2024-04-16 06:10:04 +02:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
|
|
|
|
|
# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
|
|
|
|
|
# TODO: https://exozy.me/quickstart
|
|
|
|
|
# TODO: https://github.com/winterqt/darwin-build-box
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
inherit (builtins) map fromTOML readFile elem attrNames;
|
|
|
|
|
inherit (lib) mkIf;
|
|
|
|
|
|
2024-07-10 00:34:38 +02:00
|
|
|
hosts' = fromTOML (readFile ../hosts/known-hosts.toml); # TODO: eww
|
2024-04-16 06:10:04 +02:00
|
|
|
hosts = lib.pipe hosts' [
|
2024-07-10 00:34:38 +02:00
|
|
|
(lib.filterAttrs (name: host: name != "__default__"))
|
2024-04-16 06:10:04 +02:00
|
|
|
(lib.mapAttrs (name: host:
|
2024-07-10 00:34:38 +02:00
|
|
|
lib.recursiveUpdate (hosts'."__default__" or {}) host
|
2024-04-16 06:10:04 +02:00
|
|
|
))
|
|
|
|
|
];
|
|
|
|
|
hostNames = attrNames hosts;
|
|
|
|
|
thisHost = hosts.${config.networking.fqdn};
|
|
|
|
|
thisHostIsBuilder = thisHost.maxJobs > 0;
|
2024-07-10 00:34:38 +02:00
|
|
|
thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.forEach hosts (host: host.ssh.proxyJump or null));
|
2024-07-10 01:12:00 +02:00
|
|
|
thisHostIsConsumer = thisHost.ssh ? userPublicKey;
|
2024-04-16 06:10:04 +02:00
|
|
|
|
|
|
|
|
mkRemoteConfig = fqdn: let
|
|
|
|
|
host = hosts.${fqdn};
|
|
|
|
|
jump = hosts.${host.ssh.proxyJump};
|
|
|
|
|
buildMachine = (lib.filterAttrs (key: _: !elem key ["ssh"]) host) // {
|
|
|
|
|
hostName = fqdn;
|
2024-04-27 23:31:32 +02:00
|
|
|
sshUser = host.ssh.listenUser;
|
2024-04-16 06:10:04 +02:00
|
|
|
};
|
|
|
|
|
isBuilder = host.maxJobs > 0;
|
2024-07-10 00:34:38 +02:00
|
|
|
isConsumer = host.ssh ? userPublicKey && thisHostIsBuilder;
|
2024-04-16 06:10:04 +02:00
|
|
|
isThis = fqdn == config.networking.fqdn;
|
2024-07-10 00:34:38 +02:00
|
|
|
in mkIf (!isThis) ( lib.mkMerge [
|
2024-04-16 06:10:04 +02:00
|
|
|
# out
|
2024-07-10 01:12:00 +02:00
|
|
|
(lib.mkIf (isBuilder && thisHostIsConsumer) {
|
2024-07-10 00:34:38 +02:00
|
|
|
|
|
|
|
|
nix.buildMachines = [ buildMachine ];
|
2024-04-16 06:10:04 +02:00
|
|
|
|
2024-07-10 00:34:38 +02:00
|
|
|
})
|
|
|
|
|
# out or jump
|
2024-07-10 01:12:00 +02:00
|
|
|
(lib.mkIf (host.ssh ? listenPublicKey && thisHostIsConsumer) {
|
2024-07-10 00:34:38 +02:00
|
|
|
programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
|
2024-04-16 06:10:04 +02:00
|
|
|
|
2024-07-10 00:34:38 +02:00
|
|
|
# timeouts are great when remote is unresponsive. nix doesn't care
|
|
|
|
|
programs.ssh.extraConfig = ''
|
|
|
|
|
Host ${fqdn}
|
|
|
|
|
ConnectTimeout 3
|
|
|
|
|
Port ${builtins.toString host.ssh.listenPort}
|
|
|
|
|
${lib.optionalString (host.ssh ? proxyJump) ''
|
|
|
|
|
ProxyJump ${host.ssh.proxyJump}
|
|
|
|
|
''}
|
|
|
|
|
'';
|
|
|
|
|
})
|
2024-04-16 06:10:04 +02:00
|
|
|
# in
|
2024-07-10 00:34:38 +02:00
|
|
|
(mkIf (isConsumer && (thisHostIsBuilder || thisHostIsHopHost) ) {
|
|
|
|
|
|
|
|
|
|
nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
|
|
|
|
|
nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
|
|
|
|
|
users.users.${thisHost.ssh.listenUser} = {
|
2024-04-27 23:31:32 +02:00
|
|
|
isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
|
2024-07-10 00:34:38 +02:00
|
|
|
openssh.authorizedKeys.keys = [ host.ssh.userPublicKey ];
|
|
|
|
|
group = lib.mkOptionDefault "nogroup";
|
2024-04-16 06:10:04 +02:00
|
|
|
};
|
2024-07-10 00:34:38 +02:00
|
|
|
|
|
|
|
|
})
|
|
|
|
|
]);
|
2024-04-16 06:10:04 +02:00
|
|
|
|
|
|
|
|
in {
|
|
|
|
|
|
|
|
|
|
nix.distributedBuilds = true;
|
|
|
|
|
|
|
|
|
|
# TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
|
|
|
|
|
# https://github.com/NixOS/nix/issues/2457
|
|
|
|
|
|
|
|
|
|
# useful when the builder has a faster internet connection than i do
|
|
|
|
|
nix.settings.builders-use-substitutes = true;
|
|
|
|
|
|
|
|
|
|
imports = lib.forEach hostNames mkRemoteConfig;
|
|
|
|
|
|
|
|
|
|
}
|
