no1: add remote nix builders

zimbatm · Jul 29, 2023 · 425dcd0 · 425dcd0
1 parent 859c162
commit 425dcd0
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 6 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -3,9 +3,11 @@
 creation_rules:
   - key_groups:
       - age:
-          # ztm.io
-          - age1ym929q4ksluqsjquzpq9573mvalplaf55a5wnpm4z8zjqahnfc9sj7j7t7
-
-          # zimbatm
-          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          - age18rs3vr8rp5dtyxpc0t6fz3m7suyjpve0whs0qpajhxdg0aq7u32qd2wvce # no1.zt
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h # zimbatm
+    path_regex: ^nixosConfigurations/no1/secrets.yaml$
+  - key_groups:
+      - age:
+          - age1ym929q4ksluqsjquzpq9573mvalplaf55a5wnpm4z8zjqahnfc9sj7j7t7 # ztm.io
+          - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h # zimbatm
     path_regex: ^nixosConfigurations/web1/secrets.yaml$
diff --git a/nixosConfigurations/no1/default.nix b/nixosConfigurations/no1/default.nix
@@ -8,11 +8,15 @@
   imports = [
     ./hardware-configuration-extra.nix
     ./hardware-configuration.nix
-    inputs.srvos.nixosModules.mixins-systemd-boot
     inputs.self.nixosModules.desktop
     inputs.self.nixosModules.gnome
+    inputs.self.nixosModules.nix-remote-builders
+    inputs.sops-nix.nixosModules.default
+    inputs.srvos.nixosModules.mixins-systemd-boot
   ];
 
+  sops.defaultSopsFile = ./secrets.yaml;
+
   boot.extraModprobeConfig = ''
     options kvm_intel nested=1
     options kvm_intel emulate_invalid_guest_state=0

diff --git a/nixosConfigurations/no1/secrets.yaml b/nixosConfigurations/no1/secrets.yaml
@@ -0,0 +1,30 @@
+nix-remote-builder-key: ENC[AES256_GCM,data:5rkYPyN9yo/Bmg96yjXrthaNvkM/bhmjGI8a0+QPk5GLMK5trOl1sFZObNAEFr9Qkhg9rR+khAe9tzXSXOHVrjFWUgs4fxPPcyyaxrMz+62iPYK/5vkvPMSHWs8ioS/t0rrs9loNvrA6YHq77JVxjMHa4h0HyyidGSkr+xwm1dwuVptowlzQHA9MbXbK8Y3mtiyKvBFhV7cUvSFVI/g1lbctcGDmQanHps02qH/bA0CV/a7zGD1bHwDf30UaVRKy4++/M2rowDu7BNNJ/LLmhO+AUAz05FVNgaKUY8woQacGexsZxDYBQ2/qrsu4KTb+0Ey70lX6GEIFBhFGcUMj3wErH2WgFakFc4YFxUR6cpPA5jseJtrZtOIY+OkddPCzpEz4oBbaHOM8VdWk1d+28p4szVeetpfmNebr2kdtBe5l6qkzkYVp4Ax9bZr6eziI0j1HpbqvrtNlKru+jBlul7o6Kq4Lf69KCRDFZL7IVPJgtWixAa7b2dJbXoj6r9X2eIJuczqWEovDASRtlt0RYsdp8YmGSlY+Esve,iv:3nPFoO+hBPpNQt4i7E0+fTuG9/Mhls97n28qVGM2T34=,tag:yyh6GlKHvM4UZaOuKaymcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18rs3vr8rp5dtyxpc0t6fz3m7suyjpve0whs0qpajhxdg0aq7u32qd2wvce
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJREdGYU9JUi9MRnF4dzJP
+            dC9yZ3VVR1pHMXpsalFuQ202Z0VyeXFOZVYwCkg3S2UvKzF2RUxpVVJ6ckgyQ1hY
+            Qy9FZnhrcEJJYkR6NndDU1lIclpvR0UKLS0tIHppVFBtVTlFSkhJWC9OK1BkcVRG
+            VWtSMk4zR21PeXlIQ3pMRHp4YlM2YkEKJwsFc+gJK1yacN7CiF8scNFtXSDVfpOa
+            tZMsJ5MP7IY9TwiIMg8DYEDdoqWY0POSiI50qccxY/ftD6UQvnVDzA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K0ZGOUs2eUUzNFV0TG9r
+            WkRkUVg4eGlmZGh6TVpxeHBJMDN1R0ExQmxzCk40dndmaVR6Uld1cCt0YkZUbTdR
+            bXBWclJyMmlHaDBKTFpvY3pOMGUva2MKLS0tIGJFU1VjcWtOY09oeGtlaFk2NXAx
+            Q2Z6NDZlSGFpV2NyV2N1RllsRVJFYmcK4EchqHHogWwnFjuXWqR3yeYuDFIBRPcW
+            mVg7ysAIEVpDCsmmK1wANXMOore6qXVV7coDHfWq7WnK2Ol1+nHjGA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-29T16:42:28Z"
+    mac: ENC[AES256_GCM,data:KpyqErK80u4r6DA2I9owS76Higd60K9+xSj2jK+C7kHpNjIKk3udOrDheh81tB9QQEvvP/xrVmcX8sMNIhuns1UUVk0X1+u9gmCgk+SQkdgVv200Cj9caqhiyDdzmrCOECEPd3hMzyUV1AvYo58JsswRsAzW4QyRY4y4X0aK2N0=,iv:j0R5y0ZrubsRY63MKKTywlkD+gIx29jfWT5fv6WzvKc=,tag:by6uO6QmkaIpK3Ec4gXT2g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
@@ -5,6 +5,7 @@
     desktop = ./desktop.nix;
     gnome = ./gnome.nix;
     gotosocial = ./gotosocial.nix;
+    nix-remote-builders = ./nix-remote-builders.nix;
     server = ./server.nix;
   };
 }
diff --git a/nixosModules/nix-remote-builders.nix b/nixosModules/nix-remote-builders.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+  nix.distributedBuilds = true;
+  nix.buildMachines = [
+    {
+      hostName = "mac01.numtide.com";
+      sshUser = "hetzner";
+      protocol = "ssh-ng";
+      sshKey = config.sops.secrets.nix-remote-builder-key.path;
+      system = "aarch64-darwin";
+      maxJobs = 8;
+    }
+    {
+      hostName = "mac01.numtide.com";
+      sshUser = "hetzner";
+      protocol = "ssh-ng";
+      sshKey = config.sops.secrets.nix-remote-builder-key.path;
+      system = "x86_64-darwin";
+      maxJobs = 8;
+    }
+    {
+      hostName = "bld3.numtide.com";
+      sshUser = "nix-remote-builder";
+      protocol = "ssh-ng";
+      sshKey = config.sops.secrets.nix-remote-builder-key.path;
+      system = "aarch64-linux";
+      maxJobs = 8;
+    }
+  ];
+  sops.secrets.nix-remote-builder-key = { };
+}