From cf98cb7880851e980567b1c245befd4e3daacc4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?m=C3=BCde?= Date: Sat, 2 May 2026 11:37:32 +0200 Subject: [PATCH] ditributed builds: add forgejo-runner-1 it may be a bad idea to have it act as a client, but only one way to find out --- README.md | 18 ++++++++++++++---- devices.nix | 6 ++++++ 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f97d4b5..3ad5e88 100644 --- a/README.md +++ b/README.md @@ -9,28 +9,38 @@ Machines are configured to act as build servers / binary caches for each other i ### Onboarding a device as a build client 1. Generate a key pair on the device: + + ```sh + sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds" && sudo cat /etc/nix/distributed-build-key.pub ``` - sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds" - ``` + 2. Add the public key to the device entry in `devices.nix`: + ```nix distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... -nix-builds"; ``` + 3. Rebuild all build machines so they pick up the new authorized key. ### Adding a build server 1. Add to its entry in `devices.nix`: + ```nix distributedBuilds.isBuilder = true; - distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 + distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 "$(hostname)" ``` + 2. Generate a store signing key on the builder: - ``` + + ```sh sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public ``` + 3. Add the printed public key to `devices.nix`: + ```nix distributedBuilds.storeSigningPublicKey = ":"; ``` + 4. Rebuild all machines so they trust the new signing key. diff --git a/devices.nix b/devices.nix index c17d02e..ea3c6f6 100644 --- a/devices.nix +++ b/devices.nix 
@@ -26,6 +26,12 @@ in
 };
 forgejo-runner-1 = {
 system = "aarch64-linux";
+ distributedBuilds = {
+ isBuilder = true;
+ clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0NLgg0sFobBWz/bjYs9WkrMvlcvJC5F6+3jQ/b+AnD forgejo-runner-1-nix-builds";
+ hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANGC89GiT5xCsFICwrharrbV3q7acWHqk6ZwOUXbtGT";
+ storeSigningPublicKey = "forgejo-runner-1:ln1FVLL8G5+IveQuBi/Kn3SaqFZ1gaiQrE3yPlMhCMA=";
+ };
 };
 hetzner-vpn2 = {
 system = "aarch64-linux";
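Review bot: The new `distributedBuilds` block on `forgejo-runner-1` makes a CI runner both a fleet-trusted signer and an authorized build client, which is a wide trust grant for a host that presumably executes job code from repositories. Per the README in this same patch, `storeSigningPublicKey` is trusted by every machine after a rebuild and `clientPublicKey` is authorized on every builder, and the client key is generated with an empty passphrase; a job that reaches root or the Nix daemon on the runner would inherit both. Consider leaving out `isBuilder` and `storeSigningPublicKey` until another machine actually needs to substitute from the runner, or record the decision next to the entry, e.g. `# CI runner: signing key trusted fleet-wide, client key authorized on all builders; keep untrusted jobs off this host`. The module that consumes `distributedBuilds` and the enclosing device set are outside this hunk, so the exact reach of these options should be confirmed there.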