Add a nix_worker role for nix builders.

2025-05-04 15:31:13 -04:00 · 2025-05-04 15:31:13 -04:00 · 4a303d17d8
commit 4a303d17d8
parent 7f4c41bb32
7 changed files with 74 additions and 12 deletions
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@ -41,6 +41,7 @@
    ./roles/memtest86
    ./roles/network
    ./roles/nix_index
+    ./roles/nix_worker
    ./roles/nvme
    ./roles/pcsx2
    ./roles/python
--- a/nix/configuration/hosts/hydra/default.nix
+++ b/nix/configuration/hosts/hydra/default.nix
@ -45,13 +45,9 @@
  me.emacs_flavor = "plainmacs";
  me.graphical = false;
  me.hydra.enable = false;
+  me.nix_worker.enable = true;
  me.vm_disk.enable = true;
  me.wireguard.activated = [ ];
  me.wireguard.deactivated = [ ];
  me.zsh.enable = true;
-
-  # Trust this key so nix running as root can ssh into hydra.
-  users.users.talexander.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo"
-  ];
 }
--- a/nix/configuration/hosts/odo/distributed_build.nix
+++ b/nix/configuration/hosts/odo/distributed_build.nix
@ -13,7 +13,7 @@
      nix.buildMachines = [
        {
          hostName = "hydra";
-          sshUser = "talexander";
+          sshUser = "nixworker";
          systems = [
            "x86_64-linux"
            # "aarch64-linux"
@ -25,14 +25,14 @@
            "benchmark"
            "big-parallel"
            # "kvm"
-            "gccarch-znver4"
            "gccarch-x86-64-v3"
            "gccarch-x86-64-v4"
+            "gccarch-znver4"
          ];
        }
        {
          hostName = "quark";
-          sshUser = "talexander";
+          sshUser = "nixworker";
          systems = [
            "x86_64-linux"
            # "aarch64-linux"
@ -44,9 +44,9 @@
            "benchmark"
            "big-parallel"
            # "kvm"
-            "gccarch-znver4"
            "gccarch-x86-64-v3"
            "gccarch-x86-64-v4"
+            "gccarch-znver4"
            "gccarch-znver5"
          ];
        }
--- a/nix/configuration/hosts/quark/default.nix
+++ b/nix/configuration/hosts/quark/default.nix
@ -58,6 +58,7 @@
  me.lvfs.enable = true;
  me.media.enable = true;
  me.nix_index.enable = true;
+  me.nix_worker.enable = true;
  me.pcsx2.enable = true;
  me.python.enable = true;
  me.qemu.enable = true;
--- a/nix/configuration/hosts/quark/distributed_build.nix
+++ b/nix/configuration/hosts/quark/distributed_build.nix
@ -13,7 +13,7 @@
      nix.buildMachines = [
        {
          hostName = "hydra";
-          sshUser = "talexander";
+          sshUser = "nixworker";
          systems = [
            "x86_64-linux"
            # "aarch64-linux"
@ -25,9 +25,9 @@
            "benchmark"
            "big-parallel"
            # "kvm"
-            "gccarch-znver4"
            "gccarch-x86-64-v3"
            "gccarch-x86-64-v4"
+            "gccarch-znver4"
          ];
        }
      ];
--- a/nix/configuration/roles/nix_worker/default.nix
+++ b/nix/configuration/roles/nix_worker/default.nix
@ -0,0 +1,57 @@
+# MANUAL: Remember to set up root's ssh config with any necessary values. For example:
+
+# Host foo
+#   HostName ns1.fizz.buzz
+#   Port 65122
+#   User nixworker
+#   IdentitiesOnly yes
+#   IdentityFile /persist/manual/ssh/root/keys/id_ed25519
+
+# Host *
+#   Compression yes
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    nix_worker.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether this machine should be set up to function as a nix.buildMachines. This does not configure nix.buildMachines, but only does the necessary setup to get the machine ready/capable of being a nix.buildMachines.";
+    };
+  };
+
+  config = lib.mkIf config.me.nix_worker.enable (
+    lib.mkMerge [
+      {
+        nix.settings.trusted-users = [ "nixworker" ];
+
+        users.users.nixworker = {
+          isNormalUser = true;
+          createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
+          group = "nixworker";
+          # extraGroups = [ "wheel" ];
+          # Generate with `mkpasswd -m scrypt`
+          hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
+          openssh.authorizedKeys.keys = [
+            # Normal keys:
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
+            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
+            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
+            # Key for nix to connect:
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo"
+          ];
+        };
+        users.groups.nixworker = { };
+      }
+    ]
+  );
+}
--- a/nix/configuration/roles/ssh/files/ssh_config_root
+++ b/nix/configuration/roles/ssh/files/ssh_config_root
@ -1,7 +1,14 @@
 Host hydra
  HostName ns1.fizz.buzz
  Port 65122
-  User talexander
+  User nixworker
+  IdentitiesOnly yes
+  IdentityFile /persist/manual/ssh/root/keys/id_ed25519
+
+Host quark
+  HostName quark
+  Port 22
+  User nixworker
  IdentitiesOnly yes
  IdentityFile /persist/manual/ssh/root/keys/id_ed25519