From 4b81028cde8bd696bc0e08ce048c45055db7f577 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Sat, 27 Sep 2025 16:31:05 -0600
Subject: [PATCH] made a build and nixremote modules.
---
 config/base.nix | 81 ++++++++++++-----------------
 hosts/miniserver/configuration.nix | 65 ++++++++--------------
 hosts/server/configuration.nix | 63 +++++++--------------
 hosts/workstation/configuration.nix | 55 ++++++++------------
 modules/modules.nix | 6 ++-
 modules/nix/build.nix | 53 +++++++++++++++++++
 modules/users/nixremote.nix | 41 +++++++++++++++
 7 files changed, 198 insertions(+), 166 deletions(-)
 create mode 100644 modules/nix/build.nix
 create mode 100644 modules/users/nixremote.nix
diff --git a/config/base.nix b/config/base.nix
index c76317d..f45343b 100644
--- a/config/base.nix
+++ b/config/base.nix
@@ -78,55 +78,42 @@ "dotnet-sdk-6.0.428" ]; }; - nix = - let - featuresList = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - "gccarch-znver3" - "gccarch-skylake" - "gccarch-alderlake" + nix = { + distributedBuilds = true; + optimise.automatic = true; + settings = { + use-xdg-base-directories = true; + auto-optimise-store = true; + trusted-users = [ + "jawz" + "root" + "nixremote" + ]; + experimental-features = [ + "nix-command" + "flakes" + "pipe-operators" + ]; + substituters = [ + "https://nix-gaming.cachix.org" + "https://nixpkgs-python.cachix.org" + "https://devenv.cachix.org" + "https://cuda-maintainers.cachix.org" + "https://ai.cachix.org" + "https://cache.lix.systems" + "https://cosmic.cachix.org" + ]; + trusted-public-keys = [ + "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4=" + "nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU=" + "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" + "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E=" + "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc=" + "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" + "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ]; - in - { - distributedBuilds = true; - optimise.automatic = true; - settings = { - use-xdg-base-directories = true; - auto-optimise-store = true; - trusted-users = [ - "jawz" - "root" - "nixremote" - ]; - system-features = featuresList; - experimental-features = [ - "nix-command" - "flakes" - "pipe-operators" - ]; - substituters = [ - "https://nix-gaming.cachix.org" - "https://nixpkgs-python.cachix.org" - "https://devenv.cachix.org" - "https://cuda-maintainers.cachix.org" - "https://ai.cachix.org" - "https://cache.lix.systems" - "https://cosmic.cachix.org" - ]; - trusted-public-keys = [ - "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4=" - 
"nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU=" - "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" - "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E=" - "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc=" - "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" - "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" - ]; - }; }; + }; documentation.enable = false; environment = { systemPackages = builtins.attrValues { diff --git a/hosts/miniserver/configuration.nix b/hosts/miniserver/configuration.nix index 47ec3ca..0b58cbe 100644 --- a/hosts/miniserver/configuration.nix +++ b/hosts/miniserver/configuration.nix @@ -1,11 +1,32 @@ -{ ... }: +{ config, ... }: { imports = [ ./hardware-configuration.nix ../../config/base.nix ../../config/stylix.nix ]; - my = import ./toggles.nix; + my = import ./toggles.nix // { + nix.cores = 3; + nix.maxJobs = 8; + users.nixremote.enable = true; + users.nixremote.authorizedKeys = [ + ../../secrets/ssh/ed25519_nixworkstation.pub + ../../secrets/ssh/ed25519_nixserver.pub + ]; + }; + nix.buildMachines = + let + buildMachine = hostName: maxJobs: speedFactor: { + inherit hostName maxJobs speedFactor; + system = "x86_64-linux"; + sshUser = "nixremote"; + supportedFeatures = config.my.nix.features; + }; + in + [ + (buildMachine "workstation" 16 40) + (buildMachine "server" 16 17) + ]; networking = { hostName = "miniserver"; firewall = { 
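Review bot: `trusted-users` still lists `nixremote` and nothing in base.nix records why, which invites a later cleanup that breaks remote building. Trust is presumably what lets the peer hosts push their build inputs to this daemon, but it also means the daemon accepts unsigned store paths and per-request setting overrides from anyone who can log in as nixremote, so a comment such as `# nixremote is trusted so peer hosts can push build inputs; any holder of its key is fully trusted by this daemon` above `trusted-users` would make the trade-off explicit. `system-features` has moved out of this file; a pointer like `# system-features is set from my.nix.features in modules/nix/build.nix` beside `settings` would keep the mapping discoverable.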
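Review bot: `my = import ./toggles.nix // { ... }` is a shallow merge, so if toggles.nix ever sets any `nix.*` or `users.*` attribute of its own, that whole attribute is silently replaced by the override instead of being merged; the same pattern appears in the server hunk (`import ./toggles.nix { inherit config; } // { ... }`) and the workstation hunk. `my = lib.recursiveUpdate (import ./toggles.nix) { ... }` with `lib` added to the module arguments, `{ config, lib, ... }:`, merges attribute by attribute. Separately, `supportedFeatures = config.my.nix.features` describes the remote builders using this host's own feature list, which is only correct while every host keeps the shared default; a short comment saying so would prevent surprises when one host's list diverges.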
@@ -13,47 +34,7 @@ allowedUDPPorts = [ 2049 ]; }; }; - nix = { - settings = { - cores = 3; - max-jobs = 8; - }; - buildMachines = - let - buildMachine = hostName: maxJobs: speedFactor: { - inherit hostName maxJobs speedFactor; - system = "x86_64-linux"; - sshUser = "nixremote"; - supportedFeatures = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - "gccarch-znver3" - "gccarch-skylake" - "gccarch-alderlake" - ]; - }; - in - [ - (buildMachine "workstation" 16 40) - (buildMachine "server" 16 17) - ]; - }; nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; - users = { - groups.nixremote.gid = 555; - users.nixremote = { - isNormalUser = true; - createHome = true; - group = "nixremote"; - home = "/var/nixremote/"; - openssh.authorizedKeys.keyFiles = [ - ../../secrets/ssh/ed25519_nixworkstation.pub - ../../secrets/ssh/ed25519_nixserver.pub - ]; - }; - }; services = { btrfs.autoScrub = { enable = true; diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 95281fd..e3cdd1b 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -10,7 +10,24 @@ ../../config/base.nix ../../config/stylix.nix ]; - my = import ./toggles.nix { inherit config; }; + my = import ./toggles.nix { inherit config; } // { + nix.cores = 6; + users.nixremote.enable = true; + users.nixremote.authorizedKeys = [ + ../../secrets/ssh/ed25519_nixworkstation.pub + ../../secrets/ssh/ed25519_nixminiserver.pub + ]; + }; + nix.buildMachines = [ + { + hostName = "workstation"; + system = "x86_64-linux"; + sshUser = "nixremote"; + maxJobs = 12; + speedFactor = 1; + supportedFeatures = config.my.nix.features; + } + ]; sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml; networking = let 
@@ -51,48 +68,8 @@ ]; }; }; - nix = - let - featuresList = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - "gccarch-znver3" - "gccarch-skylake" - "gccarch-alderlake" - ]; - in - { - settings.cores = 6; - buildMachines = [ - { - hostName = "workstation"; - system = "x86_64-linux"; - sshUser = "nixremote"; - maxJobs = 12; - speedFactor = 1; - supportedFeatures = featuresList; - } - ]; - }; - users = { - groups.nixremote.gid = 555; - users = { - jawz.packages = builtins.attrValues { - inherit (pkgs) podman-compose; - }; - nixremote = { - isNormalUser = true; - createHome = true; - group = "nixremote"; - home = "/var/nixremote/"; - openssh.authorizedKeys.keyFiles = [ - ../../secrets/ssh/ed25519_nixworkstation.pub - ../../secrets/ssh/ed25519_nixminiserver.pub - ]; - }; - }; + users.users.jawz.packages = builtins.attrValues { + inherit (pkgs) podman-compose; }; services.btrfs.autoScrub = { enable = true; diff --git a/hosts/workstation/configuration.nix b/hosts/workstation/configuration.nix index edf4428..e157485 100644 --- a/hosts/workstation/configuration.nix +++ b/hosts/workstation/configuration.nix @@ -21,7 +21,15 @@ in ../../config/stylix.nix ../../environments/gnome.nix ]; - my = import ./toggles.nix; + my = import ./toggles.nix // { + nix.cores = 8; + nix.maxJobs = 8; + users.nixremote.enable = true; + users.nixremote.authorizedKeys = [ + ../../secrets/ssh/ed25519_nixserver.pub + ../../secrets/ssh/ed25519_nixminiserver.pub + ]; + }; home-manager.users.jawz = { programs = { vscode = { 
@@ -60,38 +68,19 @@ in allowedUDPPortRanges = openPortRanges; }; }; - nix.settings = { - cores = 8; - max-jobs = 8; - }; - users = { - groups.nixremote.gid = 555; - users = { - jawz.packages = [ - (pkgs.google-cloud-sdk.withExtraComponents [ - pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin - ]) - ] - ++ builtins.attrValues { - inherit (pkgs) - distrobox # install packages from other os - gocryptfs # encrypted filesystem! shhh!!! - vcsi # video thumbnails for torrents, can I replace it with ^? - keypunch # practice typing - google-cloud-sdk-gce - ; - }; - nixremote = { - isNormalUser = true; - createHome = true; - group = "nixremote"; - home = "/var/nixremote/"; - openssh.authorizedKeys.keyFiles = [ - ../../secrets/ssh/ed25519_nixserver.pub - ../../secrets/ssh/ed25519_nixminiserver.pub - ]; - }; - }; + users.users.jawz.packages = [ + (pkgs.google-cloud-sdk.withExtraComponents [ + pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin + ]) + ] + ++ builtins.attrValues { + inherit (pkgs) + distrobox # install packages from other os + gocryptfs # encrypted filesystem! shhh!!! + vcsi # video thumbnails for torrents, can I replace it with ^? + keypunch # practice typing + google-cloud-sdk-gce + ; }; environment = { pathsToLink = [ "share/thumbnailers" ]; diff --git a/modules/modules.nix b/modules/modules.nix index a0ba400..090bc01 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -30,7 +30,11 @@ in ++ autoImport "scripts" ++ autoImport "servers" ++ autoImport "services" - ++ autoImport "shell"; + ++ autoImport "shell" + ++ [ + ./nix/build.nix + ./users/nixremote.nix + ]; options.my = { localhost = lib.mkOption { type = lib.types.str; diff --git a/modules/nix/build.nix b/modules/nix/build.nix new file mode 100644 index 0000000..a3b94e0 --- /dev/null +++ b/modules/nix/build.nix 
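Review bot: The two new modules are appended by hand right after a chain of `autoImport` calls, making this the only entry in the list that does not follow the directory-scan pattern. If `autoImport` takes a directory name, as its other callers suggest, `++ autoImport "nix" ++ autoImport "users"` would keep the convention and pick up future files in those directories automatically; if those names already mean something else to `autoImport`, a one-line comment explaining why these two are explicit would do instead. `autoImport` itself is defined outside this hunk.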
@@ -0,0 +1,53 @@
+{ lib, config, ... }:
+{
+ options.my.nix = {
+ features = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ "gccarch-znver3"
+ "gccarch-skylake"
+ "gccarch-alderlake"
+ ];
+ description = "List of supported nix build features for this system";
+ };
+
+ buildMachines = lib.mkOption {
+ type = lib.types.listOf lib.types.attrs;
+ default = [];
+ description = "List of remote build machines configuration";
+ };
+
+ cores = lib.mkOption {
+ type = lib.types.nullOr lib.types.int;
+ default = null;
+ description = "Number of cores to use for builds (null = auto-detect)";
+ };
+
+ maxJobs = lib.mkOption {
+ type = lib.types.nullOr lib.types.int;
+ default = null;
+ description = "Maximum number of parallel jobs (null = auto-detect)";
+ };
+ };
+
+ config = {
+ nix.settings = lib.mkMerge [
+ {
+ system-features = config.my.nix.features;
+ }
+ (lib.mkIf (config.my.nix.cores != null) {
+ cores = config.my.nix.cores;
+ })
+ (lib.mkIf (config.my.nix.maxJobs != null) {
+ max-jobs = config.my.nix.maxJobs;
+ })
+ ];
+
+ nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != [])
+ config.my.nix.buildMachines;
+ };
+}
\ No newline at end of file
diff --git a/modules/users/nixremote.nix b/modules/users/nixremote.nix
new file mode 100644
index 0000000..3355e0d
--- /dev/null
+++ b/modules/users/nixremote.nix
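Review bot: `my.nix.buildMachines` is declared here but no host in this commit uses it — the miniserver and server hunks assign `nix.buildMachines` directly — so the option and its `lib.mkIf (config.my.nix.buildMachines != [])` guard are dead code in this tree. Either the hosts should set `my.nix.buildMachines` or the option should be dropped; if it is kept, the guard is unnecessary because an empty list merges to nothing, and `lib.types.listOf lib.types.attrs` discards the validation the upstream `nix.buildMachines` submodule type already performs. The file also ends without a trailing newline (`\ No newline at end of file`), as does modules/users/nixremote.nix.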
@@ -0,0 +1,41 @@
+{ lib, config, ... }:
+{
+ options.my.users.nixremote = {
+ enable = lib.mkEnableOption "nixremote user for distributed builds";
+
+ authorizedKeys = lib.mkOption {
+ type = lib.types.listOf lib.types.path;
+ default = [
+ ../../secrets/ssh/ed25519_nixworkstation.pub
+ ../../secrets/ssh/ed25519_nixserver.pub
+ ../../secrets/ssh/ed25519_nixminiserver.pub
+ ];
+ description = "List of SSH public key files to authorize for nixremote user";
+ };
+
+ gid = lib.mkOption {
+ type = lib.types.int;
+ default = 555;
+ description = "Group ID for the nixremote group";
+ };
+
+ home = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/nixremote/";
+ description = "Home directory for the nixremote user";
+ };
+ };
+
+ config = lib.mkIf config.my.users.nixremote.enable {
+ users = {
+ groups.nixremote.gid = config.my.users.nixremote.gid;
+ users.nixremote = {
+ isNormalUser = true;
+ createHome = true;
+ group = "nixremote";
+ home = config.my.users.nixremote.home;
+ openssh.authorizedKeys.keyFiles = config.my.users.nixremote.authorizedKeys;
+ };
+ };
+ };
+}
\ No newline at end of file
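Review bot: The `authorizedKeys` default authorizes all three hosts' keys, including the enabling host's own, so setting `my.users.nixremote.enable = true` without an explicit list grants every peer login to this account implicitly. Every host in this commit passes its own list anyway, so `default = [ ];` costs nothing and turns a forgotten override into an account nobody can reach rather than one every peer can; the description should then say the list is expected to be set per host. The group gets a fixed `gid = 555` but the user has no fixed `uid`, so the uid is allocated independently on each machine; a matching `uid` option next to `gid` would make the account reproducible across hosts.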