filterAttrs (_: v: (v.distributedBuilds or { }).isBuilder or false) devices;
  knownHosts = lib.pipe buildServerDevices [
    (lib.filterAttrs (_: v: v.distributedBuilds ? hostPublicKey))
    (lib.mapAttrs (hostName: v: {
      publicKey = v.distributedBuilds.hostPublicKey;
    }))
  ];
  buildMachineList = lib.mapAttrsToList (hostName: v: {
    inherit hostName;
    systems = [ v.system ];
    sshUser = buildUser;
    sshKey = sshKeyPath;
    protocol = "ssh-ng";
  } // lib.optionalAttrs (v.distributedBuilds ? speedFactor) {
    speedFactor = v.distributedBuilds.speedFactor;
  } // {
    supportedFeatures = [
      "nixos-test"
      "big-parallel"
@ -51,11 +62,13 @@ let
 in
 {
  # Dedicated user for receiving distributed build connections
  programs.ssh.knownHosts = knownHosts;
  users.users.${buildUser} = {
    isSystemUser = true;
    group = buildUser;
    useDefaultShell = true;
-    openssh.authorizedKeys.keys = authorizedPublicKeys;
+    openssh.authorizedKeys.keys = map (k: ''command="nix daemon --stdio",restrict ${k}'') authorizedPublicKeys;
  };
  users.groups.${buildUser} = { };