From 425dcd0bed68c2d24e07dc046d5a8f74bcb329bb Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Sat, 29 Jul 2023 18:46:27 +0200
Subject: [PATCH] no1: add remote nix builders
---
 .sops.yaml | 12 ++++++-----
 nixosConfigurations/no1/default.nix | 6 +++++-
 nixosConfigurations/no1/secrets.yaml | 30 +++++++++++++++++++++++++++
 nixosModules/default.nix | 1 +
 nixosModules/nix-remote-builders.nix | 31 ++++++++++++++++++++++++++++
 5 files changed, 74 insertions(+), 6 deletions(-)
 create mode 100644 nixosConfigurations/no1/secrets.yaml
 create mode 100644 nixosModules/nix-remote-builders.nix
diff --git a/.sops.yaml b/.sops.yaml
index 1b490e5..ce76afc 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,9 +3,11 @@ creation_rules:
 - key_groups:
 - age:
- # ztm.io
- - age1ym929q4ksluqsjquzpq9573mvalplaf55a5wnpm4z8zjqahnfc9sj7j7t7
-
- # zimbatm
- - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+ - age18rs3vr8rp5dtyxpc0t6fz3m7suyjpve0whs0qpajhxdg0aq7u32qd2wvce # no1.zt
+ - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h # zimbatm
+ path_regex: ^nixosConfigurations/no1/secrets.yaml$
+ - key_groups:
+ - age:
+ - age1ym929q4ksluqsjquzpq9573mvalplaf55a5wnpm4z8zjqahnfc9sj7j7t7 # ztm.io
+ - age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h # zimbatm
 path_regex: ^nixosConfigurations/web1/secrets.yaml$
diff --git a/nixosConfigurations/no1/default.nix b/nixosConfigurations/no1/default.nix
index 5a6462c..60add0c 100644
--- a/nixosConfigurations/no1/default.nix
+++ b/nixosConfigurations/no1/default.nix
@@ -8,11 +8,15 @@
 imports = [
 ./hardware-configuration-extra.nix
 ./hardware-configuration.nix
- inputs.srvos.nixosModules.mixins-systemd-boot
 inputs.self.nixosModules.desktop
 inputs.self.nixosModules.gnome
+ inputs.self.nixosModules.nix-remote-builders
+ inputs.sops-nix.nixosModules.default
+ inputs.srvos.nixosModules.mixins-systemd-boot
 ];
+ sops.defaultSopsFile = ./secrets.yaml;
+
 boot.extraModprobeConfig = ''
 options kvm_intel nested=1
 options kvm_intel emulate_invalid_guest_state=0
diff --git a/nixosConfigurations/no1/secrets.yaml b/nixosConfigurations/no1/secrets.yaml
new file mode 100644
index 0000000..3714018
--- /dev/null
+++ b/nixosConfigurations/no1/secrets.yaml
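Review bot: `sops.defaultSopsFile = ./secrets.yaml;` makes no1's activation depend on a decryption identity that this hunk does not name: sops-nix by default derives its age key from the host's ed25519 SSH host key, so this only works if the `age18rs3…` recipient added to `.sops.yaml` in this same commit is that converted host key (its `# no1.zt` label suggests so, but nothing here confirms it). A one-line comment above the setting, `# decrypted at activation with the age identity sops-nix derives from no1's SSH host key (sops.age.sshKeyPaths default)`, or an explicit `sops.age.sshKeyPaths`/`sops.age.keyFile` setting, would make that dependency visible to whoever later rotates the host key or reinstalls the machine. The enclosing attribute set starts before and ends after this hunk.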
@@ -0,0 +1,30 @@
+nix-remote-builder-key: ENC[AES256_GCM,data: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,iv:3nPFoO+hBPpNQt4i7E0+fTuG9/Mhls97n28qVGM2T34=,tag:yyh6GlKHvM4UZaOuKaymcA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18rs3vr8rp5dtyxpc0t6fz3m7suyjpve0whs0qpajhxdg0aq7u32qd2wvce
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJREdGYU9JUi9MRnF4dzJP
+ dC9yZ3VVR1pHMXpsalFuQ202Z0VyeXFOZVYwCkg3S2UvKzF2RUxpVVJ6ckgyQ1hY
+ Qy9FZnhrcEJJYkR6NndDU1lIclpvR0UKLS0tIHppVFBtVTlFSkhJWC9OK1BkcVRG
+ VWtSMk4zR21PeXlIQ3pMRHp4YlM2YkEKJwsFc+gJK1yacN7CiF8scNFtXSDVfpOa
+ tZMsJ5MP7IY9TwiIMg8DYEDdoqWY0POSiI50qccxY/ftD6UQvnVDzA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1K0ZGOUs2eUUzNFV0TG9r
+ WkRkUVg4eGlmZGh6TVpxeHBJMDN1R0ExQmxzCk40dndmaVR6Uld1cCt0YkZUbTdR
+ bXBWclJyMmlHaDBKTFpvY3pOMGUva2MKLS0tIGJFU1VjcWtOY09oeGtlaFk2NXAx
+ Q2Z6NDZlSGFpV2NyV2N1RllsRVJFYmcK4EchqHHogWwnFjuXWqR3yeYuDFIBRPcW
+ mVg7ysAIEVpDCsmmK1wANXMOore6qXVV7coDHfWq7WnK2Ol1+nHjGA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-29T16:42:28Z"
+ mac: ENC[AES256_GCM,data:KpyqErK80u4r6DA2I9owS76Higd60K9+xSj2jK+C7kHpNjIKk3udOrDheh81tB9QQEvvP/xrVmcX8sMNIhuns1UUVk0X1+u9gmCgk+SQkdgVv200Cj9caqhiyDdzmrCOECEPd3hMzyUV1AvYo58JsswRsAzW4QyRY4y4X0aK2N0=,iv:j0R5y0ZrubsRY63MKKTywlkD+gIx29jfWT5fv6WzvKc=,tag:by6uO6QmkaIpK3Ec4gXT2g==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
index a80222a..f31fb69 100644
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -5,6 +5,7 @@
 desktop = ./desktop.nix;
 gnome = ./gnome.nix;
 gotosocial = ./gotosocial.nix;
+ nix-remote-builders = ./nix-remote-builders.nix;
 server = ./server.nix;
 };
 }
diff --git a/nixosModules/nix-remote-builders.nix b/nixosModules/nix-remote-builders.nix
new file mode 100644
index 0000000..8bed3f2
--- /dev/null
+++ b/nixosModules/nix-remote-builders.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+ nix.distributedBuilds = true;
+ nix.buildMachines = [
+ {
+ hostName = "mac01.numtide.com";
+ sshUser = "hetzner";
+ protocol = "ssh-ng";
+ sshKey = config.sops.secrets.nix-remote-builder-key.path;
+ system = "aarch64-darwin";
+ maxJobs = 8;
+ }
+ {
+ hostName = "mac01.numtide.com";
+ sshUser = "hetzner";
+ protocol = "ssh-ng";
+ sshKey = config.sops.secrets.nix-remote-builder-key.path;
+ system = "x86_64-darwin";
+ maxJobs = 8;
+ }
+ {
+ hostName = "bld3.numtide.com";
+ sshUser = "nix-remote-builder";
+ protocol = "ssh-ng";
+ sshKey = config.sops.secrets.nix-remote-builder-key.path;
+ system = "aarch64-linux";
+ maxJobs = 8;
+ }
+ ];
+ sops.secrets.nix-remote-builder-key = { };
+}
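Review bot: None of the three `nix.buildMachines` entries sets `publicHostKey`, so the nix-daemon, which opens these SSH connections as root, depends on root's known_hosts already holding the host keys of mac01.numtide.com and bld3.numtide.com; if it does not, the first distributed build either fails or, where host-key checking has been relaxed on the machine, accepts whatever key the far end presents, which is exactly the wrong place to be lenient when a private key from sops is being used. Pinning the key in the module, `publicHostKey = "<base64 host key placeholder>";` per entry (or the equivalent `programs.ssh.knownHosts` entries), keeps that trust decision in the repository next to the builder definition. Separately, `protocol`, `sshKey` and `maxJobs` are repeated verbatim three times and the two mac01 entries differ only in `system`; a small `mkBuilder` helper with `systems = [ ... ]` states the configuration once, noting that merging the mac01 entries makes `maxJobs = 8` a per-host rather than per-system limit, so adjust it if 16 concurrent jobs on mac01 was intended. The file is complete within this hunk.

```nix
{ config, ... }:
let
  # One builder entry; the key material and protocol are identical for every host,
  # the host key is pinned per host so the daemon never trusts an unverified peer.
  mkBuilder = { hostName, sshUser, systems, publicHostKey }: {
    inherit hostName sshUser systems publicHostKey;
    protocol = "ssh-ng";
    sshKey = config.sops.secrets.nix-remote-builder-key.path;
    maxJobs = 8;
  };
in
{
  nix.distributedBuilds = true;
  nix.buildMachines = [
    (mkBuilder {
      hostName = "mac01.numtide.com";
      sshUser = "hetzner";
      systems = [ "aarch64-darwin" "x86_64-darwin" ];
      publicHostKey = "<BASE64_HOST_KEY_mac01_PLACEHOLDER>";
    })
    (mkBuilder {
      hostName = "bld3.numtide.com";
      sshUser = "nix-remote-builder";
      systems = [ "aarch64-linux" ];
      publicHostKey = "<BASE64_HOST_KEY_bld3_PLACEHOLDER>";
    })
  ];
  # … unchanged: sops.secrets.nix-remote-builder-key = { }; …
}
```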