78 lines
2.3 KiB
Nix
78 lines
2.3 KiB
Nix
|
{}
|
||
|
/** /
|
||
|
{ config, lib, ... }:
|
||
|
|
||
|
# TODO: make a remote-build user on nixos boxes, instead of giving access to pbsds
|
||
|
# TODO: https://exozy.me/quickstart
|
||
|
# TODO: https://github.com/winterqt/darwin-build-box
|
||
|
|
||
|
let
|
||
|
inherit (builtins) map fromTOML readFile elem attrNames;
|
||
|
inherit (lib) mkIf;
|
||
|
|
||
|
hosts' = fromTOML (readFile ../../hosts/known-hosts.toml); # eww
|
||
|
hosts = lib.pipe hosts' [
|
||
|
(lib.filterAttrs (name: host: name != "default"))
|
||
|
(lib.mapAttrs (name: host:
|
||
|
lib.recursiveUpdate (hosts'."default" or {}) host
|
||
|
))
|
||
|
];
|
||
|
hostNames = attrNames hosts;
|
||
|
thisHost = hosts.${config.networking.fqdn};
|
||
|
thisHostIsBuilder = thisHost.maxJobs > 0;
|
||
|
|
||
|
mkRemoteConfig = fqdn: let
|
||
|
host = hosts.${fqdn};
|
||
|
jump = hosts.${host.ssh.proxyJump};
|
||
|
buildMachine = (lib.filterAttrs (key: _: !elem key ["ssh"]) host) // {
|
||
|
hostName = fqdn;
|
||
|
sshUser = fqdn.ssh.user;
|
||
|
};
|
||
|
isBuilder = host.maxJobs > 0;
|
||
|
isConsumer = host.ssh ? publicKeyUser && thisHostIsBuilder;
|
||
|
isThis = fqdn == config.networking.fqdn;
|
||
|
in mkIf (!isThis) {
|
||
|
|
||
|
# out
|
||
|
nix.buildMachines = mkIf isBuilder [ buildMachine ];
|
||
|
programs.ssh.knownHosts.${fqdn}.publicKey = mkIf isBuilder host.ssh.publicKeyListen;
|
||
|
|
||
|
# timeout is great when remote is unresponsive. nix doesn't care
|
||
|
programs.ssh.extraConfig = ''
|
||
|
Host ${fqdn}
|
||
|
ConnectTimeout 3
|
||
|
Port ${builtins.toString (host.ssh.port or 22)}
|
||
|
${lib.optionalString (host.ssh ? proxyJump) ''
|
||
|
ProxyJump ${host.ssh.proxyJump}
|
||
|
''}
|
||
|
'';
|
||
|
|
||
|
# in
|
||
|
users = mkIf isConsumer {
|
||
|
users.${thisHost.ssh.user} = {
|
||
|
isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.user}.isNormalUser);
|
||
|
openssh.authorizedKeys.keys = [
|
||
|
host.ssh.publicKeyUser
|
||
|
];
|
||
|
group = lib.mkDefault "nogroup";
|
||
|
};
|
||
|
};
|
||
|
nix.settings.allowed-users = mkIf isConsumer [ thisHost.ssh.user ];
|
||
|
nix.settings.trusted-users = mkIf isConsumer [ thisHost.ssh.user ];
|
||
|
};
|
||
|
|
||
|
in {
|
||
|
|
||
|
nix.distributedBuilds = true;
|
||
|
|
||
|
# TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
|
||
|
# https://github.com/NixOS/nix/issues/2457
|
||
|
|
||
|
# useful when the builder has a faster internet connection than i do
|
||
|
nix.settings.builders-use-substitutes = true;
|
||
|
|
||
|
imports = lib.forEach hostNames mkRemoteConfig;
|
||
|
|
||
|
}
|
||
|
/**/
|