machine_setup/nix/configuration/roles/distributed_build/default.nix

{
  config,
  lib,
  all_nixos_configs,
  pkgs,
  ...
}:

# TODO: FreeBSD is x86_64-freebsd

let
  make_machine_config = name: {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to use the ${name} machine during distributed builds.";
    };

    additional_config = lib.mkOption {
      type = lib.types.attrs;
      default = { };
      example = lib.literalExpression {
        speedFactor = 2;
      };
      description = "Additional config values for the buildMachines entry. For example, speedFactor.";
    };
  };

  static_host_configs = {
    quark = {
      # From: base64 -w0 /persist/ssh/ssh_host_ed25519_key.pub
      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUx0alplYlVYTkRkU3Y1enVGbjM3eFNMZUN3S2hPKzFMdWovM2FYNFJRTEEgcm9vdEBxdWFyawo=";
      systems = [
        "i686-linux"
        "x86_64-linux"
        # "aarch64-linux"
      ];
    };
  };
in
{
  imports = [ ];

  options.me = {
    distributed_build.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to use multiple machines to perform a nixos-rebuild.";
    };

    distributed_build.machines = lib.mapAttrs (name: value: make_machine_config name) all_nixos_configs;
  };

  config = lib.mkIf config.me.distributed_build.enable (
    lib.mkMerge [
      {
        nix.distributedBuilds = true;

        nix.settings.substituters = lib.mkForce [ "ssh://hydra" ];
        nix.settings.substitute = lib.mkForce true;
        nix.settings.post-build-hook = pkgs.writeShellScript "post-build-hook" ''
          set -euo pipefail
          IFS=$'\n\t'
          set -f # disable globbing
          echo "Signing and uploading paths" $OUT_PATHS
          #exec nix copy --to 'ssh://hydra?secret-key=/persist/manual/nix/nix-cache-key.sec' $OUT_PATHS
          exec nix copy --to 'ssh://hydra' $OUT_PATHS
        '';
        nix.settings.secret-key-files = [ "/persist/manual/nix/nix-cache-key.sec" ];
        nix.settings.trusted-public-keys = lib.mkForce [
          "odo:0S/XKSFjjIrihQ7lbHEIebXk/c/xuoodhm0Gz26YhjA="
          "quark:Eb6ygkIiVlcUqb5hOjEVIQcfYLpCz40YVYA3/rxrgBc="
        ];
      }
      {
        nix.buildMachines = (
          map (
            hostname:
            (lib.mkIf config.me.distributed_build.machines."${hostname}".enable (
              lib.mkMerge [
                {
                  hostName = hostname;
                  sshUser = "nixworker";
                  sshKey = "/persist/manual/ssh/root/keys/id_ed25519";
                  maxJobs = 1;
                  supportedFeatures = all_nixos_configs."${hostname}".config.me.optimizations.system_features;
                }
                static_host_configs."${hostname}"
                config.me.distributed_build.machines."${hostname}".additional_config
              ]
            ))
          ) (builtins.attrNames all_nixos_configs)
        );
      }
    ]
  );
}