Add a nix_worker role for nix builders.

This commit is contained in:
Tom Alexander 2025-05-04 15:31:13 -04:00
parent 7f4c41bb32
commit 4a303d17d8
Signed by: talexander
GPG Key ID: D3A179C9A53C0EDE
7 changed files with 74 additions and 12 deletions

View File

@ -41,6 +41,7 @@
./roles/memtest86
./roles/network
./roles/nix_index
./roles/nix_worker
./roles/nvme
./roles/pcsx2
./roles/python

View File

@ -45,13 +45,9 @@
me.emacs_flavor = "plainmacs";
me.graphical = false;
me.hydra.enable = false;
me.nix_worker.enable = true;
me.vm_disk.enable = true;
me.wireguard.activated = [ ];
me.wireguard.deactivated = [ ];
me.zsh.enable = true;
# Trust this key so nix running as root can ssh into hydra.
users.users.talexander.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo"
];
}

View File

@ -13,7 +13,7 @@
nix.buildMachines = [
{
hostName = "hydra";
sshUser = "talexander";
sshUser = "nixworker";
systems = [
"x86_64-linux"
# "aarch64-linux"
@ -25,14 +25,14 @@
"benchmark"
"big-parallel"
# "kvm"
"gccarch-znver4"
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"gccarch-znver4"
];
}
{
hostName = "quark";
sshUser = "talexander";
sshUser = "nixworker";
systems = [
"x86_64-linux"
# "aarch64-linux"
@ -44,9 +44,9 @@
"benchmark"
"big-parallel"
# "kvm"
"gccarch-znver4"
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"gccarch-znver4"
"gccarch-znver5"
];
}

View File

@ -58,6 +58,7 @@
me.lvfs.enable = true;
me.media.enable = true;
me.nix_index.enable = true;
me.nix_worker.enable = true;
me.pcsx2.enable = true;
me.python.enable = true;
me.qemu.enable = true;

View File

@ -13,7 +13,7 @@
nix.buildMachines = [
{
hostName = "hydra";
sshUser = "talexander";
sshUser = "nixworker";
systems = [
"x86_64-linux"
# "aarch64-linux"
@ -25,9 +25,9 @@
"benchmark"
"big-parallel"
# "kvm"
"gccarch-znver4"
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"gccarch-znver4"
];
}
];

View File

@ -0,0 +1,57 @@
# MANUAL: Remember to set up root's ssh config with any necessary values. For example:
# Host foo
# HostName ns1.fizz.buzz
# Port 65122
# User nixworker
# IdentitiesOnly yes
# IdentityFile /persist/manual/ssh/root/keys/id_ed25519
# Host *
# Compression yes
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
options.me = {
nix_worker.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether this machine should be set up to function as a nix.buildMachines. This does not configure nix.buildMachines, but only does the necessary setup to get the machine ready/capable of being a nix.buildMachines.";
};
};
config = lib.mkIf config.me.nix_worker.enable (
lib.mkMerge [
{
nix.settings.trusted-users = [ "nixworker" ];
users.users.nixworker = {
isNormalUser = true;
createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
group = "nixworker";
# extraGroups = [ "wheel" ];
# Generate with `mkpasswd -m scrypt`
hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";
openssh.authorizedKeys.keys = [
# Normal keys:
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
# Key for nix to connect:
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo"
];
};
users.groups.nixworker = { };
}
]
);
}

View File

@ -1,7 +1,14 @@
Host hydra
HostName ns1.fizz.buzz
Port 65122
User talexander
User nixworker
IdentitiesOnly yes
IdentityFile /persist/manual/ssh/root/keys/id_ed25519
Host quark
HostName quark
Port 22
User nixworker
IdentitiesOnly yes
IdentityFile /persist/manual/ssh/root/keys/id_ed25519