vinzenz/nixos-configuration
0
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: vinzenz:396e8121d03be47a940c0456ac36bbb55412cd62
Branches Tags
vinzenz:main
vinzenz:qs
vinzenz:headscale
vinzenz:vpn1-wg
..
compare: vinzenz:c2aa932494fbab644471b96089b88bcc3113b5df
Branches Tags
vinzenz:main
vinzenz:qs
vinzenz:headscale
vinzenz:vpn1-wg

No commits in common. "396e8121d03be47a940c0456ac36bbb55412cd62" and "c2aa932494fbab644471b96089b88bcc3113b5df" have entirely different histories.
396e8121d0 ... c2aa932494

4 changed files with 18 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

36
README.md
View file

@ -1,36 +0,0 @@
# nixos-configuration
Personal NixOS configuration for all machines. Devices are declared in `devices.nix`, per-device configs live in `nixosConfigurations/<name>/`, and shared modules in `nixosModules/`.
## Distributed builds
Machines are configured to act as build servers / binary caches for each other in devices.nix.
### Onboarding a device as a build client
1. Generate a key pair on the device:
```
sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds"
```
2. Add the public key to the device entry in `devices.nix`:
```nix
distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
```
3. Rebuild all build machines so they pick up the new authorized key.
### Adding a build server
1. Add to its entry in `devices.nix`:
```nix
distributedBuilds.isBuilder = true;
distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 <hostname>
```
2. Generate a store signing key on the builder:
```
sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public
```
3. Add the printed public key to `devices.nix`:
```nix
distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";
```
4. Rebuild all machines so they trust the new signing key.

2
devices.nix
View file

@ -39,7 +39,6 @@ in
isBuilder = true; isBuilder = true;
hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGKoZ68wwyVRmPB0SkvpJUyUMDWeFbC5Je9zukyEOh7"; hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGKoZ68wwyVRmPB0SkvpJUyUMDWeFbC5Je9zukyEOh7";
clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAbojdhb3PfazSRmudvo381Y+zUFVLMa7AbWbfK/Zp2 muede-lpt2-nix-builds"; clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAbojdhb3PfazSRmudvo381Y+zUFVLMa7AbWbfK/Zp2 muede-lpt2-nix-builds";
storeSigningPublicKey = "muede-lpt2:3csut7FW6oZK/ztRLBRC80LSBfFE3qzl+aIYgOixB6U=";
}; };
}; };
muede-pc2 = { muede-pc2 = {
@ -52,7 +51,6 @@ in
speedFactor = 2; speedFactor = 2;
hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEQQS5XNoj62Oj85xQfIuLORwoBRwfqjvfBHHsiI+RH"; hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEQQS5XNoj62Oj85xQfIuLORwoBRwfqjvfBHHsiI+RH";
clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmnyhP6L+kGHV15cb/d31AQr50wSEaQhkUBwy2+OEKk muede-pc2-nix-builds"; clientPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmnyhP6L+kGHV15cb/d31AQr50wSEaQhkUBwy2+OEKk muede-pc2-nix-builds";
storeSigningPublicKey = "muede-pc2:fqQO0E0y65MjUWlQnrgWt5ZsmQKlKCv4jls3CmUXDEQ=";
}; };
}; };
ronja-pc = { ronja-pc = {

1
nixosConfigurations/muede-pc2/default.nix
View file

@ -15,7 +15,6 @@
my.amdGraphics.enable = true; my.amdGraphics.enable = true;
my.secureBoot.enable = true; my.secureBoot.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nix.settings.extra-platforms = [ nix.settings.extra-platforms = [
"aarch64-linux" "aarch64-linux"
"i686-linux" "i686-linux"

34
nixosModules/distributed-builds.nix
View file

@ -14,6 +14,24 @@ let
(lib.mapAttrsToList (_: v: v.distributedBuilds.clientPublicKey)) (lib.mapAttrsToList (_: v: v.distributedBuilds.clientPublicKey))
]; ];
# === Onboarding a device as a build client ===
#
# 1. Generate a key pair on the device:
# sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds"
# (owned by root, mode 0600)
#
# 2. Add the public key to the device entry in flake.nix:
# distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
#
# 3. Rebuild all machines so they pick up the new authorized key.
#
# === Marking a device as a build server ===
#
# Add to its entry in flake.nix:
# distributedBuilds.isBuilder = true;
# distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 <hostname>
# All machines automatically discover and use it after the next rebuild.
buildServerDevices = lib.filterAttrs ( buildServerDevices = lib.filterAttrs (
_: v: (v.distributedBuilds or { }).isBuilder or false _: v: (v.distributedBuilds or { }).isBuilder or false
) devices; ) devices;
@ -74,22 +92,6 @@ in
settings = { settings = {
trusted-users = [ buildUser ]; trusted-users = [ buildUser ];
builders-use-substitutes = true; builders-use-substitutes = true;
# Use build machines as binary caches so already-built paths are downloaded
# rather than rebuilt. Only machines with a storeSigningPublicKey are used.
substituters = lib.pipe buildServerDevices [
(lib.filterAttrs (_: v: v.distributedBuilds ? storeSigningPublicKey))
(lib.mapAttrsToList (hostName: _: "ssh-ng://${buildUser}@${hostName}"))
(lib.filter (s: s != "ssh-ng://${buildUser}@${config.networking.hostName}"))
];
trusted-public-keys = lib.pipe buildServerDevices [
(lib.mapAttrsToList (_: v: v.distributedBuilds.storeSigningPublicKey or null))
(builtins.filter (k: k != null))
];
secret-key-files =
let
thisDevice = devices.${config.networking.hostName} or { };
in
lib.optional (thisDevice.distributedBuilds.isBuilder or false) "/etc/nix/signing-key.sec";
max-jobs = (devices.${config.networking.hostName}.distributedBuilds or { }).maxJobs or "auto"; max-jobs = (devices.${config.networking.hostName}.distributedBuilds or { }).maxJobs or "auto";
cores = 0; cores = 0;
min-free = 10 * 1024 * 1024; min-free = 10 * 1024 * 1024;