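# Nix daemon / nixpkgs settings shared by every host: unfree packages, binary
# caches, garbage-collection policy, flakes, nix-direnv and (optionally)
# distributed builds on the "coruscant" and "tatooine" machines, including the
# SSH client configuration and host-key pins those builds rely on.
{ config, lib, pkgs, ... }: with lib; let
  nixCfg = config.nix;
in
{
  options = {
    nix.enableRemoteBuildOnCoruscant = mkEnableOption "Enable remote builds on coruscant";
    nix.enableRemoteBuildOnTatooine = mkEnableOption "Enable remote builds on tatooine";
  };

  config = mkMerge [
    # Allow unfree software.
    {
      nixpkgs.config.allowUnfree = true;
      # Also covers ad-hoc `nix-build` / `nix-shell` invocations outside this config.
      environment.variables.NIXPKGS_ALLOW_UNFREE = "1";

      # Caches that unprivileged users are allowed to use as substituters.
      nix.trustedBinaryCaches = [
        "https://sumnerevans.cachix.org"
        "https://nixpkgs-wayland.cachix.org"
      ];
    }

    # If automatic garbage collection is enabled, delete 30 days.
    (
      mkIf nixCfg.gc.automatic {
        nix.gc.options = "--delete-older-than 30d";
      }
    )

    # Use nix flakes.
    # `nix.extraOptions` is a `lines` option, so the fragments set here and in
    # the blocks below are concatenated into nix.conf.
    {
      nix.extraOptions = ''
        experimental-features = nix-command flakes
      '';
      nix.package = pkgs.nixUnstable;
    }

    # nix-direnv
    {
      # https://github.com/nix-community/nix-direnv#via-configurationnix-in-nixos
      # Persist direnv derivations across garbage collections.
      nix.extraOptions = ''
        keep-outputs = true
        keep-derivations = true
      '';
      environment.pathsToLink = [ "/share/nix-direnv" ];
    }

    # Allow builds to happen on coruscant
    (
      mkIf nixCfg.enableRemoteBuildOnCoruscant {
        nix = {
          # Two entries for the same machine: one via its public address, one via
          # the LAN address (see the `Host` stanzas in programs.ssh below).
          buildMachines = [
            {
              hostName = "coruscant";
              system = "x86_64-linux";
              maxJobs = 1;
              speedFactor = 2;
              supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
              mandatoryFeatures = [ ];
            }
            {
              hostName = "coruscant-lan";
              system = "x86_64-linux";
              maxJobs = 1;
              speedFactor = 2;
              supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
              mandatoryFeatures = [ ];
            }
          ];
          distributedBuilds = true;
          # Let the remote builder fetch from substituters itself instead of
          # having the local machine upload every input.
          extraOptions = ''
            builders-use-substitutes = true
          '';
        };
      }
    )

    # Allow builds to happen on tatooine
    (
      mkIf nixCfg.enableRemoteBuildOnTatooine {
        nix = {
          buildMachines = [
            {
              hostName = "tatooine";
              system = "x86_64-linux";
              maxJobs = 4;
              speedFactor = 2;
              supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
              mandatoryFeatures = [ ];
            }
          ];
          distributedBuilds = true;
          extraOptions = ''
            builders-use-substitutes = true
          '';
        };
      }
    )

    # System-wide SSH client config for the build hosts above.
    {
      programs.ssh =
        let
          # Read at evaluation time; the value is interpolated into the
          # ssh_config text below, so it ends up in the Nix store like the rest
          # of the generated configuration.
          coruscantPublicIp = lib.removeSuffix "\n" (builtins.readFile ../secrets/coruscant-ip);
        in
        {
          extraConfig = ''
            Host coruscant
                IdentityFile /etc/nixos/secrets/nix-remote-build
                HostName ${coruscantPublicIp}
                Port 32

            Host coruscant-lan
                IdentityFile /etc/nixos/secrets/nix-remote-build
                HostName 192.168.0.14
                Port 32

            Host tatooine
                IdentityFile /etc/nixos/secrets/nix-remote-build
                HostName 5.161.50.43
          '';
          # Host-key pins. OpenSSH looks these up by the HostName it actually
          # connects to (not the `Host` alias), and for a non-default port by the
          # `[host]:port` form, so the entries mirror the stanzas in extraConfig:
          # tatooine is reached by its IP, coruscant on port 32.
          knownHosts = {
            tatooine = {
              hostNames = [ "tatooine.sumnerevans.com" "5.161.50.43" ];
              publicKey = "ssh-rsa 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 sumner@tatooine";
            };
            coruscant = {
              hostNames = [
                "192.168.0.14"
                coruscantPublicIp
                "[192.168.0.14]:32"
                "[${coruscantPublicIp}]:32"
              ];
              publicKey = "ssh-rsa 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 sumner@coruscant-nixos";
            };
          };
        };
    }
  ];
}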