lksjdlakjsdl

hosts/known-hosts.toml

@@ -13,6 +13,7 @@
 #ssh.userPublicKey   # sudo ssh-keygen -t ed25519 && sudo cat /root/.ssh/id_ed25519.pub
 #ssh.protocol
 #ssh.proxyJump
+#ssh.userPrivateKey # IdentityFile to use
 
 [__default__]
 systems = ["x86_64-linux"]
@@ -31,14 +32,14 @@ ssh.protocol = "ssh" # "ssh-ng"
 
 ["bolle.pbsds.net"]
 maxJobs = 3 # 12 threads 32GB
-speedFactor = 5
+speedFactor = 4
 supportedFeatures = ["kvm","big-parallel","nixos-test"]
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeOB/57N1fQPVorIUlkkJZaQduBo+4+km2Qbj4ebd/k"
 ssh.proxyJump = "isvegg.pvv.ntnu.no"
 
 ["eple.pbsds.net"] # r9 290x
 maxJobs = 3 # 12 threads 32GB
-speedFactor = 5
+speedFactor = 4
 supportedFeatures = ["kvm","big-parallel","nixos-test"]
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH03MEINNnjBvtmvN2QsCDCLkvF9ow5FQJp9uiyQ1Iwi"
 ssh.proxyJump = "isvegg.pvv.ntnu.no"
@@ -52,7 +53,7 @@ ssh.proxyJump = "isvegg.pvv.ntnu.no"
 
 ["noximilien.pbsds.net"]
 #maxJobs = 1 # 8 threads 8GB
-speedFactor = 2
+speedFactor = 1
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ3QhTGS03Sqm6OeCEz5AIGqJnBttKaBqMgNXp3Md7t4"
 ssh.userPublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7fYndgIXJM+tLSfkbprWc8ClOI58wlaZCg6I+wMYINeOwxLU24BmIyQAhNeqhHYBdXiyIAl5KN3+YajN1nx6zq2XPXLut31Xtf+0yMdRMX4rXgqOnsBeG4eTfNsPx+v7VNANth8dIADpk59Y9ioWB6JI6NF0wfkqrCSTpt2q9gpTA35MBe41hlaxqxYGq+PlfZyJbN4TJCORZROkjw1P6K+EoYUHTHmduMZSAnpzx5bTHL2r1VK1jLRL4q2O1LP9G7eVYUsZKxKznJqtAeoOGBL4OX2JeIXT51/pXTW0NNyVPELD6aUUZjK8aVK2JDXupXegYO8cHqwLaz7rZj3G8evGamSlGvAYR4Gwvvp4Du8ZRZVM3Gt1allhPMTLnm/gy9Lta35D8SHH0IUKWD3buo5HZliZgSMAvoSrT03vpuGILLoWEkTjpPT0qKIlBd/qlACBzKC9Wwmda5WWgMsfe0zP4zNLVdves5nkMrbY91TYSFM0FuDCaRsK5Mrhx7i0= root@noximilien"
 
@@ -66,7 +67,7 @@ ssh.userPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6eTQkxO/1XflHpGf3478+
 
 ["nord.pbsds.net"] # rx 580
 #maxJobs = 1 # 4 threads 32GB
-speedFactor = 2
+speedFactor = 1
 supportedFeatures = ["kvm","nixos-test"]
 ssh.listenPort = 24
 ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBSdIUtUfAxnVbPDmDDFdP2S3Wd3+CC8IfZAANJ76oh"
@@ -138,20 +139,20 @@ ssh.listenPublicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb
 #ssh.listenUser = "pederbs"
 #ssh.listenPublicKey = "TODO"
 
-#["darwin-build-box.winter.cafe"]
-#systems = [ "aarch64-darwin", "x86_64-darwin" ];
-#maxJobs = 1; # TODO
-#ssh.listenUser = "TODO";
-#ssh.listenPublicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0io9E0eXiDIEHvsibXOxOPveSjUPIr1RnNKbUkw3fD";
-#ssh.egressPrivateKey = "/run/secrets/nix-community-builders-ssh-key";
+["darwin-build-box.nix-community.org"] # https://nix-community.org/community-builder/
+systems = [ "aarch64-darwin", "x86_64-darwin" ]
+maxJobs = 1
+ssh.listenUser = "pbsds"
+ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFz8FXSVEdf8FvDMfboxhB5VjSe7y2WgSa09q1L4t099"
+ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
 
-#["aarch64.nixos.community"]
-#systems = [ "aarch64-linux" ];
-#supportedFeatures = [ "big-parallel" ];
-#maxJobs = 1; # TODO: 64 threads?
-#ssh.listenUser = "TODO";
-#ssh.listenPublicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";
-#ssh.egressPrivateKey = "/run/secrets/nix-community-builders-ssh-key";
+#["aarch64.nixos.community"] # https://github.com/NixOS/aarch64-build-box
+#systems = [ "aarch64-linux" ]
+# maxJobs = 1 # 64 threads?
+#supportedFeatures = [ "big-parallel" ]
+#ssh.listenUser = "TODO"
+#ssh.listenPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds"
+#ssh.userPrivateKey = "/run/secrets/nix-community-builders-ssh-key"
 
 
 ["clab01.idi.ntnu.no"] # gtx 4090

profiles/http/default.nix

@@ -18,6 +18,7 @@ in
   #security.acme.defaults.reloadServices
 
   # https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
+  #security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
   #security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
   #security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
   #security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week

profiles/remote-builders.nix

@@ -43,7 +43,7 @@ let
       programs.ssh.knownHosts.${fqdn}.publicKey = host.ssh.listenPublicKey;
       # TODO: use nix.buildMachines.*.publicHostKey ?
 
-      # timeouts are great when remote is unresponsive. nix doesn't care
+      # timeouts are great when remote is unresponsive. nix doesn't care, lix is way and tests each remote only once
       programs.ssh.extraConfig = ''
         Host ${fqdn}
           ConnectTimeout 3
@@ -51,6 +51,9 @@ let
           ${lib.optionalString (host.ssh ? proxyJump) ''
             ProxyJump ${jump.ssh.listenUser}@${host.ssh.proxyJump}:${builtins.toString jump.ssh.listenPort}
           ''}
+          ${lib.optionalString (host.ssh ? userPrivateKey) ''
+            IdentityFile ${host.ssh.userPrivateKey}
+          ''}
       '';
     })
     # in
@@ -79,4 +82,7 @@ in {
 
   imports = lib.forEach hostNames mkRemoteConfig;
 
+  # TODO: derive this one from known-hosts.toml
+  sops.secrets.nix-community-builders-ssh-key = {};
+
 }

users/pbsds/home/default.nix

@@ -84,6 +84,7 @@
     /* nix-template */
     nix-output-monitor
     (pkgs.nix-inspect or unstable.nix-inspect)
+    (pkgs.nix-btm or unstable.nix-btm)
     unstable.nixpkgs-review
     unstable.nixpkgs-hammering
     unstable.nix-update