My personal NixOS configurations
nixos-configuration
Personal NixOS configuration for all machines. Devices are declared in devices.nix, per-device configs live in nixosConfigurations/<name>/, and shared modules in nixosModules/.
Distributed builds
Machines are configured to act as build servers / binary caches for each other in devices.nix.
Onboarding a device as a build client
- Generate a key pair on the device:
    sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds"
- Add the public key to the device entry in devices.nix:
    distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
- Rebuild all build machines so they pick up the new authorized key.
Adding a build server
- Add to its entry in devices.nix:
    distributedBuilds.isBuilder = true;
    distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 <hostname>
- Generate a store signing key on the builder:
    sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public
- Add the printed public key to devices.nix:
    distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";
- Rebuild all machines so they trust the new signing key.
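
Checks worth running after either procedure above, as an added example that is not part of this repository: the private key files are not readable by group or other, and the value being pasted into devices.nix is a public key in the expected format. The function names are hypothetical; the file paths are the ones used in the steps above.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, paths are the README's.

# A private key file must exist and grant nothing to group or other.
# `ssh-keygen` writes 0600 itself; a file created through `tee` gets
# whatever the current umask allows, so check it explicitly.
key_mode_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# clientPublicKey / hostPublicKey: an ed25519 public key blob is 51 bytes,
# so its base64 is always 68 characters with this fixed 25-character prefix.
valid_ssh_ed25519_pubkey() {
  printf '%s\n' "$1" | grep -Eq \
    '^ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI[A-Za-z0-9+/]{43}( .+)?$'
}

# storeSigningPublicKey: "<name>:<base64 of 32 bytes>", i.e. 43 characters
# plus one "=". The secret in signing-key.sec is 64 bytes (88 characters),
# so this also rejects a secret pasted into devices.nix by mistake.
valid_store_pubkey() {
  printf '%s\n' "$1" | grep -Eq '^[^:[:space:]]+:[A-Za-z0-9+/]{43}=$'
}

# Usage: script <private-key-file> <public key string destined for devices.nix>
if [ "$#" -eq 2 ]; then
  key_mode_ok "$1" || echo "FAIL: $1 is missing or readable by group/other"
  valid_ssh_ed25519_pubkey "$2" || valid_store_pubkey "$2" ||
    echo "FAIL: value is neither an ed25519 nor a Nix store public key"
fi
```

If key_mode_ok fails for /etc/nix/signing-key.sec, `sudo chmod 600 /etc/nix/signing-key.sec` restricts it to root.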