My personal NixOS configurations
nixos-configuration
Personal NixOS configuration for all machines. Devices are declared in devices.nix, per-device configs live in nixosConfigurations/<name>/, and shared modules in nixosModules/.
Distributed builds
Machines are configured to act as build servers / binary caches for each other in devices.nix.
Onboarding a device as a build client
- Generate a key pair on the device:

  ```sh
  sudo ssh-keygen -t ed25519 -f /etc/nix/distributed-build-key -N "" -C "$(hostname)-nix-builds" && sudo cat /etc/nix/distributed-build-key.pub
  ```

- Add the public key to the device entry in devices.nix:

  ```nix
  distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... <hostname>-nix-builds";
  ```

- Rebuild all build machines so they pick up the new authorized key.
Adding a build server
- Add to its entry in devices.nix:

  ```nix
  distributedBuilds.isBuilder = true;
  distributedBuilds.hostPublicKey = "ssh-ed25519 AAAA..."; # from: ssh-keyscan -t ed25519 "$(hostname)"
  ```

- Generate a store signing key on the builder:

  ```sh
  sudo nix key generate-secret --key-name "$(hostname)" | sudo tee /etc/nix/signing-key.sec | sudo nix key convert-secret-to-public
  ```

- Add the printed public key to devices.nix:

  ```nix
  distributedBuilds.storeSigningPublicKey = "<hostname>:<base64...>";
  ```

- Rebuild all machines so they trust the new signing key.
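
How the three keys from the two procedures above can map onto standard NixOS options, as an added illustration that is not this repository's own module. The shape of the `devices` attribute set, the `nix-builder` account name, the `x86_64-linux` system and the assumption that device names resolve as host names are all hypothetical; only the `distributedBuilds.*` field names and the two file paths come from this README.

```nix
# Added illustration; hypothetical module, not this repository's code.
{ config, lib, ... }:
let
  # Constructed sample data: field names follow the README, values are placeholders.
  devices = {
    laptop.distributedBuilds.clientPublicKey = "ssh-ed25519 AAAA... laptop-nix-builds";
    tower.distributedBuilds = {
      isBuilder = true;
      hostPublicKey = "ssh-ed25519 AAAA...";
      storeSigningPublicKey = "tower:<base64...>";
    };
  };
  self = config.networking.hostName;
  db = d: d.distributedBuilds or { };
  others = lib.filterAttrs (name: _: name != self) devices;
  builders = lib.filterAttrs (_: d: (db d).isBuilder or false) others;
  clients = lib.filterAttrs (_: d: (db d) ? clientPublicKey) others;
  amBuilder = (db (devices.${self} or { })).isBuilder or false;
  buildUser = "nix-builder"; # hypothetical account name
in
{
  # Client side: offload builds over SSH using the key from the onboarding step.
  nix.distributedBuilds = builders != { };
  nix.buildMachines = lib.mapAttrsToList (name: _: {
    hostName = name; # assumes the device name resolves on the network
    sshUser = buildUser;
    sshKey = "/etc/nix/distributed-build-key";
    protocol = "ssh-ng";
    system = "x86_64-linux"; # assumption
  }) builders;

  # hostPublicKey pins each builder's SSH host key, so there is no trust-on-first-use prompt.
  programs.ssh.knownHosts = lib.mapAttrs (_: d: { publicKey = (db d).hostPublicKey; }) builders;

  # storeSigningPublicKey decides whose store paths this machine accepts.
  nix.settings.trusted-public-keys =
    lib.mapAttrsToList (_: d: (db d).storeSigningPublicKey) builders;

  # Builder side: only onboarded clients may log in, and local builds get signed.
  users.groups.${buildUser} = lib.mkIf amBuilder { };
  users.users.${buildUser} = lib.mkIf amBuilder {
    isSystemUser = true;
    group = buildUser;
    useDefaultShell = true;
    openssh.authorizedKeys.keys = lib.mapAttrsToList (_: d: (db d).clientPublicKey) clients;
  };
  nix.settings.secret-key-files = lib.mkIf amBuilder [ "/etc/nix/signing-key.sec" ];
}
```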