vinzenz/nixos-configuration
0
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ditributed builds: add forgejo-runner-1

Browse source 
it may be a bad idea to have it act as a client, but only one way to find out
This commit is contained in:
müde 2026-05-02 11:37:32 +02:00
parent 736557bb8a
commit cf98cb7880
2 changed files with 20 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

18
README.md
View file

@ -9,28 +9,38 @@ Machines are configured to act as build servers / binary caches for each other i
### Onboarding a device as a build client ### Onboarding a device as a build client
1. Generate a key pair on the device: 1. Generate a key pair on the device:
```sh
sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds" && sudo cat /etc/nix/distributed-build-key.pub
``` ```
sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds"
```
2. Add the public key to the device entry in `devices.nix`: 2. Add the public key to the device entry in `devices.nix`:
```nix ```nix
distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds"; distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
``` ```
3. Rebuild all build machines so they pick up the new authorized key. 3. Rebuild all build machines so they pick up the new authorized key.
### Adding a build server ### Adding a build server
1. Add to its entry in `devices.nix`: 1. Add to its entry in `devices.nix`:
```nix ```nix
distributedBuilds.isBuilder = true; distributedBuilds.isBuilder = true;
distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 <hostname> distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 "$(hostname)"
``` ```
2. Generate a store signing key on the builder: 2. Generate a store signing key on the builder:
```
```sh
sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public
``` ```
3. Add the printed public key to `devices.nix`: 3. Add the printed public key to `devices.nix`:
```nix ```nix
distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>"; distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";
``` ```
4. Rebuild all machines so they trust the new signing key. 4. Rebuild all machines so they trust the new signing key.

6
devices.nix
View file

@ -26,6 +26,12 @@ in
}; };
forgejo-runner-1 = { forgejo-runner-1 = {
system = "aarch64-linux"; system = "aarch64-linux";
distributedBuilds = {
isBuilder = true;
clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0NLgg0sFobBWz/bjYs9WkrMvlcvJC5F6+3jQ/b+AnD forgejo-runner-1-nix-builds";
hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANGC89GiT5xCsFICwrharrbV3q7acWHqk6ZwOUXbtGT";
storeSigningPublicKey = "forgejo-runner-1:ln1FVLL8G5+IveQuBi/Kn3SaqFZ1gaiQrE3yPlMhCMA=";
};
}; };
hetzner-vpn2 = { hetzner-vpn2 = {
system = "aarch64-linux"; system = "aarch64-linux";