diff --git a/hosts/known-hosts.toml b/hosts/known-hosts.toml
index f37b26a..f6b7a00 100644
--- a/hosts/known-hosts.toml
+++ b/hosts/known-hosts.toml
@@ -13,6 +13,7 @@
 #ssh.userPublicKey # sudo ssh-keygen -t ed25519 && sudo cat /root/.ssh/id_ed25519.pub
 #ssh.protocol
 #ssh.proxyJump
+#ssh.userPrivateKey # IdentityFile to use
 [__default__]
 systems = ["x86_64-linux"]
@@ -31,14 +32,14 @@ ssh.protocol = "ssh" # "ssh-ng"
 ["bolle.pbsds.net"]
 maxJobs = 3 # 12 threads 32GB
-speedFactor = 5
+speedFactor = 4
 supportedFeatures = ["kvm","big-parallel","nixos-test"]
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeOB/57N1fQPVorIUlkkJZaQduBo+4+km2Qbj4ebd/k"
 ssh.proxyJump = "isvegg.pvv.ntnu.no"
 ["eple.pbsds.net"] # r9 290x
 maxJobs = 3 # 12 threads 32GB
-speedFactor = 5
+speedFactor = 4
 supportedFeatures = ["kvm","big-parallel","nixos-test"]
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH03MEINNnjBvtmvN2QsCDCLkvF9ow5FQJp9uiyQ1Iwi"
 ssh.proxyJump = "isvegg.pvv.ntnu.no"
@@ -52,7 +53,7 @@ ssh.proxyJump = "isvegg.pvv.ntnu.no"
 ["noximilien.pbsds.net"]
 #maxJobs = 1 # 8 threads 8GB
-speedFactor = 2
+speedFactor = 1
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ3QhTGS03Sqm6OeCEz5AIGqJnBttKaBqMgNXp3Md7t4"
 ssh.userPublicKey = "ssh-rsa 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 root@noximilien"
@@ -66,7 +67,7 @@ ssh.userPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6eTQkxO/1XflHpGf3478+
 ["nord.pbsds.net"] # rx 580
 #maxJobs = 1 # 4 threads 32GB
-speedFactor = 2
+speedFactor = 1
 supportedFeatures = ["kvm","nixos-test"]
 ssh.listenPort = 24
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBSdIUtUfAxnVbPDmDDFdP2S3Wd3+CC8IfZAANJ76oh"
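Review bot: The new `#ssh.userPrivateKey # IdentityFile to use` line in the key legend does not say how the value is consumed: profiles/remote-builders.nix interpolates it unquoted into the system-wide ssh_config (`IdentityFile ${host.ssh.userPrivateKey}`), so it has to be an absolute local path without spaces that exists on every host importing that profile. Suggest `#ssh.userPrivateKey # IdentityFile for this builder; interpolated unquoted into the system ssh_config by profiles/remote-builders.nix, so use an absolute path (e.g. a sops secret under /run/secrets)`. The speedFactor hunks in this file need no comment.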
@@ -138,20 +139,20 @@ ssh.listenPublicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb
 #ssh.listenUser = "pederbs"
 #ssh.listenPublicKey = "TODO"
-#["darwin-build-box.winter.cafe"]
-#systems = [ "aarch64-darwin", "x86_64-darwin" ];
-#maxJobs = 1; # TODO
-#ssh.listenUser = "TODO";
-#ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0io9E0eXiDIEHvsibXOxOPveSjUPIr1RnNKbUkw3fD";
-#ssh.egressPrivateKey = "/run/secrets/nix-community-builders-ssh-key";
+["darwin-build-box.nix-community.org"] # https://nix-community.org/community-builder/
+systems = [ "aarch64-darwin", "x86_64-darwin" ]
+maxJobs = 1
+ssh.listenUser = "pbsds"
+ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFz8FXSVEdf8FvDMfboxhB5VjSe7y2WgSa09q1L4t099"
+ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
-#["aarch64.nixos.community"]
-#systems = [ "aarch64-linux" ];
-#supportedFeatures = [ "big-parallel" ];
-#maxJobs = 1; # TODO: 64 threads?
-#ssh.listenUser = "TODO";
-#ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";
-#ssh.egressPrivateKey = "/run/secrets/nix-community-builders-ssh-key";
+#["aarch64.nixos.community"] # https://github.com/NixOS/aarch64-build-box
+#systems = [ "aarch64-linux" ]
+# maxJobs = 1 # 64 threads?
+#supportedFeatures = [ "big-parallel" ]
+#ssh.listenUser = "TODO"
+#ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds"
+#ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
 ["clab01.idi.ntnu.no"] # gtx 4090
diff --git a/profiles/http/default.nix b/profiles/http/default.nix
index ffedae0..729663c 100644
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
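Review bot: The pinned `ssh.listenPublicKey` for darwin-build-box.nix-community.org is the only thing tying this builder's identity to the intended host, and outputs built there are copied back into the local store, yet the new section records neither where the key was obtained nor when it was checked. Suggest extending the section comment to `["darwin-build-box.nix-community.org"] # https://nix-community.org/community-builder/ ; host key copied from that page on <DATE>, re-verify on rotation`. The `ssh.userPrivateKey` path is also coupled by hand to the `sops.secrets.nix-community-builders-ssh-key` declaration in profiles/remote-builders.nix; a comment on that line, `# basename must match the sops.secrets.* name in profiles/remote-builders.nix`, would keep the two from drifting apart.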
@@ -18,6 +18,7 @@ in
 #security.acme.defaults.reloadServices
 # https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
+ #security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
 #security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
 #security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
 #security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
diff --git a/profiles/remote-builders.nix b/profiles/remote-builders.nix
index a91b64d..7cac1de 100644
--- a/profiles/remote-builders.nix
+++ b/profiles/remote-builders.nix
@@ -43,7 +43,7 @@ let
 programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey; # TODO: use nix.buildMachines.*.publicHostKey ?
- # timeouts are great when remote is unresponsive. nix doesn't care
+ # timeouts are great when remote is unresponsive. nix doesn't care, lix is way and tests each remote only once
 programs.ssh.extraConfig = ''
 Host ${fqdn}
 ConnectTimeout 3
@@ -51,6 +51,9 @@ let
 ${lib.optionalString (host.ssh ? proxyJump) ''
 ProxyJump ${jump.ssh.listenUser}@${host.ssh.proxyJump}:${builtins.toString jump.ssh.listenPort}
 ''}
+ ${lib.optionalString (host.ssh ? userPrivateKey) ''
+ IdentityFile ${host.ssh.userPrivateKey}
+ ''}
 '';
 })
 # in
@@ -79,4 +82,7 @@ in {
 imports = lib.forEach hostNames mkRemoteConfig;
+ # TODO: derive this one from known-hosts.toml
+ sops.secrets.nix-community-builders-ssh-key = {};
+
 }
diff --git a/users/pbsds/home/default.nix b/users/pbsds/home/default.nix
index 445b839..d582637 100644
--- a/users/pbsds/home/default.nix
+++ b/users/pbsds/home/default.nix
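Review bot: The new commented-out `#security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default` line is missing the trailing `;` that its three sibling lines carry, so uncommenting it as-is would be a syntax error rather than a one-character toggle. Change it to `#security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # default` to keep the four alternatives interchangeable.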
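Review bot: The rewritten comment `# timeouts are great when remote is unresponsive. nix doesn't care, lix is way and tests each remote only once` reads as if a word is missing after `lix is way`, so the behaviour it is trying to record (presumably that lix honours ConnectTimeout and probes each remote only once, while nix does not) is not recoverable by the next reader. Complete the sentence, e.g. `# timeouts matter when a remote is unresponsive: nix ignores them, lix honours them and tests each remote only once` if that is what is meant. The attrset this line belongs to starts and ends outside the hunk.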
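Review bot: The added `IdentityFile ${host.ssh.userPrivateKey}` lands in `programs.ssh.extraConfig`, i.e. the system-wide ssh_config, so it applies to every local user connecting to `${fqdn}`, not only to the nix-daemon; with the sops default of a root-only secret file, other users will presumably see an unreadable-identity warning and fall back to their own keys, which is worth confirming. The path is also interpolated unquoted, which is fine for `/run/secrets/...` but would break on a path containing spaces. A short comment above the new `optionalString`, `# system-wide ssh_config: every user sees this IdentityFile, but only root can read the sops secret`, would make that trade-off visible. The function producing this attrset starts and ends outside the hunk.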
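Review bot: `sops.secrets.nix-community-builders-ssh-key = {};` is declared for every host that imports this profile, and its name duplicates by hand the `ssh.userPrivateKey` value in hosts/known-hosts.toml, as the `# TODO` acknowledges; a host whose sops file lacks that key will fail at activation even if it never talks to the community builder. Until it is derived (filtering `hostNames` for entries whose `host.ssh` set contains `userPrivateKey` and taking `baseNameOf` of each path would do it), the comment should state the invariant: `# TODO: derive this from known-hosts.toml; the name must equal baseNameOf ssh.userPrivateKey there, and the secret must exist in the sops file of every host importing this profile`. The empty `{}` relies on sops defaults (root-owned, read-only), which matches the daemon running as root but should be said explicitly if that is the intent.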
@@ -84,6 +84,7 @@
 /* nix-template */
 nix-output-monitor
 (pkgs.nix-inspect or unstable.nix-inspect)
+ (pkgs.nix-btm or unstable.nix-btm)
 unstable.nixpkgs-review
 unstable.nixpkgs-hammering
 unstable.nix-update