| author | quentin@aristote.fr <quentin@aristote.fr> | 2024-12-08 23:02:44 +0100 |
|---|---|---|
| committer | quentin@aristote.fr <quentin@aristote.fr> | 2024-12-08 23:03:49 +0100 |
| commit | 33cab3051153ed77663474801aaff4a4c3287124 (patch) | |
| tree | 38d85de1367e11d049169a8de6ed9080be5f0c9f /config/nix | |
| parent | f7d5b5425fc70a242eb4c802cc59165ed7b00b70 (diff) | |
nix: enable remote building
Diffstat (limited to 'config/nix')
| -rw-r--r-- | config/nix/default.nix | 33 | ||||
| -rw-r--r-- | config/nix/remote-builds.nix | 30 |
2 files changed, 63 insertions, 0 deletions
diff --git a/config/nix/default.nix b/config/nix/default.nix
new file mode 100644
index 0000000..c930095
--- /dev/null
+++ b/config/nix/default.nix
@@ -0,0 +1,33 @@
+{lib, ...}: {
+ imports = [./remote-builds.nix];
+
+ personal.nix = {
+ enable = true;
+ autoUpgrade = {
+ enable = true;
+ autoUpdateInputs = ["nixpkgs" "nixpkgs-unstable"];
+ };
+ gc.enable = true;
+ flake = "git+file:///etc/nixos/";
+ };
+ nix.settings.max-jobs = lib.mkDefault 1;
+ nixpkgs.flake = {
+ setNixPath = true;
+ setFlakeRegistry = true;
+ };
+
+ systemd.services.nixos-upgrade = let
+ mkForce = lib.mkOverride 51;
+ in {
+ # restart at most once every hour
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = "5sec";
+ MemoryAccounting = true;
+ MemoryHigh = "1G";
+ MemoryMax = "1.5G";
+ };
+ startLimitBurst = mkForce 1;
+ startLimitIntervalSec = mkForce 3600;
+ };
+}
diff --git a/config/nix/remote-builds.nix b/config/nix/remote-builds.nix
new file mode 100644
index 0000000..5f23108
--- /dev/null
+++ b/config/nix/remote-builds.nix
@@ -0,0 +1,30 @@
+{...}: {
+ networking.hosts."10.13.42.2" = ["hephaistos.local"];
+ programs.ssh = {
+ extraConfig = ''
+ Host hephaistos.local
+ # Prevent using ssh-agent or another keyfile, useful for testing
+ IdentitiesOnly yes
+ IdentityFile /etc/ssh/nixremote
+ # The weakly privileged user on the remote builder – if not set, 'root' is used – which will hopefully fail
+ User nixremote
+ '';
+ knownHosts."hephaistos.local".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq";
+ };
+
+ nix = {
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "hephaistos.local";
+ system = "x86_64-linux";
+ # Nix custom ssh-variant that avoids lots of "trusted-users" settings pain
+ protocol = "ssh-ng";
+ maxJobs = 4;
+ speedFactor = 4;
+ supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
+ mandatoryFeatures = [];
+ }
+ ];
+ };
+}
|
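Review bot: In the `systemd.services.nixos-upgrade` block of `config/nix/default.nix`, `startLimitBurst = mkForce 1` appears to cancel out `Restart = "on-failure"`. If I read systemd's start rate limiting correctly, the initial start already uses the single start permitted in the 3600 s window, so the restart 5 s later is refused and a failed upgrade stays failed until something starts the unit again, leaving the host on its old packages in the meantime. If one retry per hour is what the `# restart at most once every hour` comment intends, `startLimitBurst = mkForce 2;` would allow it, and the comment belongs next to the two start-limit lines rather than above `serviceConfig`. The local name `mkForce` is bound to `lib.mkOverride 51`, which is weaker than `lib.mkForce` (priority 50), so a different name or a short comment explaining the choice of 51 would prevent misreading.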
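Review bot: In `config/nix/remote-builds.nix`, `IdentityFile /etc/ssh/nixremote` names a private key that nothing in this file provisions or documents, so a comment should state that it is created out of band and is presumably meant to be root-owned and unreadable by other users. Because the `Host hephaistos.local` block lives in `programs.ssh.extraConfig`, it applies to every local user's ssh client rather than only to the Nix daemon. Setting `sshUser = "nixremote";` and `sshKey = "/etc/ssh/nixremote";` on the `nix.buildMachines` entry would scope the identity to the builder connection. A comment above `distributedBuilds = true;` should also record that store paths built on hephaistos can end up in the system closure that `nixos-upgrade` activates as root, which puts the builder and this key inside this host's trust boundary.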
